1. Valid legal process required
We disclose Customer Data to a government or law-enforcement body only when compelled by valid legal process applicable to us, or where strictly necessary to protect safety or our rights.
2. We scrutinize and narrow
We review each request for validity and scope and push back on overbroad or improper requests. Where we consider a request unlawful, we challenge it, including before a court or tribunal where appropriate. We apply data minimization: we disclose only the minimum information necessary to satisfy a request we are legally compelled to answer, and never more than the request requires.
3. Customer notice
Where we are legally permitted, we notify the affected customer before disclosure so they can seek to limit or challenge it.
4. Documentation and record-keeping
We document every request we receive. For each one we record the authority that made it, the legal instrument relied on, the data sought, the date received, our assessment of its validity and scope, the response we provided (including any refusal or narrowing), and the authorized personnel at Nova System who reviewed and handled it. Only authorized personnel may receive, assess, or respond to a request. We retain these records so that we can conduct internal review, honour the transparency commitment in section 7, and assist a customer who wishes to challenge a disclosure.
5. No bulk or direct access
We do not give any authority direct, bulk, or back-door access to Customer Data.
6. Data location
Customer Data resides in Canada; cross-border requests are handled with applicable safeguards.
7. Transparency
We publish, in aggregate and where lawful to do so, the volume of requests we receive and how we responded. See our Transparency Report.