Security & Trust Center

Enterprise-Grade Security for Your Critical Asset Data

At AssetLab, security is fundamental. We've built our platform with enterprise-grade security, privacy-first design, and transparent practices to protect your asset information.

Security Controls at a Glance

Quick-reference summary for IT and procurement reviews. Full details in the sections below.

Control | Implementation | Status
Encryption in Transit | TLS 1.3 | Active
Encryption at Rest | AES-256 via Supabase | Active
Data Residency | Canada - AWS ca-central-1 (Montreal) | Active
Authentication | Clerk - Passkeys & email OTP | Active
Multi-Tenant Isolation | PostgreSQL Row-Level Security | Active
Role-Based Access Control | Administrator, Manager, Staff, Requester | Active
SSO | Available for enterprise customers | Active
Audit Logging | Full activity tracking | Active
Penetration Testing | Periodic third-party; report on request (NDA) | Active
Uptime SLA | 99.5% guaranteed | Active
Automated Backups | Daily automated backups (every 24 hours) | Active
Disaster Recovery | Documented procedures | Active
No AI Processing | Customer data never sent to AI providers | Active
PIPEDA | Privacy by Design principles | Aligned

Last reviewed: April 2026

Security & Data Protection

Multi-layered security architecture built for enterprise asset management. Your data is protected at every level.

Infrastructure Security

  • TLS 1.3 Encryption - All data in transit protected with industry-leading encryption
  • AES-256 at Rest - Database encryption via Supabase enterprise infrastructure

Application Security

  • Row-Level Security - PostgreSQL RLS ensures complete data isolation
  • Multi-Tenant Isolation - Organization-based data segregation
  • Audit Logging - Comprehensive activity tracking and access logs

Access Management

  • Role-Based Access Control - Administrator, Manager, Staff, and Requester roles
  • SSO Support - Single Sign-On available for enterprise customers

Penetration Testing

We conduct periodic third-party penetration tests to validate our security controls and identify vulnerabilities before they can be exploited. Customers can request access to our latest pen test results under a mutual NDA.

  • Periodic Testing - Independent security assessments conducted regularly
  • Third-Party Auditors - Tests performed by qualified external security firms
  • NDA-Protected Reports - Full findings available to customers under NDA
Request Pen Test Report →

Compliance & Standards

Meeting Canadian standards for data protection and privacy. Built with compliance in mind from day one.

PIPEDA Aligned

Built with Canadian privacy principles in mind.

  • Privacy by Design - Security and privacy considered in every feature
  • Transparent Handling - Clear documentation of data processing activities
  • User Consent - Consent collected before gathering personal information

Data Residency

Core application data is stored on Canadian servers. Authentication is handled by Clerk, which processes user identity data on US-based infrastructure.

  • Clerk Authentication - User identity data processed in the US
  • Canadian Privacy Laws - Subject to PIPEDA and provincial privacy legislation

Data Processing Agreement

A Data Processing Agreement is available for customers who require formal documentation of how we process personal data on their behalf. Request a copy to include in your internal procurement or compliance review.

Request DPA →

Privacy & Data Protection

Your data, your rights, our commitment. We believe in transparent data practices and user control.

No AI Processing of Customer Data

Your customer data is never sent to third-party AI providers such as OpenAI, Anthropic, or Google AI. No customer data is analyzed by external machine learning models.

  • No External AI Processing - Customer data stays within our secure infrastructure
  • No Training Data - We never use your data to train AI models

Privacy Principles

  • No Data Selling - We never sell, trade, or rent your data to third parties
  • Minimal Collection - We only collect data necessary to provide our services
  • Transparent Processing - Clear documentation of how we use your information
  • User Control - You maintain full control over your data at all times
Read Full Privacy Policy →

Your Data Rights (PIPEDA)

  • Right to Access - Request a copy of all your personal information
  • Right to Correction - Request corrections to inaccurate data
  • Right to Deletion - Request deletion of your account and associated data
  • Data Portability - Export your data in common formats (CSV, JSON)
Exercise Your Rights →

Infrastructure & Reliability

Enterprise-grade infrastructure you can count on. Built for performance, designed for reliability.

Cloud Infrastructure

  • Supabase Enterprise - PostgreSQL database with enterprise-grade reliability
  • Canadian Data Centers - AWS ca-central-1 region in Montreal
  • Auto-Scaling - Automatically scales to handle peak demand
  • Global CDN - Fast asset delivery worldwide via edge network

Uptime & Monitoring

  • 99.5% Uptime SLA - Guaranteed availability for business-critical operations
  • 24/7 Monitoring - Continuous system health monitoring around the clock

Backup & Recovery

  • Automated Backups - Daily backups every 24 hours to protect your data
  • Disaster Recovery - Documented procedures for rapid recovery

Third-Party Subprocessors

Third-party services we use to deliver AssetLab. All subprocessors are contractually bound to protect your data.

Service | Purpose | Location
Supabase | Database & Storage | Canada
Clerk | Authentication | USA
Resend | Transactional Email | USA
Cloudflare | CDN, Security & DNS | Global (Edge)

Last updated: March 2026

Questions About Security?

Our security team is here to answer your questions and provide additional documentation for enterprise procurement and compliance reviews.

Responsible disclosure • Enterprise support • Compliance documentation