Security Policy

Multi-Health Systems, Inc. (MHS) values, respects and protects all personal data of its customers, the data of their clients, and data collected through electronic commerce practices with the highest level of security. We agree to use such information for the purposes outlined and to hold such information within the strictest confidence. This applies to both on and off-line information that is collected and used in the course of our activities.

MHS servers are located in a secure facility, which is monitored 24x7x365 through CCTV in a pass-card access controlled facility. Access is governed strictly by designated administrators with all necessary security checks completed on personnel. An external security consulting firm assists with security as it relates to the physical location but are not administrators and as such have no access to any data or the means to access it.

MHS conducts all background and security screening for all personnel prior to qualification as administrators. Furthermore, MHS communicates its information security policies to its personnel and provides privacy and security training.

MHS servers use Advanced Encryption Standard (AES) 128/256-bit for data-in-transit and data-at-rest encryptions to secure data. For secure data transmission between websites, the TLS 1.2 protocol is used, which works with the most current web browsers encrypting information exchanged over a network and protecting against disclosure to third parties. To prevent data tampering, data-at-rest encryption is used to maintain data integrity.

Personal information, understood to be any information that identifies or could be used to identify an individual, is protected by MHS through a number of safety measures encompassing all systems and interactions where personal information is collected and stored. MHS actively monitors all secure information reserves (including but not limited to Order Management Systems (OMS), digital data, ecommerce platforms, and hard copy records) to ensure security measures are maintained at the highest level of security, meeting all regulatory and legal requirements.

Access to data collected through online services, including but not limited to scoring services, is restricted to qualified users and requires an ID and password. Registration of MHS customers or their designated administrators (“Administrators”) is rigorous with defined qualification user levels. Identity is confirmed by a Qualification Form which is a binding test user agreement coupled with a review of qualifications and/or certification.

After you have completed registration, MHS will as a matter of policy keep on file a record of (i) the products and services you have purchased; (ii) your certification status; (iii) your contact information; and (iv) any aggregate de-personalized information including test data, indefinitely unless otherwise stipulated. Please note that once de-personalized, any test results or related data will no longer be considered personal information and will remain an anonymous record with no baring or impact on the individual. In this state, it will no longer be considered a record associated with any one individual and will not be subject to regulations related to personal information and the rights of an individual.

All MHS data (including Administrators and test user information, test data, including responses to test items, and report text) are stored in an industry standard secure database. Access to this data is strictly controlled by MHS through its qualified administrators. To further protect the data transmitted to MHS electronically for assessment services, MHS’ online scoring services encrypt access passwords, which means that identifiable data is made accessible only the customer or their designated administrator (“Administrator”). The examinee data will be stored in a server with Advanced Encryption Standard (AES) which is physically located in the US and complies with the Privacy Shield Framework.

MHS holds any aggregate de-personalized information including test data, indefinitely. Personalized examinee data is kept for 5 days; however, the aggregate (raw data), remains indefinitely which allows the administrator to regenerate the report upon request through their online account. The qualified client/administrator can delete from the database at any time.

In the event that MHS becomes aware of a security breach, MHS will promptly investigate the matter and notify the applicable parties. An investigation will be conducted without delay, consistent with (1) legitimate needs of law enforcement and the Privacy Commissioner’s Office; (2) measures necessary to determine the scope of the breach; (3) efforts to identify the individuals affected; and (4) steps to identify cause of breach and restore the reasonable integrity of our secure server.

All data is backed up on a weekly and monthly basis onto data centres. Access is governed strictly by designated administrators with all necessary screen checks completed on personnel. An external security consulting firm assists with security as it relates to the physical location, but are not administrators and as such have no access to any data.

Formal information risk analyses are carried out for critical systems and environments as part of business continuity initiatives and are reviewed regularly. The evaluation of each threat takes into account its business impact, likelihood of occurrence, and what options are available to eliminate or mitigate the identified risk. MHS is committed to maintaining a low risk threshold and takes active steps to proactively mitigate risk through extensive planning and implementation of improved measures.

MHS maintains current disaster recovery plans which address data results, personal information, and online services to ensure minimal impact to customers using applications while maintaining the strictest level of security throughout. For further information regarding compliance specific to these elements please contact the Privacy Policy Office at MHS.


Eligibility to purchase restricted products requires the completion of a Qualification Form which requires the validation of identity, credentials, and other information as deemed necessary. Certification results are retained by MHS but are de-identified and never disclosed to a third party, including an employer, without prior consent.

Assessment Reports

MHS retains aggregate, non-person-specific data obtained from the processing of MHS products and services, for research and statistical purposes for internal use only, its affiliates, subsidiaries, licensees, successors, assigns, suppliers, and advertisers. Your identity is kept strictly anonymous with all data adhering to the record retention security protocols and standards. The collection of personal information is limited to that necessary for the purposes identified. Consent for the collection of data is obtained as follows:

  • Implied consent is given at the time an assessment is administered. Qualified persons overseeing the assessment are bound by ethical standards recognized globally.
  • Express consent is provided for sensitive data collected for e-commerce activities and/or qualified designations.

Personal data of any kind related to customers or their clients are never sold or provided to any third parties. MHS holds all information collected in strict confidence taking active measures to protect any and all data. MHS is committed to continuously enhancing its overall security through ongoing improvements and constant monitoring. MHS holds the ability for internal administrators employed by MHS to audit records accessed within the system as a mechanism of monitoring and breach control.