
Security & compliance
Most firms say “confidential.” We publish how.
A claim file holds medical details, statements, and surveillance of identifiable people. Treating it casually is a legal exposure for you and for us. Here is the control set — the same one our own portal enforces.
TLS 1.2+
Encrypted in transit
Every submission, upload, and delivery moves over TLS. Claim material never travels by open email — intake happens on this site, exchange happens in the portal.
AES-256
Encrypted at rest
Case files, media, and reports are stored encrypted. Storage keys are managed separately from application credentials.
RBAC
Least-privilege access
Access is role-based and scoped to assignment. An investigator sees the files they work; nobody carries blanket access by default.
SHA-256
Evidence integrity
Original media is hashed at ingest. Any copy can be verified against the original's fingerprint — the basis of a defensible chain of custody.
AUDIT
Every touch logged
File views, uploads, downloads, and status changes land in an append-only audit log reviewed by the principal. We can tell you who touched your file, and when.
CANADA
Canadian data residency
Case data is hosted in Canada. Cross-border processing, where required, is disclosed and bound by data-protection agreements.
RETAIN
Retention with an end date
Files are retained to a written schedule that meets Ontario regulatory minimums and client contract terms, then destroyed securely — with a destruction log to prove it.
BREACH
A plan for the bad day
A written breach-response plan: containment, risk assessment, notification to affected parties and the federal privacy regulator as soon as feasible, and a 24-month breach register.
Honesty clause
We claim no certification we haven't earned. No SOC 2 badge, no purchased award seals — just controls we actually run, documented in SOPs your vendor management team can read.