Trust Centre

Trust should be inspectable.

Compliance Health places security, privacy, and Canadian data residency at the heart of everything we do. Review where data lives, how it is protected, when people remain accountable, and what evidence is available during evaluation.

We state current controls plainly, identify roadmap items as roadmap items, and do not claim certifications we have not earned.

Evidence ledger

Data residency
Canada by defaultCustomer data, backups, and recovery copies remain Canada-hosted unless a customer-approved exception is documented.
Human review
Accountability stays with peopleConsequential, ambiguous, low-confidence, exception, and customer-defined outcomes can route to human review.
Evidence trails
Actions remain inspectableStatus changes, reviewer actions, comments, evidence activity, and security-relevant events are retained for review.
AI management
Controls now; certification laterPractices align to ISO/IEC 42001 control themes. Compliance Health does not claim current certification.
Source

Documented controls and policies

Owner

Named people remain accountable

Review

Evidence available during evaluation

The control detail stays visible.

Security claims are most useful when a buyer, auditor, or technical evaluator can understand the operating control and its current status.

01In place

Data residency

Customer Data is stored and processed in Canada by default. Platform storage, backups, and recovery copies remain Canada-hosted unless a customer-approved exception is documented, with encryption and contractual safeguards for any approved transfer.

02In place

Encryption

Core platform Customer Data stores are encrypted at rest using AES-256 or AWS KMS-backed provider encryption controls.

  • Encryption in transit: All data transfers between your browser and our servers are protected using industry-standard protocols.
  • Encryption at rest: Data stored in our systems uses industry-standard provider-backed encryption controls.
  • Key management: Encryption keys are securely managed with managed provider key-management controls. Customer-specific key posture can be documented where applicable.
03In place

Human-in-the-loop

Compliance Health's AI-assisted workflows are governed rather than autonomous for consequential actions. AI outputs are advisory until accepted by configured workflow rules or a human reviewer, and low-confidence, ambiguous, exception, or customer-defined escalation paths route to human review. Audit history tracks status changes, reviewer actions and comments, evidence activity, and security-relevant events.

04Roadmap

ISO/IEC 42001 roadmap

We align AI management practices to ISO/IEC 42001 controls and plan to pursue formal certification once sufficient operating evidence is available. We do not claim current certification; our controls catalog and roadmap support responsible AI governance today.

  • Current state: Controls alignment
  • Certification status: Not currently certified

Security in the operating workflow.

Defence-in-depth includes protective checks at intake, controlled administrative access, and retained evidence of security-relevant activity.

Uploads

Validated before processing

Uploads are validated and scanned before processing, with manual review workflows for exceptions.

Access

Protected administrative entry

Role-Based Access Control (RBAC) and Multi-Factor Authentication (MFA) protect administrative access.

Monitoring

Security events are retained

Security-relevant application and administrative events are logged and monitored.

Evidence retention

Keep the record that matters.

Verified student evidence is preserved for the applicable customer contract term unless the institution instructs otherwise. Temporary processing files and abandoned, duplicate, superseded, corrupt, or incomplete uploads may be cleaned up under controlled workflows.

Policies and evaluation documents.

Human-readable policies stay in the buying journey, with direct access to the details security, privacy, procurement, and governance teams need.

Contact us

Questions go to the people responsible for the answer.

For AI agents and technical evaluators

We publish a dedicated agent-discovery hub with machine-readable references for CARE Rails, trust posture, and canonical sources.

Bring us your security questionnaire.

Security and privacy questions go directly to the team responsible for the answer. We can provide the detail your technical, procurement, and governance reviewers need.