Trust & Safety

Security at CanCertify

Your compliance data is sensitive. Here is how we protect it.

1. Our Security Commitment

At CanCertify, we help Canadian businesses achieve and maintain compliance certifications, and we hold ourselves to the same high standards we help our customers meet. Protecting your data is not just a feature; it is fundamental to our mission.

We invest continuously in security infrastructure, processes, and training to ensure your business data, compliance documents, and personal information remain safe and confidential.

2. Data Encryption

2.1 Encryption in Transit

All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS across all our services and use HSTS (HTTP Strict Transport Security) headers to prevent downgrade attacks. Our TLS configuration follows industry best practices, disabling weak cipher suites and supporting only modern cryptographic protocols.

2.2 Encryption at Rest

All data stored on our servers is encrypted at rest using AES-256 encryption. This includes your company data, compliance documents, gap analysis results, and all other information stored in our databases and file storage systems. Encryption keys are managed using a dedicated key management service with automatic key rotation.

3. Infrastructure Security

3.1 Canadian Data Centers

All CanCertify data is stored and processed in Canadian data centers. We use enterprise-grade cloud infrastructure located in Canada, ensuring your data remains within Canadian jurisdiction and is subject to Canadian privacy laws, including PIPEDA and applicable provincial legislation.

Our data centers maintain the following certifications and standards:

  • SOC 2 Type II certified facilities
  • ISO 27001 compliant operations
  • Physical access controls with biometric authentication
  • 24/7 monitoring with on-site security personnel
  • Redundant power supplies and cooling systems
  • Fire suppression and environmental controls

3.2 Network Security

Our infrastructure is protected by multiple layers of network security:

  • Web application firewalls (WAF) that filter common web attacks such as SQL injection and cross-site scripting (XSS) before requests reach the application
  • Network segmentation to isolate sensitive systems and limit the blast radius of potential breaches
  • Intrusion detection and prevention systems (IDS/IPS) that monitor network traffic for suspicious activity
  • DDoS protection and mitigation to ensure service availability

3.3 System Hardening

All servers are hardened according to CIS (Center for Internet Security) benchmarks. We maintain a minimal software footprint, disable unnecessary services, and apply security patches promptly. Operating system and application updates are applied within 24 hours for critical vulnerabilities and within 7 days for other security-relevant updates.

4. Application Security

4.1 Secure Development Practices

Security is integrated into every stage of our software development lifecycle:

  • Code reviews with a focus on security for all changes before deployment
  • Automated static application security testing (SAST) integrated into our CI/CD pipeline
  • Dependency vulnerability scanning to identify and remediate vulnerabilities in third-party libraries
  • OWASP Top 10 awareness and prevention built into our development standards

4.2 Authentication and Access Control

We implement robust authentication and access control mechanisms:

  • Passwords are hashed using bcrypt with appropriate cost factors and are never stored in plaintext
  • JWT-based authentication with short-lived access tokens and secure refresh token rotation
  • Role-based access control (RBAC) ensuring users can only access data and features appropriate to their role
  • Rate limiting on authentication endpoints to prevent brute-force attacks
  • Session management with automatic expiration and secure cookie handling
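The access-token and refresh-token rotation scheme described above, as an added illustration that is not CanCertify's own code: access tokens are compact HS256 JWTs that expire after a short interval, and refresh tokens are stored hashed on the server, are single-use, and belong to a "family" so that replaying an already-rotated token revokes every token in that family. The signing key, the 15-minute and 14-day lifetimes, and the in-memory store are constructed assumptions for the example; the standard library alone is used, so it runs offline.

```python
"""Short-lived HS256 access tokens plus single-use refresh tokens with reuse detection."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed example key and lifetimes; a real deployment loads the key from a
# secret store and picks lifetimes to fit its own risk model.
SIGNING_KEY = b"example-only-signing-key-not-for-production"
ACCESS_TTL = 15 * 60             # access tokens expire after 15 minutes
REFRESH_TTL = 14 * 24 * 60 * 60  # refresh tokens expire after 14 days


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_json(obj):
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def issue_access_token(sub, role, now=None):
    """Mint a compact HS256 JWT carrying the subject, role, issue time and expiry."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": sub, "role": role, "iat": now, "exp": now + ACCESS_TTL}
    signing_input = b64url(encode_json(header)) + "." + b64url(encode_json(claims))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_access_token(token, now=None):
    """Return the claims if the token is well formed, HS256-signed by us and unexpired, else None."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(claims_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # bad base64 or bad JSON
        return None
    # Pin the algorithm: a token claiming "none" or any other alg is rejected outright.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(SIGNING_KEY, (header_b64 + "." + claims_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def tamper_claims(token, **changes):
    """What an attacker tries: rewrite the claims but keep the original signature."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    claims = dict(json.loads(b64url_decode(claims_b64)), **changes)
    return header_b64 + "." + b64url(encode_json(claims)) + "." + sig_b64


class RefreshStore:
    """Server-side refresh-token state. Tokens are stored hashed, are single-use and belong
    to a family; presenting an already-used token reveals a replay and revokes the family."""

    def __init__(self):
        self._records = {}            # sha256(token) -> record
        self._revoked_families = set()

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, sub, role, family=None, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._records[self._key(token)] = {
            "sub": sub, "role": role, "family": family or secrets.token_hex(8),
            "used": False, "exp": now + REFRESH_TTL,
        }
        return token

    def rotate(self, token, now=None):
        """Exchange a refresh token for a fresh (access_token, refresh_token) pair, or None."""
        now = time.time() if now is None else now
        rec = self._records.get(self._key(token))
        if rec is None or rec["exp"] <= now or rec["family"] in self._revoked_families:
            return None
        if rec["used"]:
            # Already rotated once: the client or a thief is replaying it. Revoke the
            # whole family so the copy the attacker holds stops working as well.
            self._revoked_families.add(rec["family"])
            return None
        rec["used"] = True
        new_refresh = self.issue(rec["sub"], rec["role"], rec["family"], now)
        return issue_access_token(rec["sub"], rec["role"], now), new_refresh
```

The two checks that matter in practice are visible in `verify_access_token`: the algorithm is pinned rather than read from the token, and the signature comparison is constant-time. `tamper_claims` exists only to show that a re-encoded payload no longer verifies; the `RefreshStore` reuse rule is what turns a stolen refresh token into a detectable event instead of a silent long-lived session.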

4.3 Input Validation

All user input is validated on the server, which is the authoritative check; client-side validation improves usability but is never relied on as a security control. We use parameterized queries so that user-supplied values are never interpreted as SQL, and we set a Content Security Policy (CSP) to mitigate cross-site scripting risks.
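To make the parameterized-query point concrete, here is an added example (not CanCertify's code) of the same document search written two ways against a constructed in-memory SQLite table: one that splices user input into the SQL text, and one that passes it as a bound parameter. The table, rows and the tenant column `org` are assumptions for the illustration. The example also covers a caveat the paragraph does not mention: parameters stop injection, but `%` and `_` in user input still act as LIKE wildcards unless they are escaped.

```python
"""The same lookup built two ways: string concatenation (injectable) and a parameterized query."""
import sqlite3


def seed_database():
    """Constructed in-memory sample data standing in for a compliance document store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, org TEXT NOT NULL, title TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO documents (org, title) VALUES (?, ?)",
        [("acme", "SOC 2 gap analysis"), ("acme", "Vendor inventory"), ("globex", "PIPEDA assessment")],
    )
    return conn


def search_titles_unsafe(conn, org, fragment):
    """Deliberately vulnerable: the fragment is spliced into the SQL text, so a crafted
    value such as  x%' OR '%'='  rewrites the WHERE clause and leaks another tenant's rows."""
    sql = f"SELECT org, title FROM documents WHERE org = '{org}' AND title LIKE '%{fragment}%'"
    return conn.execute(sql).fetchall()


def escape_like(fragment, escape="\\"):
    """Neutralise LIKE wildcards. Binding parameters stops injection but does not stop
    '%' or '_' in user input from matching as wildcards, so escape them before use."""
    return (fragment.replace(escape, escape + escape)
                    .replace("%", escape + "%")
                    .replace("_", escape + "_"))


def search_titles(conn, org, fragment):
    """Hardened: placeholders carry the values, so the driver never parses them as SQL."""
    sql = "SELECT org, title FROM documents WHERE org = ? AND title LIKE ? ESCAPE '\\'"
    pattern = "%" + escape_like(fragment) + "%"
    return conn.execute(sql, (org, pattern)).fetchall()


if __name__ == "__main__":
    db = seed_database()
    payload = "x%' OR '%'='"
    print("unsafe:", search_titles_unsafe(db, "acme", payload))  # all three rows, globex included
    print("safe:  ", search_titles(db, "acme", payload))         # []
    print("safe:  ", search_titles(db, "acme", "gap"))           # [('acme', 'SOC 2 gap analysis')]
```

Run it and compare the two results for the same payload: the concatenated version returns every row in the table because `'%'='%'` is always true, while the parameterized version treats the whole payload as a literal substring and returns nothing. Passing a bare `%` shows the second point: without `escape_like` it would match every one of the tenant's documents.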

5. Compliance and Certifications

5.1 Current Compliance

CanCertify maintains compliance with the following standards and regulations:

  • PIPEDA: Full compliance with Canada's federal privacy legislation
  • Quebec Law 25: Compliance with Quebec's enhanced privacy requirements
  • CyberSecure Canada: Adherence to the Canadian Centre for Cyber Security's baseline security controls

5.2 SOC 2 Type II

We are actively working toward SOC 2 Type II certification for our platform. Our security controls are designed to meet the Trust Service Criteria for security, availability, processing integrity, confidentiality, and privacy. We expect to complete our initial SOC 2 Type II audit by Q4 2026.

5.3 Regular Audits

We conduct regular security assessments to maintain and improve our security posture:

  • Annual third-party penetration testing by a qualified Canadian security firm
  • Quarterly internal vulnerability assessments and security reviews
  • Continuous automated security scanning of our infrastructure and applications

6. Incident Response

6.1 Incident Response Plan

We maintain a comprehensive incident response plan that enables us to detect, respond to, and recover from security incidents promptly. Our incident response team is available 24/7 and follows a structured process:

  1. Detection: Continuous monitoring and alerting systems identify potential security events in real time
  2. Triage: Incidents are assessed for severity and impact, and the appropriate response team is activated
  3. Containment: Immediate actions are taken to contain the incident and prevent further damage
  4. Investigation: A thorough investigation is conducted to determine the root cause and scope of the incident
  5. Remediation: Vulnerabilities are addressed and systems are restored to a secure state
  6. Notification: Affected parties are notified in accordance with PIPEDA breach notification requirements and applicable provincial legislation
  7. Post-Incident Review: Lessons learned are documented and used to improve our security controls

6.2 Breach Notification

In the event of a data breach involving your personal information, we will notify you and the Office of the Privacy Commissioner of Canada as required by PIPEDA's mandatory breach notification provisions. We commit to notifying affected users within 72 hours of confirming a breach that poses a real risk of significant harm.

7. Employee Security Practices

  • All employees undergo comprehensive security awareness training upon hiring and receive ongoing training at least quarterly
  • Background checks are conducted for all employees with access to customer data or production systems
  • Access to customer data follows the principle of least privilege, with access granted only when necessary for job responsibilities
  • All employee devices used for work are encrypted and managed with endpoint security software
  • Access is promptly revoked when employees leave the organization or change roles
  • Confidentiality agreements are in place for all employees and contractors

8. Business Continuity

We maintain business continuity and disaster recovery plans to ensure the availability of the Service:

  • Automated daily backups with geographic redundancy across multiple Canadian regions
  • Backup integrity testing performed regularly to ensure recoverability
  • Recovery time objective (RTO) of 4 hours and recovery point objective (RPO) of 1 hour for critical systems
  • Annual disaster recovery testing to validate our recovery procedures

9. Third-Party Security

We carefully evaluate the security practices of all third-party service providers before engaging them. Our vendor management process includes:

  • Security assessment and due diligence before onboarding any new vendor
  • Data processing agreements that require vendors to maintain security standards equivalent to our own
  • Regular review of vendor security posture and compliance status
  • Preference for vendors with Canadian data residency options and SOC 2 certification

10. Responsible Disclosure

We value the security research community and encourage the responsible disclosure of any security vulnerabilities found in our Service. If you discover a potential security issue, please report it to us at:

When reporting a vulnerability, please include:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce the issue
  • Any relevant screenshots, logs, or proof-of-concept code

We commit to acknowledging your report within 2 business days and providing a timeline for resolution. We ask that you do not publicly disclose the vulnerability until we have had an opportunity to address it. We will not pursue legal action against researchers who report vulnerabilities in good faith and in compliance with this responsible disclosure policy.

11. Contact Us

If you have any questions about our security practices or would like to request additional information about how we protect your data, please contact us: