Security Features
Privacy Policy and Terms & Conditions
When you open an account with SMYLS, you agree to our Privacy Policy and Terms & Conditions. These documents represent our agreement with you on how SMYLS will properly handle the information for which you are the custodian.
Encryption & Secure Data Transfer
Anytime you transfer data from your computer to SMYLS, the information is encrypted with the same level of security as your bank uses to transfer information. Read more here: Security FAQ.
Zero Credit Card Data in SMYLS
SMYLS never stores a client’s plain credit card information directly on SMYLS servers. When you enter a credit card in SMYLS, SMYLS instantly transfers that data to one of our Canadian payment processing partners through encrypted transfer. Our PCI-compliant payment processing partners store that information for SMYLS. The default behaviour of these partners is to store the credit card information so that refunds can be processed, and to manage subscriptions.
Our payment processing partners have been very carefully chosen, and they employ AES-256 encryption for all sensitive merchant and cardholder data, such as name, card numbers, expiry dates and cardholder address, in order to meet PCI compliance. We do not store CVV, PIN, EMV, or mag data. Our partners safeguard data in transit with TLSv1.2 and strong ciphers, excluding outdated SSLv3, TLSv1.0, and TLSv1.1 from our systems. This ensures that data is encrypted in transit and maintains integrity. In addition, all payment partners are Level 1 PCI-DSS compliant service providers, undergoing rigorous on-site audits, vulnerability scanning, penetration testing, and adherence to NIST security practices, all aimed at ensuring the highest level of data security compliance with the Payment Card Industry Data Security Standard.
Account Owner Control
Account owners can control access permissions for each user, as well as terminate access at will.
Unique User ID & Password Required
Administrators, doctors, and staff each access SMYLS using their own account secured by a unique User ID and Password. In addition, you may use 2FA (2-factor authentication) for an additional layer of security.
Sign-in after Inactivity (Auto Log-Out)
To further protect patient information on a computer that may be accessed by multiple staff members, SMYLS provides the option to ask for a password after an account has been inactive for some time (between 10 minutes and 4 hours).
Limited Deleting of Patients
To avoid irreparable mistakes with data, SMYLS does not allow deleting clients for whom you have created transactions. You will only be able to delete a client if they have no transactions attached to their name.
Still Have Questions?
Have any questions about this guide or anything else related to security? Feel free to email Privacy and Security Support at privacy@smyls.ca and we’d love to clarify anything you’re unsure about!