Enterprise-Grade Security

Security you can show your inspector.

Every technical safeguard, compliance certification, and data protection measure — documented in one place.

Canadian Data Residency

Your patients' data never leaves Canada.

Toronto & Montréal

Canadian data centres. Full sovereignty.

Canadian Data Residency

PHI stored in Canadian data centres only.

PIPEDA Built In

Compliance is non-negotiable.

Compliance Certifications

✓ Verified

PIPEDA Compliant

All patient data stored exclusively on Canadian servers. Full compliance with federal and provincial privacy legislation.

✓ Active

Multi-Factor Authentication

TOTP-based two-factor authentication for all accounts. Required for admin and supervisor roles, protecting access to sensitive PHI.

✓ Active

AES-256 Encryption

Every piece of protected health information is encrypted at rest and in transit. Zero plaintext PHI anywhere.

✓ Active

7-Year Audit Logs

Tamper-proof, immutable audit trails for every action. Export-ready for provincial inspections at any time.

Multiple layers. No single point of failure.

Defense-in-depth security architecture protecting every layer of your data.

Infrastructure

Canadian cloud infrastructure with network segmentation, firewall rules, and DDoS protection.

Authentication

JWT with short-lived tokens, bcrypt password hashing, account lockout after 5 failed attempts.

Authorization

Role-based access control enforced at the API layer. Multi-tenancy isolation: organization data is architecturally separated.

Data Protection

AES-256 field-level encryption at rest, TLS 1.3 in transit, PHI never appears in application logs.

Audit & Monitoring

Immutable audit trail for every sensitive operation. Automated alerts for failed logins, account lockouts, and access events.

Incident Response

If something goes wrong, we're ready.

Detection

Automated monitoring detects anomalous access patterns in real time. Security team is alerted within minutes.

Containment

Affected systems are isolated immediately. Incident response team activates the documented IR plan.

Notification

Affected organizations notified within 72 hours as required by PIPEDA. Regulatory authorities notified where required.

Documentation Available

For organizations requiring detailed security documentation for vendor assessment, compliance reviews, or board approval.

Security Architecture Whitepaper
PIPEDA Compliance Statement
Data Processing Agreement
Audit Log Export Guide
Subprocessor List
Incident Response Plan

Have specific security requirements?

Talk to us. We work with compliance officers and IT teams every day.
