SaskTel uses Google Apps for email and collaboration and stores some data in the Google Cloud. It's important for you to understand that some SaskTel data is being stored outside of Canada and therefore may be subject to the laws of the countries where it resides.

SaskTel is aware of the potential concerns of storing data in the Google Cloud. SaskTel has taken steps to protect SaskTel's data and ensure privacy through contractual language in SaskTel's agreement with Google. These agreements contain strong privacy language aimed at protecting the data while it is stored in Google's Cloud.

SaskTel's agreement with Google states that ownership of SaskTel's data stored in the Google Cloud remains with SaskTel. The information sent to the Google Cloud can only be used for the purpose of providing the services SaskTel has subscribed to and is not to be used for any other reason. Google is not permitted to disclose our data without SaskTel's prior consent unless Google is required to respond to a legal order for access.

SaskTel's primary sources of data, such as customer account information, must be stored in a corporately controlled environment. SaskTel recognizes that services provided to SaskTel, such as email, may be processed outside of Canada, but these media must never be used to create a primary database that resides outside of controlled corporate systems.

Data access subject to Canadian and U.S. laws

Google is a well-known and respected supplier of cloud services headquartered in the United States. Emails and personal information may be accessible by the government, courts, law enforcement or regulatory agencies through the laws of the USA.

Canadian authorities have virtually identical powers to those available to American law enforcement via the Canadian Security Intelligence Service Act. Regardless of where information resides, it will always be subject to lawful disclosure to law enforcement or national security bodies. In Canada, this includes search warrants under the Criminal Code of Canada and the Canadian Security Intelligence Service Act, and administrative subpoenas such as those issued under the Income Tax Act. In addition, US agencies can call upon Canada for assistance in law enforcement through mutual legal assistance treaties.

Canada, the United States and other countries engage in a very high level of cooperation that includes mutual legal assistance treaties and ad hoc information sharing. If U.S. agencies are interested in an individual who has ties to Canada, foreign law enforcement can make a formal request of the appropriate Canadian law enforcement entity to obtain the relevant information on their behalf. Most Canadian privacy laws permit this sort of information sharing under treaties or other arrangements.

Data security

Google's suite of applications was designed from the ground up with security of data in mind and SaskTel worked with Google to ensure we are fully satisfied that the data is as technically secure as possible.

Google will work with and cooperate with SaskTel should there be a breach of the data or an investigation underway. It's our data and the accountability rests with SaskTel although from time to time will require the assistance of Google.

How is your data protected?

Security: Google's security organization is broken down into several teams that focus on information security, global security, auditing, and compliance, as well as physical security for protection of Google's hardware infrastructure. These teams work together to address Google's overall global computing environment.

Google employs multiple layers of defense to help protect the network perimeter from external attacks. Only authorized services and protocols that meet Google's security requirements are permitted to traverse the company's network. Unauthorized packets are automatically dropped.

Physical Security Controls: Google's data centers are geographically distributed and employ a variety of physical security measures. The technology and security mechanisms used in these facilities may vary depending on local conditions such as building location and regional risks.

The standard physical security controls implemented at each Google data center include the following: custom designed electronic card access control systems, alarm systems, interior and exterior cameras, and security guards.

Access to areas where systems, or system components, are installed or stored are segregated from general office and public areas, such as lobbies. The cameras and alarms for each of these areas are centrally monitored for suspicious activity, and the facilities are routinely patrolled by security guards. Google's facilities use high resolution cameras with video analytics and other systems to detect and track intruders. Activity records and camera footage are kept for later review.

Access to all data center facilities is restricted to authorized Google employees, approved visitors, and approved third parties whose job it is to operate the data center. Google maintains a visitor access policy and procedures stating that data center managers must approve any visitors in advance for the specific internal areas they wish to visit. The visitor policy also applies to Google employees who do not normally have access to data center facilities. Google audits who has access to its data centers on a quarterly basis.

Google restricts access to its data centers based on role, not position. As a result, most senior executives at Google do not have access to Google data centers.

Access Controls: Google has controls and practices to protect the security of customer information. Google applications run in a multi-tenant, distributed environment. Rather than segregating each customer's data onto a single machine or set of machines, Google consumer and business customer data (as well as Google's own data) is distributed among a shared infrastructure composed of Google's many homogeneous machines and located across Google's data centers. As such, the data has to be reassembled from all the data centers to have any meaning.

Google makes widespread use of two-factor (2-step) authentication mechanisms, such as certificates and one-time password generators. Two-factor authentication is required for all access to production environments and resources through Google's Single Sign On system. Third party applications using Google Apps for Business can also use two-factor authentication. Access rights and levels are based on an employee's job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities. An employee's authorization settings are used to control access to all resources, including data and systems for Google's cloud technologies and products.

Incident Management: Google has an incident management process for security events that may affect the confidentiality, integrity, or availability of its systems or data. This process specifies courses of action and procedures for notification, escalation, mitigation, and documentation.

Business Continuity: To minimize service interruption due to hardware failure, natural disaster, or other catastrophe, Google implements a disaster recovery program at all of its data centers. This program includes multiple components to minimize the risk of any single point of failure, including the following:

• Google application data is replicated to multiple systems within a data center, and in some cases also replicated to multiple data centers.
• Google operates a geographically distributed set of data centers that is designed to maintain service continuity in the event of a disaster or other incident in a single region. High-speed connections between the data centers help to support swift failover.
• Management of the data centers is also distributed to provide location-independent, around-the-clock coverage, and system administration.