Security Overview
Security is foundational to our product and operations. This page sets out our principles, high‑level controls, shared responsibilities, and our compliance roadmap.
Security principles
- Defence in depth: layered controls across infrastructure, application, and process.
- Least privilege: role‑based access with multi‑factor authentication for privileged roles; strong environment separation.
- Canada‑hosted by default: customer workloads are hosted in Canada.
- Human‑in‑the‑loop: critical decisions and exceptions include human review with full audit trails.
Architecture & hosting
- Modern, segmented cloud architecture hosted in Canadian data centres.
- Network isolation and strong secrets management practices.
- Secure engineering lifecycle with automated checks and peer review.
Data protection
- Encryption in transit and at rest.
- Access controls: role‑based access and multi‑factor authentication for privileged roles.
- Endpoint protections: corporate devices use standard hardening and encryption.
- Upload protections: protective scanning and file validation for uploaded content.
Vulnerability & patch management
- Regular patching and dependency updates on a defined cadence.
- Critical vulnerabilities handled on an expedited basis with documented remediation.
Logging, monitoring & retention
- Comprehensive audit logging of security‑relevant events and administrative actions.
- Centralized monitoring and alerting for availability and security signals.
- Logs retained for a limited period consistent with legal/contractual requirements (customer‑specific retention available by agreement).
Incident response
We maintain an incident response plan and conduct periodic exercises. If we confirm an incident involving customer data, we will notify affected customers without undue delay. To contact the security team or report a vulnerability, see Vulnerability Disclosure & Security Contacts.
Business continuity & disaster recovery
- Backups and recovery procedures are tested periodically.
- Primary and recovery resources are located in Canada.
- Documented RTO/RPO targets, and provisions for customer‑specific BCDR needs, are available under contract.
Compliance & certifications
- ISO/IEC 42001 (AI management): We are aligning our controls to ISO/IEC 42001 and plan to pursue formal certification once sufficient operating evidence is available.
- SOC 2: planned sequencing (Type I → Type II) after production launch.
- Canadian privacy: aligned to applicable laws; public‑sector processing performed under customer direction.
Shared responsibility
We secure the platform and core services; customers are responsible for user management, least‑privilege role assignment, and validating the appropriateness of data they upload.