Policy
security
Our security policy aims to protect the sensitive data of the company and our customers, prevent unauthorized access, ensure the traceability of actions and guarantee regulatory compliance, particularly with Canadian requirements. It is a living and evolving document.
Whenever possible, we prefer to host information in a data centre located in Canada. Data identified as sensitive by our customers is always stored and processed exclusively in Canada.
Fundamental principles
Principle of least privilege : Each user only accesses the resources necessary for his or her tasks
Multi-factor authentication (2FA) mandatory on all services where available (in progress)
Exclusive use of personal accounts (prohibition of shared accounts, except approved exceptions)
Strict separation of environments (development, staging, production)
General principles
Static code analysis to detect security risks and dependency vulnerabilities
Automatic deposit scanning for secret leaks
Artificial Intelligence
Use private LLMs whenever possible (GPT, Claude Dedicated Instances in Azure, or AWS)
Avoiding exposure of sensitive datato public AI services
Data encryption
Mandatory HTTPS communications for all web services with valid SSL certificates
Cloudflare as a reputable security solution for protecting and optimizing web services
Mandatory encryption of data at rest and in transit
Secrets Management
Strict prohibition of storing secrets in source code or on workstations
Use of reputable secrets management tools (GitHub Secrets, 1Password, dedicated cloud services)
Access lifecycle
Onboarding
Documented procedure for assigning access
Mandatory Security Policy Training with Signature
Maintenance
Regular audit of all accesses
Checking the appropriateness of access based on current roles
Offboarding
Immediate revocation of access on departures
Deactivation checklist followed by the IT team

