CapGRC

Security & hosting

Your GRC hosted and secured in Canada

Your GRC data is among the most sensitive in your organization. At CapGRC, security is not a feature — it's our foundation.

Canada only

Hosting

AES-256

Encryption

99.9% SLA

Availability

Daily

Backups

Hosting exclusively in Canada

All your data — risks, compliance evidence, audit reports, personal information — is stored in data centers located in Canada. No transfer to foreign servers, ever.

Data centers in Ontario and Quebec
Law 25 data sovereignty compliance
Applicable to Treasury Board requirements
No dependency on American cloud providers
Data Processing Agreement (DPA) available

Data location

Production data

Ontario, Canada

Primary backups

Quebec, Canada

Secondary backups

Ontario, Canada

Logs and audit trails

Canada (primary region)

CDN (static assets)

Canadian points of presence

Security architecture

End-to-end encryption

AES-256 encryption of data at rest
TLS 1.3 for all communications in transit
Backup encryption
Key management with automatic rotation

Access control

Mandatory multi-factor authentication (MFA)
Granular RBAC per module, data and entity
SSO / SAML with Azure AD, Okta, Google Workspace
Complete logging of all user actions

Infrastructure protection

Web application firewall (WAF)
Automatic DDoS protection
Continuous vulnerability scanning
Annual penetration testing by third parties

Continuity & resilience

Daily backups with 30-day retention
RTO < 4 hours, RPO < 1 hour
Geographic redundancy in Canada
Documented business continuity plan (BCP)

Monitoring & detection

24/7 infrastructure monitoring
SIEM with real-time alerts
Behavioral anomaly detection
Incident reports within 24 hours

Compliance & certifications

Law 25 compliant hosting (data in Canada)
SOC 2 Type II certification in progress
Responsible disclosure policy (public ISSP)
Annual third-party security audits

Compliance & certifications

Law 25

Compliant

Exclusive hosting in Canada, DPIA completed, DPO designated, active incident register.

SOC 2 Type II

In progress

Audit initiated in 2025 — certification expected Q3 2026. Trust Services Criteria controls already in place.

ISO 27001

Planned

ISO 27001 certification program planned for 2026 in parallel with SOC 2.

PIPEDA / Bill C-27

Compliant

Processing of personal information compliant with the Personal Information Protection Act.

99.9%

99.9% guaranteed uptime

Redundant infrastructure in Canada, automatic daily backups with 30-day retention, and 24/7 on-call team for critical incidents.

Request security report

Questions about our security?

Our team can provide our complete security policy, audit reports and answer your vendor security questionnaires.

Contact the security team Contact us