Data
Protection

1. Our Data Protection Framework

TriCore Partners is headquartered in Canada, with operations in the United Arab Emirates and engagements involving clients and individuals in the United States. We maintain a data protection framework designed to meet the requirements of the privacy legislation applicable to our operations and to the individuals whose data we process.

Note: TriCore Partners is not established in the European Union, the European Economic Area, or the United Kingdom and has not appointed a representative under Article 27 of the GDPR or the UK GDPR. Our services are not directed to individuals in those territories, and any incidental processing of EU/EEA or UK personal data is handled under the principles of the Canadian, UAE, and US frameworks below.

2. Applicable Data Protection Laws

Canada

• PIPEDA (Personal Information Protection and Electronic Documents Act) — Federal privacy law governing commercial activities
• Quebec Law 25 (Act respecting the protection of personal information in the private sector) — Enhanced requirements for Quebec operations including privacy impact assessments, consent management, and data breach notification

United Arab Emirates

• UAE Federal Decree-Law No. 45 of 2021 (Personal Data Protection Law) — Governs data processing activities in the UAE outside the financial free zones

United States

• CCPA / CPRA (California Consumer Privacy Act / California Privacy Rights Act) — Where we process personal information of California residents
• State consumer privacy laws — We monitor and apply the equivalent rights frameworks adopted by other US states (e.g., Virginia, Colorado, Connecticut, Texas) as they become applicable to our processing activities

3. International Data Transfers

Personal data may be transferred between Canada, the United States, and the United Arab Emirates, and to limited third-party service providers (see Section 4). We protect transfers through:

• Contractual safeguards: Data processing agreements with service providers
• Technical measures: Encryption in transit and at rest
• Access controls: Role-based access ensuring data is only accessible to authorized personnel
• UAE PDPL: Cross-border transfers handled in accordance with UAE PDPL requirements

4. Third-Party Data Processors

We engage a limited number of third-party processors, each bound by data processing agreements:

Anthropic does not use data submitted through their API for model training. All processing is performed under their commercial data processing terms.

5. Data Security Measures

• Password encryption using industry-standard bcrypt hashing
• Session-based authentication with secure, time-limited cookies (24-hour expiry)
• Account lockout protection after failed login attempts
• Role-based access controls separating candidate and partner data access
• Secure file upload handling with type validation and size limits
• Regular review of security practices and platform architecture

6. Data Breach Response

In the event of a personal data breach, TriCore Partners will:

• Investigate and contain the breach immediately upon discovery
• Notify the applicable data protection authority within the timeframe required by law (72 hours under Quebec Law 25, as soon as feasible under PIPEDA, and within the timeframe required by the UAE PDPL)
• Notify affected individuals without undue delay where the breach poses a real risk of significant harm
• Document the breach, its effects, and the remedial actions taken
• Implement measures to prevent recurrence

7. Contact

For data protection inquiries or to report a concern:

TriCore Partners
Attention: Data Protection
Email: [email protected]
Montreal, Quebec, Canada