Security & Compliance

Enterprise-grade security. Built for Canadian regulatory obligations.

Every layer of SecureVault's infrastructure is designed to meet the security and compliance requirements of Canada's most regulated industries — from law societies to OSFI-regulated financial institutions.

Security Architecture

Four pillars of security.

Encryption

  • AES-256-GCM encryption for all data at rest
  • TLS 1.3 for all data in transit
  • Zero-knowledge architecture — keys never leave your control
  • Per-file encryption keys, not shared keys
  • Encrypted backups replicated to a separate Canadian region
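The Encryption pillar above names three properties: AES-256-GCM, a distinct key per file, and keys that stay with the customer. The Go program below is an illustration added here, not SecureVault's own code, of how those properties fit together in an envelope-encryption scheme: each file gets its own random data-encryption key (DEK), the file ID is bound into GCM's authenticated data so a ciphertext cannot be moved to another file record, and the DEK is wrapped under a key-encryption key (KEK) that the customer holds. The KEK, file IDs and plaintext are constructed for the example; how SecureVault actually generates, stores or wraps keys is not described on this page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptedFile is the stored record: the per-file key wrapped under the
// customer's KEK, the two GCM nonces, and the ciphertext. Without the KEK,
// which never reaches the service in this design, none of it is readable.
type EncryptedFile struct {
	FileID     string
	WrappedDEK []byte // 32-byte DEK, AES-256-GCM sealed with the KEK
	DEKNonce   []byte
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		return nil, err
	}
	return b, nil
}

// EncryptFile draws a fresh 256-bit DEK for this one file, seals the plaintext
// with it using the file ID as authenticated data, then wraps the DEK under the
// KEK. Random 96-bit nonces are safe here because each DEK seals one message.
func EncryptFile(kek []byte, fileID string, plaintext []byte) (*EncryptedFile, error) {
	dek, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	fileAEAD, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(fileAEAD.NonceSize())
	if err != nil {
		return nil, err
	}
	kekAEAD, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	dekNonce, err := randomBytes(kekAEAD.NonceSize())
	if err != nil {
		return nil, err
	}
	aad := []byte(fileID)
	return &EncryptedFile{
		FileID:     fileID,
		WrappedDEK: kekAEAD.Seal(nil, dekNonce, dek, aad),
		DEKNonce:   dekNonce,
		Nonce:      nonce,
		Ciphertext: fileAEAD.Seal(nil, nonce, plaintext, aad),
	}, nil
}

// DecryptFile unwraps the DEK and opens the ciphertext. Any change to the
// ciphertext, the wrapped key or the file ID fails the GCM tag check.
func DecryptFile(kek []byte, ef *EncryptedFile) ([]byte, error) {
	kekAEAD, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	aad := []byte(ef.FileID)
	dek, err := kekAEAD.Open(nil, ef.DEKNonce, ef.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	fileAEAD, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	pt, err := fileAEAD.Open(nil, ef.Nonce, ef.Ciphertext, aad)
	if err != nil {
		return nil, fmt.Errorf("open file: %w", err)
	}
	return pt, nil
}

func main() {
	kek, _ := randomBytes(32) // constructed stand-in for the customer-held master key
	msg := []byte("constructed sample: client trust ledger Q3")
	ef, err := EncryptFile(kek, "file-0001", msg)
	if err != nil {
		panic(err)
	}
	pt, err := DecryptFile(kek, ef)
	fmt.Println("round trip ok:", err == nil && string(pt) == string(msg))
	ef.FileID = "file-0002" // record moved to another file: AAD no longer matches
	_, err = DecryptFile(kek, ef)
	fmt.Println("after file-ID swap:", err)
}
```

Two design points worth checking in any vendor's implementation of this scheme: compromise of one DEK exposes one file only, and rotating the KEK means re-wrapping the small DEK records rather than re-encrypting every file.
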

Infrastructure

  • Hosted exclusively on AWS ca-central-1 (Canada Central, Montréal)
  • Disaster recovery on AWS ca-west-1 (Canada West, Calgary)
  • No data routed through or stored in the United States
  • VPC isolation — no shared tenancy at the network layer
  • Web Application Firewall (WAF) on all endpoints

Access Control

  • SAML 2.0 Single Sign-On (SSO)
  • Active Directory & Azure AD (now Microsoft Entra ID) integration
  • Enforceable MFA (TOTP or hardware security keys)
  • Role-based access control (RBAC) with granular permissions
  • Session timeout and forced re-authentication policies
  • IP allowlisting for enterprise accounts

Audit & Monitoring

  • Immutable audit log of every file action
  • Real-time DLP scanning for sensitive identifiers
  • Automated anomaly detection and alerting
  • Incident response playbooks and breach notification workflow
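"Immutable audit log" names a property rather than a mechanism. One standard way to make a log tamper-evident is to hash-chain its entries; the Go program below is an illustration added here, not SecureVault's implementation, which the page does not describe. It also shows the check a reviewer should ask about: the chain alone detects edits, insertions and deletions in the middle of the log, but not removal of the newest entries, which is only caught if the head hash is kept somewhere the log writer cannot reach. Actor names, timestamps and file IDs are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

const genesisHash = "0000000000000000000000000000000000000000000000000000000000000000"

// Entry is one recorded file action. PrevHash links it to the entry before it;
// Hash is SHA-256 over this entry's fields including PrevHash, so editing any
// earlier entry invalidates every hash after it.
type Entry struct {
	Seq      uint64
	Time     int64 // Unix seconds
	Actor    string
	Action   string // e.g. "upload", "download", "share", "delete"
	FileID   string
	PrevHash string
	Hash     string
}

// canonical serialises the hashed fields with length prefixes so different
// field boundaries can never produce the same byte string.
func canonical(e Entry) string {
	fields := []string{strconv.FormatUint(e.Seq, 10), strconv.FormatInt(e.Time, 10),
		e.Actor, e.Action, e.FileID, e.PrevHash}
	var b strings.Builder
	for _, f := range fields {
		b.WriteString(strconv.Itoa(len(f)))
		b.WriteByte(':')
		b.WriteString(f)
	}
	return b.String()
}

func hashEntry(e Entry) string {
	sum := sha256.Sum256([]byte(canonical(e)))
	return hex.EncodeToString(sum[:])
}

// Log is an append-only chain of entries.
type Log struct{ Entries []Entry }

// Append records an action chained to the current head and returns it.
func (l *Log) Append(ts int64, actor, action, fileID string) Entry {
	prev := genesisHash
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash
	}
	e := Entry{Seq: uint64(len(l.Entries)), Time: ts, Actor: actor,
		Action: action, FileID: fileID, PrevHash: prev}
	e.Hash = hashEntry(e)
	l.Entries = append(l.Entries, e)
	return e
}

// Head is the newest hash; copy it to a store the log writer cannot modify.
func (l *Log) Head() string {
	if len(l.Entries) == 0 {
		return genesisHash
	}
	return l.Entries[len(l.Entries)-1].Hash
}

// Verify recomputes every hash and checks sequence numbers and links.
func (l *Log) Verify() error {
	prev := genesisHash
	for i, e := range l.Entries {
		if e.Seq != uint64(i) {
			return fmt.Errorf("entry %d: sequence number %d out of order", i, e.Seq)
		}
		if e.PrevHash != prev {
			return fmt.Errorf("entry %d: chain link broken", i)
		}
		if hashEntry(e) != e.Hash {
			return fmt.Errorf("entry %d: contents altered", i)
		}
		prev = e.Hash
	}
	return nil
}

// VerifyWithHead additionally compares against an externally stored head hash,
// which is what catches silent truncation: a log with its newest entries
// removed is still a valid chain on its own.
func (l *Log) VerifyWithHead(expectedHead string) error {
	if err := l.Verify(); err != nil {
		return err
	}
	if l.Head() != expectedHead {
		return errors.New("head mismatch: entries removed or replaced since the head was recorded")
	}
	return nil
}

func main() {
	var l Log // constructed sample actions
	l.Append(1700000000, "alice@example.com", "upload", "file-0001")
	l.Append(1700000060, "bob@example.com", "download", "file-0001")
	head := l.Append(1700000120, "alice@example.com", "delete", "file-0001").Hash
	fmt.Println("intact:", l.VerifyWithHead(head))
	l.Entries = l.Entries[:2] // drop the delete record
	fmt.Println("chain only:", l.Verify(), "| with head:", l.VerifyWithHead(head))
}
```

When reviewing a vendor's audit log, ask where the head hash (or a signed equivalent) is anchored and who can write to that location; a chain whose head lives on the same system as the log proves nothing against an administrator of that system.
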

Compliance Coverage

Every major Canadian regulatory framework.

PIPEDA

Personal Information Protection and Electronic Documents Act

SecureVault's privacy-by-design architecture is built around PIPEDA's 10 fair information principles. Access logs are generated automatically, and privacy impact assessment documentation is available on request.

PHIPA

Personal Health Information Protection Act (Ontario)

Agent agreements available for health information custodians. Breach notification workflow built in. All PHI stored exclusively on Canadian servers.

FINTRAC

Financial Transactions and Reports Analysis Centre

7-year retention with automated scheduling, beyond FINTRAC's five-year record-keeping minimum. Immutable audit trail for anti-money laundering and anti-terrorist financing (AML/ATF) record-keeping obligations. Indexed and searchable for regulatory examination.

OSFI B-10

Office of the Superintendent of Financial Institutions

Canadian data residency documentation and a signed data processing agreement (DPA) provided for federally regulated entities managing third-party technology risk under OSFI's Guideline B-10 (Third-Party Risk Management).

CPA Canada

Chartered Professional Accountants of Canada

Client portal designed to meet the client confidentiality requirements of the CPA Rules of Professional Conduct. 7-year retention schedules included, exceeding the Income Tax Act's six-year record-keeping minimum.

Law Societies

Provincial Law Society Requirements

Privileged solicitor-client material remains under Canadian jurisdiction exclusively. Trust account document management and Law Society compliance reports available.

Why Canadian jurisdiction matters — the CLOUD Act

The US Clarifying Lawful Overseas Use of Data (CLOUD) Act allows US authorities, with valid US legal process, to compel providers subject to US jurisdiction to produce data in their possession, custody or control regardless of where that data is stored. This reaches Dropbox, Google, Microsoft and every other US provider, including their Canadian data centres.

SecureVault is a Canadian company, and all customer data is held in AWS regions located in Canada. SecureVault itself is not subject to the CLOUD Act. Note that the underlying cloud provider, AWS, is a US company; the zero-knowledge design described above is what limits its exposure, since a provider that never holds your keys holds only ciphertext. Canadian legal process is required to compel any disclosure by SecureVault, and you will be notified to the extent permitted by law.

Factor                        | US Cloud Providers     | SecureVault
------------------------------|------------------------|----------------------------------
CLOUD Act exposure            | Yes — US law applies   | No — Canadian jurisdiction only
Data stored in Canada         | Optional               | Always — by design
Governing law                 | US federal law         | Canadian law only
Notification on legal access  | Not guaranteed         | Maximum permitted by Canadian law
PIPEDA / PHIPA compliance     | Partial                | Full — built-in

Need a compliance package for your security review?

Enterprise clients receive a full security documentation package including DPA, data residency certificate, and penetration test summaries.

Talk to Enterprise Sales
Request Documentation