Scope
This addendum sits alongside our Privacy Policy and Terms of Service and describes how physical devices and the data they contain are handled from the moment they leave your premises. It is written for security, legal, and compliance teams doing due diligence.
Chain of custody
- Devices are counted and signed for at collection; the handover is logged against your pickup reference.
- Sealed containers are used for lots above a threshold agreed at booking.
- Every custody transfer — courier, warehouse, wipe station, buyer — is recorded with actor, timestamp, and event.
- The client portal shows the current custody stage for each pickup in real time.
Data destruction standard
We destroy data to NIST SP 800-88 Rev. 1:
- Clear — software-based overwrite for drives that will be reused.
- Purge — cryptographic erase or firmware secure-erase where supported.
- Destroy — physical shredding for failed drives or when the client explicitly requests it.
Every drive is verified by a technician; the outcome and standard used are recorded per serial number and reflected on the Certificate of Data Destruction.
Certificates
- Issued per device or per lot, depending on the job.
- Include a hashed serial identifier, wipe standard, technician attestation, and the pickup reference.
- Verifiable by anyone at alyco.ca/verify using the certificate's serial hash.
- Stored in the client portal for seven (7) years and available for download at any time.
Retention
- Pickup and certificate records — 7 years.
- Device event log — 7 years, linked to the pickup.
- Portal account data — while active; deleted on request (records above are retained separately).
- Application server logs — up to 90 days.
Access controls
- Client portal access is scoped by row-level security — you only see your own records.
- Internal access to production data is limited to authorised ALYCO staff.
- Certificates are stored in a private bucket; downloads use short-lived signed URLs.
- All traffic is encrypted in transit (HTTPS).
Subprocessors
- Lovable Cloud — hosting, database, file storage for the site and portal.
- Resend — outbound transactional email.
- Google — optional sign-in for portal accounts.
We will notify active portal users by email at least 30 days before adding a subprocessor that processes customer data.
Incidents
If we become aware of a security incident affecting your data, we will notify you within 72 hours with what we know, what we're doing, and what — if anything — we recommend you do. Report suspected issues to hello@alyco.ca.
Not a certification
This document describes ALYCO's current operational practices and is maintained by us. It is not an independent audit or certification. When customers require formal attestations we provide references and evidence on request.
Reach out to hello@alyco.ca. We respond within one business day.
THIS PAGE IS MAINTAINED BY ALYCO IMPEX INC. AND DESCRIBES OUR CURRENT PRACTICES. IT IS NOT LEGAL ADVICE.