Policy

security

Our security policy aims to protect the sensitive data of the company and our customers, prevent unauthorized access, ensure the traceability of actions and guarantee regulatory compliance, particularly with Canadian requirements. It is a living and evolving document. 


Whenever possible, we prefer to host information in a data centre located in Canada. Data identified as sensitive by our customers is always stored and processed exclusively in Canada.

Access Management and Authentication
$0.00

Fundamental principles

  • Principle of least privilege : Each user only accesses the resources necessary for his or her tasks

  • Multi-factor authentication (2FA) mandatory on all services where available (in progress)

  • Exclusive use of personal accounts (prohibition of shared accounts, except approved exceptions)

  • Strict separation of environments (development, staging, production)

Development and Source Code
$0.00

General principles

  • Static code analysis to detect security risks and dependency vulnerabilities

  • Automatic deposit scanning for secret leaks

Artificial Intelligence

  • Use private LLMs whenever possible (GPT, Claude Dedicated Instances in Azure, or AWS)

  • Avoiding exposure of sensitive datato public AI services

Communications Security and Infrastructure
$0.00

Data encryption

  • Mandatory HTTPS communications for all web services with valid SSL certificates

  • Cloudflare as a reputable security solution for protecting and optimizing web services

  • Mandatory encryption of data at rest and in transit

Secrets Management

  • Strict prohibition of storing secrets in source code or on workstations

  • Use of reputable secrets management tools (GitHub Secrets, 1Password, dedicated cloud services)

Equipment and Work Environment
$0.00
  • Secure VPN

  • Restricting external storage devices

Access lifecycle

Onboarding

Documented procedure for assigning access

Mandatory Security Policy Training with Signature

Maintenance

Regular audit of all accesses

Checking the appropriateness of access based on current roles

Offboarding

Immediate revocation of access on departures

Deactivation checklist followed by the IT team