Security FAQ
Data Security
Are email systems used by TermLynx configured to use TLS?
Yes. All TermLynx personnel use Outlook from Microsoft to exchange emails with its third-party suppliers and with the organization, which is TLS encrypted.
Are web services used by TermLynx configured to TLS?
Yes. All external web services used by TermLynx to exchange data with its third-party suppliers and with the organization, communicate using https, which is encrypted.
Is TermLynx certified or audited against recognized information security or assurance standards?
Yes. TermLynx is Cyber Essentials Certified by Cyber Secure Canada, the Canadian government’s cybersecurity certification program. To be certified, an organization has to prove to a certification body (in TermLynx’s case, Watsec Cyber Risk Management) that it has implemented the necessary security controls set by the Standards Council of Canada. These security controls range from inventory of hardware and software assets, assessing potential threats, developing an incident response plan, to more technical controls such as installing and securely configuring anti-virus/ anti-malware software, as well as firewalls, changing administrative passwords, use of multi-factor authentication, and possessing a data backup and encryption policy.
Are background checks (including criminal checks) being conducted on TermLynx employees?
Background checks (including criminal checks) are conducted on employees.
Does TermLynx prohibit BYOD to access information?
Pursuant to our Data Security Policy, all personal computers and devices must be presented to the Chief Technology Officer for proper job provisioning and security configuration of standard apps, such as browsers, office productivity software and security. Personnel are only permitted to download and install an application on a TermLynx information resource that has an independently validated code sign certificate which attests that the application’s code has not been altered or compromised by a third party. Any application that does not have such code sign certificate must be evaluated and approved by the Chief Technology Officer prior to installation on any TermLynx information resource. All data users are prohibited from using or otherwise accessing TermLynx information resources for any purpose other than conducting TermLynx business. TermLynx employs the use of JumpCloud to securely manage and connect TermLynx users to its information resources and to enforce the security measures set out in the Data Security Policy.
Confidential Information
Does TermLynx Cloud store or process data outside of your organization’s premises? If so, what is the nature of the data being stored or processed?
With your organization’s permission, TermLynx will collect certain anonymous data in order to ensure TermLynx’s optimal performance. Such performance data includes Windows version and operating system information, stack traces leading up to an unexpected crash of TermLynx and certain usage and performance analytics. None of the aforementioned data includes any information contained in documents on which TermLynx is used.
TermLynx will also need to collect certain license information to manage and validate the license(s) granted to the organization. Such license information includes the name of your organization, the number of seats included in the license granted, Windows version information and the unique number(s) identifying the validation request(s) and the computer(s) from which it is (they are) originating. This information is only used to validate the license granted and to collect the aggregate statistics about the license validations. No other information is collected.
Finally, your organization may, at its discretion, send TermLynx certain files and documents in order to diagnose or troubleshoot issues experienced by users when accessing TermLynx.
Is any of your information stored, processed or transmitted by TermLynx to its third party service providers?
Stored Information:
TermLynx collects and stores certain anonymous data in order to ensure TermLynx’s optimal performance. Such performance data includes Windows version and operating system information, stack traces leading up to an unexpected crash of TermLynx and certain usage and performance analytics. TermLynx will also need to collect and store certain license information to manage and validate the license(s) granted to your organisation. Such license information includes the name of your organisation, the number of seats included in the license granted, the business email address of users, Windows version information and the unique number(s) identifying the validation request(s) and the computer(s) from which it is (they are) originating. This information is only used to validate the license granted and to collect the aggregate statistics about the license validations.
Additionally, the prompts and completions data used in TermLynx’s generative content feature may be temporarily stored by the Azure OpenAI Service in the same region as the resource for up to 30 days. This data is encrypted and is only accessible to authorized Microsoft employees for the following very limited purposes: (1) debugging purposes in the event of a failure, and (2) investigating patterns of abuse and misuse to determine if the service is being used in a manner that violates the applicable product terms. The following link provides additional information on what Microsoft considers to be an issue, or otherwise harmful use, of the Azure OpenAI service: Code of Conduct for the Azure OpenAI Service | Microsoft Learn. Termlynx’s generative content feature can be disabled upon request for users that are uncomfortable with the use of Azure OpenAI.
Subject to the limited exception above limited to TermLynx’s generative content feature, none of the aforementioned data includes any information contained in documents on which TermLynx is used or any end-user inputs when using TermLynx (e.g. search queries, selected terms).
Processed and Transmitted Information:
Documents on which TermLynx is used and all end-user inputs are processed through the Microsoft Azure cloud infrastructure. Subject to the limited exception noted above limited to TermLynx’s generative content feature, all of such information is only temporarily cached on the Microsoft Azure servers and is cleared (deleted) after 15 minutes of the user’s inactivity. Subject to the limited exception noted above limited to TermLynx’s generative content feature, none of this information is stored on a database or written on a hard disk. All of the foregoing information (other than generated definitions and their instances) are processed on our Microsoft Azure servers located in Canada (Toronto). Generated definitions (and their instances) are processed via Azure OpenAI which are also located in Canada (Quebec).
Does TermLynx, which utilizes OpenAI for generating definitions, pose a risk to my confidential information?
TermLynx does not send any data to OpenAI (the company). We are part of the Azure OpenAI program. This means that Azure hosts the instances running OpenAI's service. We use Azure OpenAI instead of OpenAI because of its stringent data-privacy policy.
To consult the official data-privacy FAQ for Azure OpenAI, you can click on the following link:
As mentioned above, only the prompts and completions data used to in TermLynx’s generative content feature may be temporarily stored by the Azure OpenAI Service in the same region as the resource for up to 30 days. This data is encrypted and is only accessible to authorized Microsoft employees for the following very limited purposes: (1) debugging purposes in the event of a failure, and (2) investigating patterns of abuse and misuse to determine if the service is being used in a manner that violates the applicable product terms. Otherwise, TermLynx does not store any information contained in documents on which TermLynx is used or any end-user inputs when using TermLynx (e.g. search queries, selected terms).
Additionally, TermLynx does not use any of the other services of Azure OpenAI which could result in the storage of information, namely, validation, and training results data or fine-tuning OpenAI models.
My Organization is not ready to use Azure OpenAI. Can it be disabled?
Termlynx’s generative content feature is only enabled upon request for users that are comfortable with the use of Azure OpenAI.