CapGRC

Platform security

Security at the heart
of every decision

CapGRC is designed for organizations that manage sensitive information. Here is how we protect your data, access and compliance at every platform level.

100% Canadian hosting

Law 25 compliant

AES-256 + TLS 1.3 encryption

Integrated MFA & SSO

Annual independent pentest

24/7 incident response

This page describes the technical and organizational security controls implemented by CAPTOSEC Inc. to protect the CapGRC platform and its clients' data.

10 control domains

Our security program covers the entire platform lifecycle.

Secure design and development

OWASP · DevSecOps

Security is integrated from the design phase. Every feature is evaluated according to Security by Design principles.

OWASP Top 10 framework applied to every development cycle
Mandatory security code reviews before any production deployment
Automated static (SAST) and dynamic (DAST) analysis in the CI/CD pipeline
Rigorous third-party dependency management and CVE monitoring
Least privilege principle applied to software architecture
Strict environment separation: development, test, production

Authentication and access control

MFA · SSO · RBAC

Platform access is protected by multiple authentication layers. User identity is verified at every login.

Multi-factor authentication (MFA) available for all accounts — mandatory for administrators
SSO support via SAML 2.0 and OpenID Connect (OIDC)
Role and permission management (RBAC) — granular access by module, entity and action
Sessions with automatic expiration and immediate revocation possible
Complete login logging: time, IP address, device
Configurable password policy with complexity control

Identity and access management

IAM · Least privilege

Each user only accesses data strictly necessary for their role. Access to CAPTOSEC internal systems is governed by strict policies.

Access segmentation by organization — complete data isolation between clients
CAPTOSEC administrator access to production environments: limited, traced, subject to approval
Quarterly review of internal access rights
Automatic deactivation of inactive accounts after configurable period
Service account management with secret rotation
Complete audit trail: all sensitive actions are recorded with timestamps

Data protection

AES-256 · TLS 1.3 · Isolation

Data is encrypted at every stage of its lifecycle and strictly isolated between clients.

In-transit encryption: TLS 1.3 on all network communications (HTTPS mandatory)
At-rest encryption: AES-256 for all databases and storage volumes
Logical data isolation by organization (isolated multi-tenant)
Encryption key management separate from data — periodic key rotation
No client data in application logs or monitoring systems
Configurable retention and deletion policies compliant with Law 25

Data location and sovereignty

Canadian hosting · Law 25

All data processed by CapGRC is hosted and remains exclusively on Canadian soil.

Infrastructure hosted in certified data centers in Quebec, Canada
No data transfer to the United States, Europe or any other foreign country
Third-party service providers subject to subcontracting agreements compliant with Law 25
Data flow register maintained and continuously updated
Data Processing Agreement (DPA) provided with every client contract
Architecture compatible with Treasury Board Secretariat (TBS) directives

Infrastructure and resilience

Availability · Backups · Redundancy

CapGRC infrastructure is designed for high availability. Automatic mechanisms ensure service continuity.

Daily automated backups with minimum 30-day retention
Quarterly restoration tests to validate backup integrity
Redundancy of critical components: databases, network, power
Documented and annually tested Business Continuity Plan (BCP)
Recovery Time Objective (RTO) and Recovery Point Objective (RPO) defined contractually
Recovery environment activatable in case of major disaster

Penetration testing and vulnerability management

Pentest · Scan · CVE

Platform robustness is regularly verified through penetration tests and continuous monitoring of known vulnerabilities.

External penetration tests conducted annually by a qualified independent provider
Automated infrastructure vulnerability scanning on a weekly basis
Responsible disclosure program for security researchers
CVE monitoring affecting software components used (SCA)
Critical vulnerability remediation within 48 hours, major within 7 days
Test results shared on request with clients subject to regulatory requirements

Security incident management

PSIRT · Notification · Law 25

A formalized incident management process is in place to detect, contain and notify any security event.

Incident response process documented in 5 phases: detection, containment, eradication, recovery, review
PSIRT team available 24/7 for critical incidents
Privacy incident notification in compliance with Law 25
Security incident register maintained and available on request
Transparent communication: security bulletin published for incidents affecting clients
Systematic post-incident review with corrective action plan

Monitoring and logging

SIEM · Monitoring · Audit trail

The entire platform is continuously monitored. All sensitive events are logged and retained for audit purposes.

Centralized activity logs with minimum 12-month retention
Automatic alerts on abnormal behavior
Configuration file and critical binary integrity monitoring
Availability dashboard accessible to client administrators in real time
Exportable audit logs for your own SIEM tools
Log storage protected against modification (write-once)

Security compliance and governance

Law 25 · ISO 27001 · SOC

CAPTOSEC implements a formalized security governance program aligned with recognized standards.

Privacy Officer designated in compliance with Law 25
Privacy Impact Assessments (PIA) conducted for new processing activities
Information security policies documented, approved and reviewed annually
Mandatory security training for all personnel with access to production systems
Continuous improvement program based on audit results, tests and incidents
Annual security report available to clients on request (NDA required)

Shared responsibility model

CAPTOSEC secures the platform.
You manage your access.

Like any SaaS service, security relies on shared responsibility. CAPTOSEC is responsible for infrastructure, code and operations. Your organization is responsible for managing your users and configuring your access.

Request a demo Talk to our team

DomainCAPTOSECYour org.

Physical infrastructure

—

Data encryption

—

Security updates

—

Penetration testing

—

User management

—

Role configuration

—

MFA activation

Password policy

Do you have questions about our security?

Our teams can respond to your vendor security questionnaires, provide a pentest report (under NDA) or organize a dedicated security review.

Send a security questionnaire Consult the FAQ

Ready to modernize your GRC program?

Request a free demo and discover how CapGRC can transform your approach to governance, risk and compliance.

Request a free demo Contact us

Security at the heartof every decision