1. Our Data Protection Framework
TriCore Partners operates across multiple jurisdictions — Canada, the United States, and the Gulf Cooperation Council (GCC) region. We maintain a unified data protection framework that meets or exceeds the requirements of all applicable legislation in every jurisdiction where we operate.
2. Applicable Data Protection Laws
Canada
- PIPEDA (Personal Information Protection and Electronic Documents Act) — Federal privacy law governing commercial activities
- Quebec Law 25 (Act respecting the protection of personal information in the private sector) — Enhanced requirements for Quebec operations including privacy impact assessments, consent management, and data breach notification
- Provincial legislation — Alberta (PIPA) and British Columbia (PIPA) where applicable
United States
- CCPA / CPRA (California Consumer Privacy Act / California Privacy Rights Act) — For California residents
- State-specific privacy laws — Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and other state legislation as enacted
- Federal financial privacy regulations — Gramm-Leach-Bliley Act (GLBA) provisions where applicable to financial institution clients
GCC Region
- UAE Federal Decree-Law No. 45 of 2021 (Personal Data Protection Law) — Governs data processing activities in the UAE
- DIFC Data Protection Law (Law No. 5 of 2020) — For activities within the Dubai International Financial Centre
- ADGM Data Protection Regulations 2021 — For activities within Abu Dhabi Global Market
- Saudi Arabia PDPL (Personal Data Protection Law, Royal Decree M/19) — For operations involving Saudi data subjects
- Qatar Law No. 13 of 2016 (Personal Data Privacy Protection) — For Qatar-related data processing
- Bahrain PDPL (Law No. 30 of 2018) — For Bahrain-related data processing
European Union & United Kingdom
- GDPR (General Data Protection Regulation) — Where we process data of EU/EEA individuals
- UK GDPR — Where we process data of UK individuals
3. International Data Transfers
Given our cross-border operations, personal data may be transferred between Canada, the United States, and the GCC. We ensure all international transfers are protected through:
- Contractual safeguards: Standard contractual clauses and data processing agreements with all service providers and between TriCore entities
- Adequacy assessments: Evaluation of the data protection standards in receiving jurisdictions
- Technical measures: Encryption in transit and at rest for all cross-border data transfers
- Access controls: Role-based access ensuring data is only accessible to authorized personnel in the relevant jurisdiction
- UAE-specific: Compliance with UAE PDPL requirements for cross-border transfers including ensuring adequate protection in the receiving country
- Canada-adequate status: Canada is recognized by the EU as providing adequate data protection, facilitating EU-Canada transfers
4. Third-Party Data Processors
We engage a limited number of third-party processors, each bound by data processing agreements:
| Provider | Purpose | Data Location |
| --- | --- | --- |
| Anthropic | AI-powered CV parsing and bio generation | United States |
Anthropic does not use data submitted through their API for model training. All processing is performed under their commercial data processing terms.
5. Data Security Measures
- Password protection using industry-standard bcrypt hashing
- Session-based authentication with secure, time-limited cookies (24-hour expiry)
- Account lockout protection after failed login attempts
- Role-based access controls separating candidate and partner data access
- Secure file upload handling with type validation and size limits
- Regular review of security practices and platform architecture
6. Data Breach Response
In the event of a personal data breach, TriCore Partners will:
- Investigate and contain the breach immediately upon discovery
- Notify the applicable data protection authority within the timeframe required by law (72 hours under GDPR/Quebec Law 25, as soon as feasible under PIPEDA, 30 days under UAE PDPL)
- Notify affected individuals without undue delay where the breach poses a real risk of significant harm
- Document the breach, its effects, and the remedial actions taken
- Implement measures to prevent recurrence
7. Contact
For data protection inquiries or to report a concern:
TriCore Partners
Attention: Data Protection
Email: info@tricorep.com
Montreal, Quebec, Canada