Rotation Analytics
Clarity from Complexity.
Information Security
How Rotation Analytics protects the confidentiality, integrity, and availability of client data throughout every engagement.
Rotation Analytics handles sensitive operational scheduling data on behalf of our clients. We take this responsibility seriously. This page describes the technical and organizational measures we maintain to protect client data.
Our security practices are designed to meet the expectations of enterprise clients operating in regulated, unionized environments where data confidentiality is not optional.
Infrastructure Security
How Your Data Is Protected
Hosting & Network
The application is hosted on Vercel, an enterprise-grade edge network that provides automatic TLS/SSL encryption on all connections.
All data transmitted between your browser and our servers is encrypted in transit using TLS 1.2 or higher.
No client data is stored on local machines, personal devices, or removable media.
Database & Storage
Client data is stored in a dedicated PostgreSQL database hosted by Supabase on Amazon Web Services (AWS) infrastructure.
All data is encrypted at rest using AES-256 encryption.
Database access is restricted to authenticated server-side operations only — no direct client-side database access is permitted.
Row-level security policies enforce data isolation between engagements.
Authentication & Access Control
Administrative access is protected by authenticated credentials and restricted to authorized personnel only.
Client engagement data is accessed exclusively through unique, cryptographically generated status tokens — not through user accounts or passwords.
API keys and service credentials are stored as encrypted environment variables, never committed to source code.
Data Handling
Policies Governing Client Data
Data Residency
Client data is primarily stored and processed within North American data centres: our database infrastructure is hosted on AWS through Supabase, with primary data centres in North America. Where required by contract, data residency provisions can be discussed during engagement onboarding.
Data Retention
Engagement records — including submitted rotation files, analytical deliverables, and communication records — are retained for one (1) year from engagement completion. Engagements are automatically closed 30 days after the client's first deliverable download. All submitted files and deliverables are permanently deleted at the one-year mark. Records may be deleted earlier upon written request.
Data Minimization
Rotation Analytics collects only the information necessary to perform the commissioned analysis. We do not collect employee names, personal identifiers, or health information. Rotation data is processed in aggregate by line number. We do not use client data for any purpose beyond the scope defined in the service agreement.
Third-Party Processors
Rotation Analytics uses a limited number of third-party service providers to deliver its services. Each processor has been evaluated for security practices and data handling standards. A list of current sub-processors is available upon request.
Incident Response
Breach Notification
In the event of a data breach that poses a real risk of significant harm, Rotation Analytics will:
Notify affected clients via their provided contact information within 72 hours of confirmed breach discovery.
Report the breach to the Office of the Privacy Commissioner of Canada (OPC) as required under PIPEDA.
Where the breach involves Alberta residents, notify the Information and Privacy Commissioner of Alberta as required under PIPA.
Provide a written incident report describing the nature of the breach, data affected, containment measures taken, and remediation steps.
Take immediate corrective actions to contain the breach and prevent recurrence.
Confidentiality
Operational Confidentiality Commitments
Engagement Isolation
Each client engagement is logically isolated. Data from one engagement is never accessible to, shared with, or visible to any other client or engagement.
Personnel Controls
Only authorized personnel with a direct operational need may access client data. All personnel with data access are bound by confidentiality obligations.
No Secondary Use
Client data is never used for marketing, benchmarking, training, or any purpose beyond the scope of the commissioned analysis. We do not aggregate client data across engagements.
Deliverable Security
Completed deliverables are accessible through the client's secure status page and remain available for download until the engagement is automatically closed. Engagements close 30 days after the first download. All files are permanently deleted one year from engagement completion. Deliverables are not transmitted via unencrypted email.
Compliance
Regulatory Alignment
Rotation Analytics operates in accordance with the following privacy and data protection frameworks:
PIPEDA
Personal Information Protection and Electronic Documents Act — federal Canadian privacy legislation governing commercial activity.
PIPA (Alberta)
Personal Information Protection Act — Alberta's private-sector privacy legislation, substantially similar to PIPEDA.
Electronic Transactions Act
Alberta's Electronic Transactions Act — governing the validity of electronic agreements, signatures, and records.
Employment Standards
Analytical methodology references applicable provincial employment standards and peer-reviewed fatigue science.
Enterprise Security Enquiries
For organizations with specific security requirements — including requests for our sub-processor list, data processing agreements, or security questionnaire completion — please contact us directly.
This page describes Rotation Analytics’ current security practices as of March 2026. Security measures are reviewed and updated regularly. For the most current information, contact us.