Data Next Step

Effective Date: April 1, 2026 

Last Updated: April 1, 2026 

1. Purpose and Scope

Data Next Step (“DNS”, “we”, “our”, or “us”) is committed to protecting the privacy of all individuals whose personal information we collect and process in the course of our operations. 

This Privacy Policy explains how DNS collects, uses, retains, discloses, and protects personal information in accordance with: 

  • Quebec’s Act to modernize legislative provisions as regards the protection of personal information (Law 25) 
  • Applicable Canadian privacy laws 
  • ISO/IEC 27001:2022 – Annex A.5.34 (Privacy and protection of PII) 

 

This Policy applies to: 

  • Our software-as-a-service platform offerings 
  • Business, customer, partner, and any support interactions with DNS 

2. Accountability and Governance

DNS maintains internal governance policies, including access controls, privacy impact assessments where applicable, employee confidentiality obligations, and vendor due diligence. 

We have designated a person responsible for the protection of personal information (“PRP”), who also serves as Data Protection Officer (“DPO”). This function is held by the person with the highest authority at DNS, in accordance with Law 25. 

Privacy complaints are handled by the compliance team and escalated where necessary to legal counsel. DNS will investigate and respond to all privacy-related complaints within 30 days as required under Law 25. 

Role: Data Protection Officer / Responsable de la protection des renseignements personnels (PRP) 
Contact: security@datanextstep.com 
Website: https://datanextstep.com 

3. Information We Collect

DNS collects only the information necessary to fulfil legitimate business purposes in accordance with consent and applicable laws. We do not knowingly collect personal information from minors under age 14. If such information is discovered, it will be securely deleted unless retention is legally required.

In situations where your consent is required, DNS will ask for it explicitly. You may withdraw your consent at any time, unless we are legally required to retain certain information.

  1. Information You Provide Directly 
    • Name, email address, phone number
    • Company, job title
    • Information submitted through forms, contracts, or support requests
    • Account credentials when registering for services
  2. Information from Third Parties 
    • Service providers, vendors, or partners assisting us with IT, analytics, or marketing activities

4. Purpose of Processing

We process personal information for the following purposes: 

  • To provide, maintain, and improve our products and services 
  • To communicate with customers, partners, and vendors 
  • To fulfil contractual and legal obligations 
  • To protect against unauthorized access, misuse, or security incidents 
  • To comply with audit and record-keeping requirements under ISO 27001 and Law 25 

 

Access is limited to employees and authorized sub-contractors based on the least privilege principle. 

5. Legal Basis for Processing

DNS processes personal information only when a lawful basis applies under Law 25 and applicable privacy laws. These include: 

  • Consent — when you voluntarily provide information or authorize processing (e.g., forms, cookies, newsletters, marketing communications, or account registration). 
  • Contractual necessity — when processing is required to provide access to DNS services, maintain accounts, support customers, or fulfil contractual obligations. 
  • Legitimate business interests — when processing is required for internal operations (e.g., fraud prevention, product analytics, security monitoring, or service improvement) and when such interests do not override an individual’s privacy rights. 
  • Legal or regulatory obligations — when DNS must retain or disclose information to comply with tax laws, audit requirements, legal requests, or incident reporting obligations. 

 

Where consent is the lawful basis, it is freely given, informed, and revocable at any time. DNS evaluates the legal basis for each processing activity and uses contract or legitimate interest instead of consent whenever consent is not legally required, to ensure transparency and minimize consent fatigue. 

6. Retention and Destruction

Personal information is retained only as long as necessary for the purposes stated above or as required by law. Retention schedules are managed through DNS’s Information Retention and Disposal Policy. Once no longer needed, data is securely deleted or anonymized. 

7. Security Measures

DNS applies administrative, technical, and physical safeguards to protect personal information, including: 

  • Encryption in transit and at rest 
  • Role-based access controls and least-privilege principles 
  • Multi-factor authentication 
  • Regular vulnerability and risk assessments 
  • Secure data-handling and disposal procedures 
  • Privacy by design — privacy requirements are integrated into the development and procurement of systems and processes from the outset, in accordance with Law 25 

 

These controls are reviewed and tested as part of our ISMS and Law 25 privacy governance program. 

8. Your Rights

Under Law 25 and applicable privacy laws, you have the following rights: 

  • Right of access — to know whether we hold personal data about you and obtain a copy. 
  • Right to rectification — to correct inaccurate or incomplete information. 
  • Right to withdraw consent — to stop processing where consent is the legal basis. 
  • Right to data portability — to receive your data in a structured format, when applicable. 
  • Right to deletion (erasure) — to request deletion of your data where retention is no longer justified. 
  • Right to be informed of automated decision-making, if applicable. 
  • Right to file a complaint — you may file a complaint with the Commission d’accès à l’information du Québec (CAI) at www.cai.gouv.qc.ca if you believe your privacy rights have not been respected. 

 

Data portability requests may be sent through: NextIT Portability Request

All other requests may be sent to security@datanextstep.com

We will respond to all requests within 30 days of receiving the information required to process them, in accordance with applicable law. Additional time may be required where permitted by law, in which case you will be notified. 

9. Disclosure of Personal Information

We do not sell or rent your personal information. Disclosure occurs only when: 

  • Required by law or court order 
  • Necessary for service delivery by authorized third-party providers (such as hosting providers, authentication services, analytics platforms, payment processors, and customer support tools), under written agreements ensuring confidentiality and security 
  • Explicit consent has been obtained 

10. International Transfers

Data Next Step primarily stores data in Canada. 

Prior to any transfer of personal information outside Quebec, DNS conducts a Privacy Impact Assessment (PIA / Évaluation des facteurs relatifs à la vie privée – EFVP) to evaluate the level of protection offered in the destination jurisdiction. Transfers proceed only when appropriate protection is confirmed and are governed by written agreements with the receiving party, as required under Law 25. 

11. Cookies and Tracking Technologies

Our website uses cookies for functionality and analytics. Non-essential cookies (including analytics and marketing cookies) are only placed with your prior, explicit consent, obtained through our consent management tool before any such cookies are set. 

You may withdraw or modify your consent at any time through the cookie preference center available on our website. Note that disabling certain cookies may affect site functionality. Essential cookies required for the operation of the site do not require consent. 

12. Incident Response and Breach Notification

In the event of a privacy or security incident involving personal information, DNS will follow its Incident Response Plan and, where required by Law 25, notify the Commission d’accès à l’information du Québec (CAI) and affected individuals within applicable statutory timelines. 

DNS maintains a confidentiality incident register in accordance with its obligations under Law 25. 

13. Updates to this Policy

We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. The updated version will be posted on our website with a revised “Effective Date.” 

For material changes to this Policy, DNS will provide advance notice via email or a prominent notice on our website. Where required by law, renewed consent will be sought before such changes take effect. 

14. Contact Us

If you have questions or wish to exercise your privacy rights, please contact: 

Data Next Step 
Attn: Data Protection Officer 
security@datanextstep.com 
https://datanextstep.com 

In the event that any discrepancy exists between the English original version of the privacy policy and the French version, the English version shall prevail.