Data Security and Protection is our Priority

Data security and privacy protection is a priority for AGA Benefit Solutions. Beyond complying with the main privacy regulations, we stay on top of industry standards to provide maximum protection to our clients.

We keep improving our security framework and practices, whether by adhering to legislation such as Law 25, which modernizes Quebec's privacy regime, or by adopting best-in-class cybersecurity practices.

You will find below a description of our security philosophy and the guidelines which govern our systems, your data and the actions of our employees.

Data Privacy

Respect, a core value for AGA

At AGA, respect materializes through our commitment to abide by cybersecurity and data privacy legislation and best market practices. We have implemented stringent governance and procedures to ensure compliance with the requirements of Law 25 in Quebec, PIPA in Alberta and PIPEDA in the other Canadian provinces. AGA is also committed to aligning with upcoming legislation, such as Bill C-27, and with best-in-class data handling practices.

Our philosophy can be summed up in a single sentence:

Keep as little data as possible, for as little time as possible, with as little access as possible.

Personal Information Collection and Handling

For greater transparency, our Privacy Policy details the situations where we must collect personal information and the circumstances under which this data will be used.

From that page, you can contact our Chief Privacy Officer to ask questions or file a complaint when a situation is considered unacceptable. Additionally, through the AGA Privacy Portal (https://privacy.aga.ca), you may request to:

  • Access the sensitive information we hold about you,
  • Have your data deleted whenever possible, or
  • Request specific corrections to your information.

For How Long Do We Keep Your Personal Information?

We collect the personal information required for providing you with services such as plan enrolment, plan administration or support throughout the life of your plans.

A data retention calendar specifies the retention timeline for each type of information collected, as required under the various pieces of legislation governing AGA Benefit Solutions.

Summary:

  • Data on the employees of an organization, used in the sales and enrolment processes, is retained for a period of 2 years following the performance of the service.
  • Data on brokers is retained for a period of 5 years following the end of the fiscal year to which the data pertains.
  • Insurance and financial planning records are retained for a period of 7 years following the last transaction of a member after the closure of his/her file.
  • For prescription drug claims only, all data describing or resulting from the claim must be retained for a period of 10 years following the execution of the transaction.

How Do We Control Data Privacy?

AGA Benefit Solutions uses the Lightbeam.ai platform to identify, control and act upon any type of sensitive information. This solution enables us to inventory, categorize, classify and monitor sensitive data to ensure its sound and safe use.

This same platform also forms the backbone of the AGA Privacy Portal (https://privacy.aga.ca).

Beyond controlling sensitive data, AGA adopts the best security practices to protect and store the information. More details are available below under Security of Daily Operations and Security of Technology Platforms.

Finally, our employees are provided with continuous training on cybersecurity and best data and access management practices. Mandatory training sessions and phishing simulations are conducted to raise employee awareness on an ongoing basis.

Data Storage

The data included in member files and plan sponsor files are stored on servers located in Canada. Some data used to support the conduct of AGA business processes can be stored on servers located in North America, and more specifically in Canada or the United States.

Security of Daily Operations

AGA has implemented a series of measures to secure its daily operations.

  • Background checks on all employees upon hiring.
  • Annual signing of a code of ethics and an IT usage policy describing the best practices to be followed when using technologies and sensitive data.
  • Governance of operations through various policies, all of which are available on our website, including:
    • policy on terms of use of services
    • policy on abuse and fraud
    • privacy policy
    • dispute handling policy
    • compensation policy.
  • Access to AGA premises and certain critical areas controlled through a security system.
  • Mandatory cybersecurity training for employees upon hiring, along with refresher sessions 4 times a year.
  • Phishing simulations throughout the year, so that our employees are able to react appropriately to this type of threat.
  • Careful selection of our products and suppliers. AGA uses well-known, reputable service providers.
  • Implementation of a policy and procedure for responding to minor or major security incidents.

Security of Technology Platforms

Likewise, AGA protects the use of its technology platforms with the following initiatives:

  • An IT management policy governing the practices to be adopted to secure environments and data.
  • For all employees, access to the different systems they are authorized to use through their own unique accounts (designated accounts), secured by passwords in accordance with best industry practices.
  • Use of designated accounts so that the actions taken within each platform can be traced to an individual.
  • Two-factor authentication required on our main systems.
  • A secure password vault available to each employee to manage system accounts and encourage the generation of complex passwords.
  • Encryption of data at rest and in transit, wherever practicable.
  • Managed detection and response (MDR) solutions used to secure our messaging, files and network.
  • Screening of emails and files to monitor activity in real time.
  • A response team (our security operations centre, or SOC) monitoring the security of our environment on a 24/7 basis.
  • A dark web monitoring tool that continually reviews posts to proactively detect any leak of our data.
  • Implementation of best software development and environment configuration practices by our technology teams.
  • Regular updating of our software, platforms and technological assets.
  • Regular external and internal penetration testing.

Service Availability and Business Continuity

We maintain and regularly test our business resumption and technology recovery plans to ensure execution feasibility and meet resumption timelines. We also make backup copies in accordance with best market practices.