Zero Tolerance for Child Exploitation: Our CSAM and Reporting Policy

Mandatory reporting procedures aligned with Canadian and U.S. law, enforced without exception.

1. Purpose and Commitment

Lumitiv, based in Calgary, Alberta, operates as a managed IT service provider (MSP) delivering remote support, system maintenance, monitoring, cybersecurity services, and related technical functions to clients in Canada and the United States.

We maintain a strict zero-tolerance policy for any content or activity involving Child Sexual Abuse Material (CSAM), child exploitation, grooming, solicitation, trafficking, or any form of child sexual abuse. For the purposes of this policy, a child is defined as any individual under the age of 18.

Lumitiv does not proactively monitor or scan client personal content outside the scope of contracted IT and security services. However, if, during legitimate service delivery activities (such as remote access sessions, log analysis, endpoint monitoring, patch management, or incident response), we encounter credible indicators of CSAM or child exploitation, we will act immediately to:

  • Stop work in the affected area.

  • Preserve relevant system metadata and logs where feasible and legally appropriate.

  • Avoid downloading, copying, duplicating, or redistributing any suspected material.

  • Escalate internally and report to appropriate authorities without exception.

Lumitiv is not a law enforcement agency and does not conduct independent criminal investigations. Our role is limited to responsible escalation, reporting, preservation of non-content evidence, and cooperation with lawful authorities.

All actions taken under this policy will align with applicable privacy legislation, including PIPEDA and relevant provincial statutes in Canada, and applicable federal and state privacy laws in the United States.

This policy exists to protect children, comply with law, uphold ethical standards, and mitigate risk to Lumitiv, our personnel, and our clients.

2. Definitions

Child Sexual Abuse Material (CSAM): Any visual depiction (images, videos, digital files), including real, altered, synthetic, or AI-generated content, that portrays a child engaged in sexually explicit conduct, sexualized nudity, or exploitation. This includes possession, access, distribution, or promotion.

Child Exploitation Indicators: Grooming communications, solicitation of minors, sextortion, live-streamed abuse, trafficking recruitment, or facilitation of sexual abuse.

Discovery: Incidental findings encountered during legitimate contracted IT or cybersecurity activities. Lumitiv does not perform proactive surveillance of non-business client content unless explicitly contracted for lawful compliance or forensic services.

Credible Suspicion: Objective indicators that a reasonable technology or cybersecurity professional would interpret as potential CSAM or child exploitation based on observable evidence. It does not require forensic confirmation or criminal proof.

3. Prohibited Activities and Client Expectations

Lumitiv will not knowingly provide, manage, administer, secure, host, or support any system, network, account, or service that is used to create, store, access, transmit, or promote CSAM or child exploitation material.

Any such activity:

  • Violates Lumitiv service agreements.

  • May result in immediate suspension of services.

  • May result in termination of the client relationship.

  • Will be referred to appropriate authorities.

Lumitiv personnel are prohibited from accessing, viewing, copying, or handling suspected CSAM beyond what is minimally necessary to identify and report credible suspicion.

This policy forms part of Lumitiv’s broader Service Agreement and Acceptable Use framework.

Lumitiv assumes no responsibility for criminal conduct undertaken by clients or their users. Our obligation is limited to lawful reporting and cooperation.

4. Detection During Service Delivery

Incidental detection may occur during:

  • Remote support sessions.

  • Routine system maintenance.

  • Security monitoring (EDR, SIEM, anomaly alerts).

  • Log analysis or forensic review.

  • Backup validation or storage review.

  • Other contracted activities requiring system access.

Lumitiv does not conduct broad or indiscriminate scanning of client personal content unless explicitly contracted and legally authorized.

Upon credible suspicion:

  • Immediately cease activity in the affected area.

  • Do not open additional files or expand exposure.

  • Document minimal identifying details (file names, paths, timestamps, system identifiers, cryptographic hashes where available).

  • Do not download, screenshot, duplicate, or retain suspected content.

  • Preserve system logs and metadata only.

  • Escalate immediately to the Managing Director or appointed Compliance Officer.

Employees must report suspicions immediately and no later than the same business day. Urgent situations involving imminent risk must be escalated without delay.

5. Mandatory Reporting Procedures

Lumitiv maintains a zero-exception reporting policy. Any credible suspicion of CSAM or child exploitation discovered during service delivery will be reported as soon as reasonably practicable after forming that suspicion.

Reporting Framework

Reporting is conducted according to jurisdiction:

Primary International Intake (when appropriate):

National Center for Missing & Exploited Children (NCMEC) CyberTipline (cybertipline.org)

Where required by jurisdiction, direct reporting to Canadian or U.S. law enforcement may occur prior to or in parallel with NCMEC submission.

Canada-Specific Reporting

  • Royal Canadian Mounted Police (RCMP)

  • National Child Exploitation Crime Centre (NCECC)

  • Local or Provincial Police Service

  • Canadian Centre for Child Protection (cybertip.ca)

  • Provincial Child Protection Authorities if immediate risk is suspected

United States Reporting

  • Federal Bureau of Investigation (FBI)

  • Local or State Law Enforcement

  • Internet Crimes Against Children (ICAC) Task Forces

Emergency Situations

If a child appears to be in immediate danger, emergency services (911) will be contacted.

Report Content

Reports may include:

  • IP addresses

  • Account identifiers

  • Timestamps

  • File metadata

  • Hash values (if available)

  • Context of incidental discovery

Suspected content itself will not be transmitted or retained unless explicitly required by law enforcement.

Evidence Preservation

Lumitiv will:

  • Preserve relevant logs and metadata.

  • Avoid retaining prohibited material.

  • Maintain records in accordance with privacy and retention laws.

  • Comply with lawful requests (e.g., warrants, subpoenas, production orders).

Preserved non-content records will be retained consistent with Lumitiv’s data retention policy or until released by law enforcement.

6. Employee and Contractor Responsibilities

All employees and contractors must:

  • Complete annual training on recognizing exploitation indicators.

  • Follow strict least-privilege access controls.

  • Adhere to safe handling protocols.

  • Report suspicions immediately.

  • Refrain from copying, sharing, or discussing suspected material outside formal reporting channels.

Personnel exposed to such material may be given access to wellbeing or counselling support.

Failure to follow this policy may result in disciplinary action, up to termination.

Personnel may be required to formally acknowledge this policy as part of employment or contractor agreements.

7. Client Communication and Consequences

Upon reporting:

  • Lumitiv may notify the designated client contact unless doing so would interfere with an investigation or violate legal instructions.

  • Notification will not occur if the contact appears implicated.

  • Lumitiv will follow law enforcement guidance regarding timing and scope of notification.

  • Affected systems or accounts may be suspended immediately.

  • Client relationships may be terminated.

Lumitiv will cooperate fully with lawful investigations.

8. Governance and Policy Review

This policy is reviewed annually or upon legal or regulatory change.

The Managing Director retains authority to update reporting channels or operational procedures as required by evolving agency processes or jurisdictional requirements without requiring full policy reissuance.

Lumitiv may participate in industry initiatives to improve child protection practices within the managed services sector.

For questions regarding this policy, contact: [email protected]