CHILD SAFETY POLICY

Zero tolerance.
No exceptions.

Where child sexual abuse material is concerned, we stop, preserve, report, and cooperate. No client is too large.

We don’t go looking through client systems. That’s not what we’re hired for, and honestly, it’s not something we’d want to be hired for. But IT work is IT work, and every so often a technician runs into something they weren’t looking for — during a remote session, a backup check, a log review. Most of the time, what to do next depends on what it is. With child sexual abuse material, it doesn’t. Canadian and U.S. law both require us to report credible evidence to the authorities, and looking the other way would be a crime in itself. We wouldn’t look the other way anyway.

1. Why this policy exists

Technology work puts people in proximity to other people’s data. Remote sessions, log reviews, backup validation, endpoint monitoring, ticket triage — any of these can incidentally surface things a technician did not go looking for. Most of what gets seen is mundane or lawful. Some of it is not. Anyone who has worked in this field for long has a story.

Lumitiv acknowledges this openly rather than pretending otherwise. Our technicians will, over time, occasionally encounter evidence of activity that is illegal, unethical, or harmful. How we respond is a defining question for us as a company.

For most categories, our response is contextual — we assess, we escalate, we consult counsel, we follow our Incident Response and Acceptable Use policies.

For Child Sexual Abuse Material (CSAM) and child exploitation, there is no contextual assessment. We stop, we preserve, we report, and we cooperate with law enforcement. No exceptions. No client is too large. No revenue figure changes the outcome.

This policy exists to:

  • Protect children by ensuring credible evidence reaches authorities who can act on it.
  • Comply with statutory reporting obligations in Canada and the United States.
  • Give Lumitiv personnel clear, unambiguous instructions so no one has to improvise in a moment of shock.
  • Protect Lumitiv, its personnel, and its clients from the legal, ethical, and reputational consequences of inaction or mishandling.

2. Scope

This policy applies to:

  • All Lumitiv employees, contractors, and subcontractors.
  • All Lumitiv service delivery activities, regardless of client location, system location, or engagement type.
  • All client systems, networks, accounts, and data that Lumitiv accesses, manages, monitors, or supports.

This policy applies whether Lumitiv encounters suspected material on a client system, on a Lumitiv-owned system, or through a third-party service integrated with our delivery operations.

3. Definitions

Child. Any person under the age of 18. Where a specific statute uses a different age threshold, the more protective definition applies.

Child Sexual Abuse Material (CSAM). Any visual depiction — photograph, video, rendering, or digital file — that portrays a child engaged in sexually explicit conduct, sexualized nudity, or sexual exploitation. This includes:

  • Real imagery of real children.
  • Altered, composited, or “deepfaked” imagery of real children.
  • Fully synthetic or AI-generated imagery depicting children.
  • Text-based material where possession, distribution, or creation is criminalized under applicable law (this category is jurisdiction-specific and requires legal review).

Child Exploitation Indicators. Non-image evidence of child sexual abuse, grooming, solicitation of minors, sextortion, trafficking, live-streamed abuse, or the facilitation or organization of any of the above.

Discovery. Incidental encounter with suspected material during the course of legitimate contracted service delivery. Lumitiv does not perform proactive scanning of client personal content outside contracted, lawful scopes of work.

Credible Suspicion. The standard met when a reasonable IT or cybersecurity professional, viewing the available objective indicators, would conclude that the material may be CSAM or evidence of child exploitation. Forensic confirmation is not required. Uncertainty resolves toward reporting, not away from it.

Reportable Event. Any instance of credible suspicion identified under this policy.

4. Zero tolerance — the commitments that do not bend

Lumitiv will not:

  • Knowingly provide, manage, secure, host, back up, or support any system used to create, store, access, transmit, or promote CSAM or child exploitation material.
  • Withhold a report in exchange for client retention, contract value, or any commercial consideration.
  • Warn a client or user that a report has been made, unless expressly cleared to do so by law enforcement or legal counsel.
  • Treat a credible suspicion as anything less than a Reportable Event, regardless of who the client is.

Lumitiv will:

  • Report every credible suspicion to the appropriate authority within the timeframes required by law.
  • Preserve non-content evidence (logs, metadata, identifiers) to the extent legally permitted and technically feasible.
  • Cooperate fully with lawful investigations, warrants, subpoenas, and production orders.
  • Support personnel who identify and report suspected material.

Knowing violation of this policy by any employee or contractor is grounds for immediate termination and may itself be reportable to authorities.

5. Statutory reporting framework

Lumitiv’s reporting obligations are not discretionary. They arise from statute. The following is Lumitiv’s current understanding and must be confirmed and kept current by legal counsel.

5.1 Canada

Canada’s An Act respecting the mandatory reporting of Internet child pornography by persons who provide an Internet service (the “Mandatory Reporting Act”) imposes duties on persons who provide Internet services to the public. These include:

  • Reporting to the designated organization (the Canadian Centre for Child Protection, operating cybertip.ca) as soon as feasible after being advised of an Internet address where CSAM may be available to the public.
  • Notifying a peace officer and preserving computer data where there are reasonable grounds to believe CSAM has been transmitted, made available, or accessed.
  • Preserving relevant computer data for 21 days after the notification.
  • Not disclosing the making of the report in a manner that could prejudice an investigation.

Additional statutes — including the Criminal Code offences relating to child pornography and luring — may create further obligations depending on circumstance.

Legal determination required. Whether Lumitiv qualifies as a “person who provides an Internet service” under the Mandatory Reporting Act depends on the specific services delivered to a given client. Lumitiv’s legal counsel shall provide and maintain a written determination on this question. Until that determination is on file, Lumitiv shall default to the stricter interpretation and report as though the Act applies.

5.2 United States

Under 18 U.S.C. § 2258A, electronic communication service providers and remote computing service providers that obtain actual knowledge of apparent CSAM on their systems must report to the CyberTipline operated by the National Center for Missing & Exploited Children (NCMEC). Key obligations include:

  • Reporting as soon as reasonably possible, and in any event no later than 60 days after obtaining actual knowledge unless a shorter timeline applies.
  • Preserving the contents of the report and any commingled visual depictions, data, and other information for at least 90 days, extendable to 180 days on request.
  • Restricting access to preserved material to personnel with a legitimate need.

Legal determination required. Whether Lumitiv qualifies as a covered provider under § 2258A depends on the services delivered to a given U.S.-based client or on U.S.-based systems. Lumitiv’s legal counsel shall provide and maintain a written determination. Until that determination is on file, Lumitiv shall default to the stricter interpretation.

5.3 Jurisdictional primacy

When a Reportable Event is identified, the jurisdiction of primary reporting is determined by:

  1. Location of the affected client entity.
  2. Location of the system, account, or data where the material was observed.
  3. Location of any identified victim, if known.
  4. Apparent location of the suspect user, if known and distinguishable from the client.

If factors point to Canada, cybertip.ca and the RCMP National Child Exploitation Crime Centre (NCECC) are the primary channels. If factors point to the United States, NCMEC is the primary channel. Where factors point to both, both reports are filed. Where an identified victim appears to be in immediate danger, emergency services (911) are contacted first, irrespective of jurisdictional analysis.

6. If you encounter suspected material — what to do

This section is written for the technician in the moment. Follow it in order.

1. Stop. Close the file, the directory, the log pane, the session — whatever exposed the material. Do not open further items to “confirm.” Do not attempt to identify the victim. Do not attempt to identify the suspect beyond what is already visible.

2. Do not copy, download, screenshot, forward, print, or transmit the suspected content. Ever. Through any channel. Including to Lumitiv internal systems, chat tools, or email. Handling suspected CSAM outside of law enforcement channels is itself a criminal offence in both Canada and the United States.

3. Note minimally identifying, non-content details that will allow the incident to be located again under lawful authority:

  • File name and path (without opening the file).
  • Host identifier, account identifier, IP address, or device name.
  • Timestamp of encounter.
  • A brief factual description of what caused your suspicion.
  • Cryptographic hash, if one is already visible in the course of normal work — but do not hash the content yourself if doing so requires reading or copying it.

4. Escalate immediately. Same business day is the ceiling, not the target. Escalate to:

  • Primary: Compliance Officer.
  • Backup: Managing Director.
  • If both are unreachable and the matter cannot wait: any member of Lumitiv senior leadership.

Use voice or in-person contact for initial escalation. Follow with a written summary to the incident intake channel designated by the Compliance Officer. Do not include the suspected material or descriptions of its content beyond what is strictly necessary for triage.

5. Preserve access to logs and metadata. Do not delete, modify, or clean up system state. Do not run maintenance that would rotate relevant logs. If automated processes may affect relevant data, flag this to the Compliance Officer immediately.

6. Do not notify the client, the user, or anyone outside the Lumitiv escalation chain. This includes coworkers not involved in the response. Premature disclosure can prejudice an investigation and may itself be unlawful.

7. Stay available. You may be asked to provide a written statement, answer questions from counsel, or assist law enforcement. You will not be asked to re-examine the material.

7. Confirmation, reporting, and preservation — what happens after escalation

7.1 Confirmation of credible suspicion

Upon escalation, the Compliance Officer (or, if unavailable, the Managing Director) determines whether credible suspicion exists. This determination:

  • Is made by a minimum of two people where feasible, one of whom is the Compliance Officer or Managing Director.
  • Does not require viewing the suspected material. It is based on the reporter’s description and the surrounding technical indicators.
  • Resolves in favour of reporting where any reasonable doubt exists.

The determination, the reasoning, and the timestamps are documented.

7.2 Legal counsel engagement

External legal counsel with relevant criminal and privacy expertise is engaged immediately upon confirmation of credible suspicion. Counsel advises on:

  • Reporting mechanics and timing.
  • Client notification decisions.
  • Preservation scope and duration.
  • Law enforcement interaction.
  • Privilege considerations.

7.3 Reporting

Reports are filed promptly and in any event within the timeframes identified in Section 5. Lumitiv maintains active intake accounts with:

  • Canadian Centre for Child Protection (cybertip.ca).
  • RCMP National Child Exploitation Crime Centre (NCECC).
  • NCMEC CyberTipline (cybertipline.org).

Reports include the information specified in Section 6, step 3, plus any additional context requested by the receiving authority. Reports do not include the suspected content itself unless law enforcement specifically directs otherwise through lawful process.

7.4 Preservation

Preservation begins at the moment of credible suspicion and continues for the longer of:

  • The statutory minimum for the applicable jurisdiction (21 days for Canada’s Mandatory Reporting Act; 90 days, extendable to 180, under U.S. § 2258A).
  • The duration specified by law enforcement.
  • Twelve months, as a Lumitiv default floor.

Preserved material is stored under access controls limited to the Compliance Officer, Managing Director, and designated counsel. A preservation log records what was preserved, when, by whom, and under what access restrictions. Chain-of-custody documentation is maintained throughout.

Preservation covers non-content artifacts (logs, metadata, system state, hashes). Suspected content itself is not copied into Lumitiv preservation stores. It is preserved in place to the extent technically feasible, with access restricted, until released by law enforcement.

8. Client communication and consequences

8.1 Default posture

The default is that Lumitiv does not notify the client, the user, or any implicated party about a Reportable Event until:

  • Law enforcement has cleared notification, or
  • A defined review by legal counsel concludes that notification does not prejudice investigation and is consistent with applicable non-disclosure requirements.

This default reverses the v1.0 policy’s posture and reflects that premature notification is both a common prosecution-integrity problem and a potential statutory violation.

8.2 Service consequences

Upon confirmation of credible suspicion, Lumitiv may, on counsel’s advice:

  • Suspend access to affected systems or accounts.
  • Suspend or terminate the client engagement.
  • Decline to provide further services to implicated individuals.

Where the client organization is not itself implicated (for example, a rogue employee on a corporate endpoint), Lumitiv works with the client, once notification is cleared, to scope an appropriate remediation.

Where the client organization is implicated, service is terminated. No transition services, no data handover that is not legally required, no continued relationship.

8.3 Cooperation with investigations

Lumitiv cooperates fully with lawful investigations. This includes responding to warrants, subpoenas, production orders, and preservation requests. Requests are routed through legal counsel. Informal or unverified requests are declined pending verification.

9. Personnel — obligations and protections

9.1 Obligations

All Lumitiv employees and contractors must:

  • Complete mandatory training on this policy at onboarding and annually thereafter.
  • Formally acknowledge this policy in writing at onboarding and at each annual update.
  • Follow Section 6 in the event of discovery.
  • Never copy, share, describe in detail, or discuss suspected material outside formal escalation channels.
  • Refuse any client instruction that would require violating this policy, and escalate the instruction immediately.

9.2 Good-faith reporter protection

Lumitiv guarantees that personnel reporting suspected material in good faith — including reports that turn out to be mistaken — will not face adverse employment consequences for the report itself. This protection extends to reports that prove unfounded after investigation.

Retaliation against a good-faith reporter by any Lumitiv employee, contractor, or manager is itself grounds for termination.

9.3 Wellbeing and support

Incidental exposure to CSAM or child exploitation material can cause lasting psychological harm. Lumitiv guarantees the following to any employee or contractor who encounters such material in the course of their work:

  • Immediate paid time away from the affected work, for as long as needed.
  • Access to a licensed mental health professional at Lumitiv’s cost, with no requirement to disclose the content or context of the exposure to Lumitiv.
  • Accommodation of schedule or workload adjustments during recovery.
  • Assurance that declining to continue work on the affected engagement will not count against the individual.

This support is offered as of right, not on request. The Compliance Officer initiates the offer at the point of escalation.

9.4 Training

Training is delivered by a qualified external provider and covers:

  • Recognition of CSAM and child exploitation indicators in the technical contexts Lumitiv operates in.
  • The step-by-step actions in Section 6.
  • Legal obligations and consequences.
  • Preservation and non-handling principles.
  • Wellbeing resources.

Training completion records are retained for the duration of employment plus seven years.

10. Governance

This policy is owned by the Compliance Officer and approved by the Managing Director. It is reviewed:

  • Annually on a scheduled cycle.
  • Immediately upon any material change to applicable law in Canada or the United States.
  • Immediately following any Reportable Event, to capture operational lessons.

The Managing Director may update reporting channels, contact details, and operational procedures to reflect evolving agency processes without requiring a full policy reissue. Substantive changes to obligations, scope, or thresholds require formal reissue and re-acknowledgment by personnel.

Lumitiv participates, where appropriate and beneficial, in industry initiatives that advance child protection practices within managed services. Specific affiliations are listed in an appendix maintained by the Compliance Officer.

11. Related policies and documents

This policy operates alongside, and is cross-referenced by:

  • Acceptable Use Policy
  • Incident Response Policy
  • Data Retention and Preservation Policy
  • Privacy Policy (PIPEDA and applicable U.S. state law compliance)
  • Employee Handbook
  • Service Agreement (Master Services Agreement and Schedules)
  • Vendor and Subcontractor Code of Conduct

In the event of conflict between this policy and another Lumitiv policy on the subject of CSAM or child exploitation, this policy governs.

12. Acknowledgment

Every Lumitiv employee and contractor acknowledges this policy in writing at onboarding and at each annual review. Client organizations acknowledge this policy as part of the Master Services Agreement onboarding package.

13. Contact

Questions, concerns, or reports under this policy:

  • Primary: [email protected]
  • Backup: Managing Director (direct line provided in the employee handbook)
  • After hours, urgent: On-call senior leadership channel

If a child appears to be in immediate danger, call 911 before contacting Lumitiv.