Trust Centre
Trust should be inspectable.
Compliance Health places security, privacy, and Canadian data residency at the heart of everything we do. Review where data lives, how it is protected, when people remain accountable, and what evidence is available during evaluation.
Evidence ledger
Documented controls and policies
Named people remain accountable
Evidence available during evaluation
The control detail stays visible.
Security claims are most useful when a buyer, auditor, or technical evaluator can understand the operating control and its current status.
Data residency
Customer Data is stored and processed in Canada by default. Platform storage, backups, and recovery copies remain Canada-hosted unless a customer-approved exception is documented, with encryption and contractual safeguards for any approved transfer.
Encryption
Core platform Customer Data stores are encrypted at rest using AES-256 or AWS KMS-backed provider encryption controls.
- Encryption in transit: All data transfers between your browser and our servers are protected using industry-standard protocols.
- Encryption at rest: Data stored in our systems uses industry-standard provider-backed encryption controls.
- Key management: Encryption keys are securely managed with managed provider key-management controls. Customer-specific key posture can be documented where applicable.
Human-in-the-loop
Compliance Health's AI-assisted workflows are governed rather than autonomous for consequential actions. AI outputs are advisory until accepted by configured workflow rules or a human reviewer, and low-confidence, ambiguous, exception, or customer-defined escalation paths route to human review. Audit history tracks status changes, reviewer actions and comments, evidence activity, and security-relevant events.
ISO/IEC 42001 roadmap
We align AI management practices to ISO/IEC 42001 controls and plan to pursue formal certification once sufficient operating evidence is available. We do not claim current certification; our controls catalog and roadmap support responsible AI governance today.
- Current state: Controls alignment
- Certification status: Not currently certified
Security in the operating workflow.
Defence-in-depth includes protective checks at intake, controlled administrative access, and retained evidence of security-relevant activity.
Validated before processing
Uploads are validated and scanned before processing, with manual review workflows for exceptions.
Protected administrative entry
Role-Based Access Control (RBAC) and Multi-Factor Authentication (MFA) protect administrative access.
Security events are retained
Security-relevant application and administrative events are logged and monitored.
Evidence retention
Keep the record that matters.
Verified student evidence is preserved for the applicable customer contract term unless the institution instructs otherwise. Temporary processing files and abandoned, duplicate, superseded, corrupt, or incomplete uploads may be cleaned up under controlled workflows.
Policies and evaluation documents.
Human-readable policies stay in the buying journey, with direct access to the details security, privacy, procurement, and governance teams need.
Privacy & Data Residency Policy
Collection, use, residency, retention, rights, and subprocessors.
OverviewSecurity Overview
Architecture, access controls, patching, logging, response, and continuity.
TermsTerms of Service
Accounts, privacy, service availability, fees, liability, and termination.
AIAI Usage Policy
How assisted outputs are governed, reviewed, and documented.
Contact us
Questions go to the people responsible for the answer.
Security: security@compliancehealth.com
Privacy: privacy@compliancehealth.com
For AI agents and technical evaluators
We publish a dedicated agent-discovery hub with machine-readable references for CARE Rails, trust posture, and canonical sources.
Bring us your security questionnaire.
Security and privacy questions go directly to the team responsible for the answer. We can provide the detail your technical, procurement, and governance reviewers need.