Security Overview

Security is foundational to our product and operations.

This page sets out our principles, high-level controls, shared responsibilities, and our compliance roadmap.

Security principles

  • Defence in depth: layered controls across infrastructure, application, and process.
  • Least privilege: role-based access with multi-factor authentication for privileged roles; strong environment separation.
  • Canada-hosted by default: customer data, backups, and recovery copies are hosted in Canada unless a customer-approved exception applies.
  • Human-in-the-loop: consequential workflow outcomes require human review or an approved deterministic control path, with audit trails.

Architecture & hosting

  • Modern, segmented cloud architecture with customer workloads hosted in Canadian regions by default.
  • Network isolation and strong secrets management practices.
  • Secure engineering lifecycle with automated checks and peer review.

Data protection

  • Encryption: data is encrypted in transit, and core platform Customer Data stores are encrypted at rest using AES-256 or AWS KMS-backed provider encryption controls.
  • Access controls: role-based access and multi-factor authentication for privileged roles.
  • Endpoint protections: corporate devices use standard hardening and encryption.
  • Upload protections: uploads are validated and scanned before processing, with manual review workflows for exceptions.
  • Evidence retention: verified student evidence is retained for the applicable customer contract term unless the institution instructs otherwise.

Vulnerability & patch management

  • Regular patching and dependency updates on a defined cadence.
  • Critical and high vulnerabilities have defined remediation or documented risk-acceptance targets.
  • Automated assurance includes SAST, dependency/SBOM checks, secret scanning, container image scanning, and CI/CD controls.
  • External penetration testing or authenticated DAST is either planned or provided as customer-specific evidence, unless a current report is attached.

Logging, monitoring & retention

  • Security-relevant application and administrative events are logged and monitored.
  • Centralized monitoring and alerting for availability and security signals.
  • Logs retained for a limited period consistent with legal/contractual requirements (customer-specific retention available by agreement).

Incident response

We maintain an incident response plan and conduct periodic exercises. If we confirm an incident involving customer data, we will notify affected customers without undue delay and within applicable contractual or regulatory timelines.

Business continuity & disaster recovery

  • Backups and recovery procedures are tested periodically.
  • Primary and recovery resources are located in Canada.
  • Customer-specific RTO/RPO targets can be documented under contract and depend on the final architecture and support plan.

Compliance & certifications

  • ISO/IEC 42001 (AI management): We are aligning our controls to ISO/IEC 42001 and plan to pursue formal certification once sufficient operating evidence is available.
  • SOC 2: roadmap planning after production launch; no current SOC 2 report is claimed.
  • Canadian privacy: aligned to applicable laws; public-sector processing performed under customer direction.

Shared responsibility

We secure the platform and core services; customers are responsible for user management, least-privilege role assignment, and validating the appropriateness of data they upload.

Trust by design

Built for regulated care teams

Compliance Health is designed for high-trust environments: Canadian residency, accountable automation, and clear evidence trails.

Canada-hosted

Customer data stored and processed in Canada (AWS ca-central-1).

Human oversight

Human-in-the-loop review with auditable checkpoints for each decision.

Audit-ready evidence

Evidence trails and logs designed for inspections and internal governance.

ISO/IEC 42001 roadmap

AI management controls in place; certification roadmap in progress.