Eight compliance frameworks · Zero shortcuts · Built audit-ready

Property data treated like bank data.

Resident contact info. Visitor logs. Incident reports. Insurance certificates. Board minutes. BuildingAutopilot is built to handle the most sensitive operational data in your building with the same rigor financial services treat your bank account — encrypted, audited, compliant.

256-bit AES encryption: at rest, in flight, in backups
99.99% uptime SLA: 52 min annual downtime budget
< 24h DSAR fulfillment: access, transfer, deletion
0 reportable breaches: since day one

Eight compliance frameworks

The acronyms your auditor and lawyer actually care about.

Compliance isn’t a checkbox we tick at the end. It is how the product is shaped from the schema up. Every framework below applies today, in every customer environment, without an enterprise upcharge.

SOC 2 (Type II)

Annual third-party audit of security, availability, processing integrity, confidentiality, and privacy controls.

ISO 27001 (ISMS)

Information Security Management System with documented controls across 14 domains.

ISO 27701 (PIMS)

Privacy Information Management extension — controls for personal data handling and DSAR workflows.

ISO 27017 (Cloud)

Cloud-specific security controls covering segregation, virtual environments, and customer responsibilities.

ISO 9001 (QMS)

Quality Management System covering change control, incident management, and continuous improvement.

PIPEDA (Canada)

Personal Information Protection and Electronic Documents Act — Canada’s federal privacy law.

GDPR (EU)

European Union General Data Protection Regulation — applied platform-wide, not retrofitted.

HIPAA (US Health)

Health Insurance Portability and Accountability Act controls for sensitive resident health data.

Six pillars

How we treat your building’s data.

Encryption

Encrypted at rest. Encrypted in flight. Encrypted in backups.

AES-256 at rest for every database column. TLS 1.3 in flight across every API. Customer-managed keys available on the enterprise tier. Nothing leaves our infrastructure unencrypted.

  • AES-256 column-level encryption at rest
  • TLS 1.3 enforced on every API endpoint
  • Customer-managed KMS keys (enterprise tier)
  • Encrypted, geo-redundant continuous backups

Access control

Role-aware permissions, mandatory MFA, zero-trust by default.

Every API call, every screen, every record check is scoped by role and tenant. OAuth 2.0 / OIDC for staff. Optional SSO. Mandatory MFA for admin accounts. Time-boxed elevated sessions for sensitive ops.

  • Role-based access control across 12+ personas
  • OAuth 2.0 / OpenID Connect for staff sign-in
  • Optional SAML / SCIM for enterprise SSO
  • Mandatory MFA for admin, board, and finance roles

Audit & monitoring

Immutable audit log. Every action, every operator.

Every administrative action is logged with operator, timestamp, IP, request ID, and a before/after diff of the affected record. The audit log is append-only: entries can be added and read but not edited or deleted, not even by our own operators. The auditor walks in and reads exactly what happened.

  • Append-only audit log across all admin operations
  • Operator, IP, timestamp, request ID on every event
  • Real-time anomaly detection on privileged actions
  • 24/7 monitoring with on-call rotation
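What such an event looks like, and one shape the "anomaly detection on privileged actions" bullet can take, as an added example that is not BuildingAutopilot's code. The field names, the set of privileged actions, the thresholds and the sample events are constructed assumptions; the in-memory store only models the append-only interface, and a production log would sit on write-once storage.

```python
"""Append-only audit events plus a simple anomaly check on privileged actions.

Added illustration of the logging and detection described above; it is not
BuildingAutopilot's code. Field names, thresholds and the sample events are
constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

PRIVILEGED_ACTIONS = {"record:delete", "role:grant", "export:bulk"}  # assumed


def diff_record(before, after):
    """Field-level before/after diff; only changed keys are kept."""
    return {k: {"from": before.get(k), "to": after.get(k)}
            for k in sorted(set(before) | set(after))
            if before.get(k) != after.get(k)}


class AuditLog:
    """Append-only in memory: the class exposes append and read-only iteration."""

    def __init__(self):
        self._events = []

    def append(self, ts, operator, ip, request_id, action, before=None, after=None):
        event = {"seq": len(self._events) + 1, "ts": ts, "operator": operator,
                 "ip": ip, "request_id": request_id, "action": action,
                 "diff": diff_record(before or {}, after or {})}
        self._events.append(event)   # the only write path
        return event

    def events(self):
        return tuple(self._events)   # a copy, so callers cannot mutate history


class PrivilegedActionMonitor:
    """Flags two patterns per operator: a burst of privileged actions inside a
    sliding window, and a privileged action from an IP never seen for them."""

    def __init__(self, max_per_window=3, window=timedelta(minutes=5)):
        self.max_per_window, self.window = max_per_window, window
        self._recent = defaultdict(deque)     # operator -> timestamps in window
        self._known_ips = defaultdict(set)    # operator -> IPs seen so far

    def observe(self, event):
        alerts = []
        op, ip, ts = event["operator"], event["ip"], event["ts"]
        if event["action"] in PRIVILEGED_ACTIONS:
            # Only alert on a new IP once a baseline for the operator exists.
            if self._known_ips[op] and ip not in self._known_ips[op]:
                alerts.append(("new_ip_for_privileged_action", op, ip, event["request_id"]))
            q = self._recent[op]
            q.append(ts)
            while q and ts - q[0] > self.window:
                q.popleft()
            if len(q) > self.max_per_window:
                alerts.append(("privileged_burst", op, len(q), event["request_id"]))
        self._known_ips[op].add(ip)           # every event extends the baseline
        return alerts


def run_sample():
    """Constructed sample events; returns (alerts, first diff, event count)."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    log, monitor, alerts = AuditLog(), PrivilegedActionMonitor(), []
    sample = [
        (0, "a.ng", "10.0.0.5", "req-1", "record:write",
         {"unit": "4B", "phone": "555-0100"}, {"unit": "4B", "phone": "555-0199"}),
        (1, "a.ng", "10.0.0.5", "req-2", "record:delete", None, None),
        (2, "a.ng", "10.0.0.5", "req-3", "record:delete", None, None),
        (3, "a.ng", "10.0.0.5", "req-4", "record:delete", None, None),
        (4, "a.ng", "10.0.0.5", "req-5", "record:delete", None, None),   # 4th in 5 min
        (20, "a.ng", "203.0.113.7", "req-6", "role:grant", None, None),  # unfamiliar IP
        (21, "b.lee", "10.0.0.9", "req-7", "record:delete", None, None), # no baseline yet
    ]
    for minute, op, ip, rid, action, before, after in sample:
        event = log.append(t0 + timedelta(minutes=minute), op, ip, rid, action, before, after)
        alerts.extend(monitor.observe(event))
    return alerts, log.events()[0]["diff"], len(log.events())


if __name__ == "__main__":
    for alert in run_sample()[0]:
        print(alert)
```

Two details worth noting: the diff stores only the fields that changed, so the log records what an operator did without duplicating whole records, and the monitor is evaluated as each event is appended rather than in a later batch, which is what makes "real-time" on the page mean something.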

Privacy by design

DSAR in hours, not weeks. Data minimization, not vacuuming.

Data subject access requests are fulfilled with one click, whether the request is for export, transfer, or deletion. We collect the minimum required for each feature, retain it only as long as the documented purpose or a legal obligation requires, and document every processing purpose in our record of processing activities (ROPA).

  • One-click DSAR fulfillment (access, rectification, deletion)
  • Data minimization by design — 14 processing categories documented
  • Retention policies enforced automatically at the schema layer
  • Bilingual privacy notices (English / fr-CA)

Resilience

99.99% uptime SLA. Disaster recovery the auditor actually wants.

Geo-redundant continuous backups. Point-in-time recovery to any minute in the last 30 days. Documented runbooks for every failure mode. Quarterly disaster recovery drills with measured RTO/RPO.

  • 99.99% uptime SLA (52 minutes annual downtime budget)
  • Geo-redundant backups across two regions
  • Point-in-time recovery to any minute in last 30 days
  • Quarterly DR drills with documented RTO/RPO

Secure development

SAST every pull request. DAST every release. Pentests every year.

Static analysis runs on every PR. Dynamic application security testing runs on every release. Third-party penetration test annually with findings published to enterprise customers under NDA.

  • SAST scanning on every pull request
  • DAST scanning on every staging release
  • Annual third-party penetration testing
  • Dependency vulnerability scanning continuously

Responsible disclosure

Found a vulnerability? Tell us.

We run a responsible disclosure program for security researchers. Email security@buildingautopilot.ca with a clear reproduction and we will acknowledge within 24 hours, agree scope with you, and credit you in our hall of fame once the fix ships. We will not pursue legal action against researchers acting in good faith.

Want the full security questionnaire?

We share our completed CAIQ, SIG, and pentest summary under NDA. Tell us which framework your team needs and we will send it over.

Request the security pack