Security & Compliance

Built for trust.

Your organization handles sensitive employee data. We built Pryvera with security as the foundation, not an afterthought.

95%
Canadian Government Security Score
10/10
Security Test Categories Pass
256-bit
Bank-Grade Encryption
0
Known Vulnerabilities

Compliance Certifications

SOC 2 Aligned

Trust Service Criteria: Security, Availability, Confidentiality, Privacy

PHIPA Compliant

Personal Health Information Protection Act (Ontario)

PIPEDA Compliant

Personal Information Protection and Electronic Documents Act (Canada)

Technical Safeguards

Encryption

SIN and banking data encrypted with bank-grade encryption before database storage. TLS 1.2+ enforced for all data in transit. Database connections use SSL.

Tenant Isolation

Every organization gets a completely separate PostgreSQL database. No shared tables. Your data is physically isolated from all other tenants.

Canadian Data Residency

All data hosted exclusively in AWS ca-central-1 (Montreal). No data ever leaves Canadian borders. Backups stored in Canada.

Access Control

9 granular roles with deny-by-default authorization. Every API route secured. Permission checked on every request. Audit logged.

Multi-Factor Authentication

Azure AD SSO with MFA or built-in TOTP (Authy, Google Authenticator compatible). Account lockout after 5 failed attempts.

Audit & Monitoring

Every create, update, and delete operation logged with user, timestamp, and IP. Security events tracked separately. 7-year retention.

Incident Response

Documented incident response plan. Account disable and session revocation in seconds. 72-hour breach notification per PHIPA.

Network Security

HSTS, Content Security Policy, X-Frame-Options, rate limiting (100/min standard, 10/min strict), CSRF protection on all mutations.

Compliance Documentation

We provide complete security documentation to support your procurement process.

Security Policy Privacy Policy SOC 2 Controls Mapping PHIPA Compliance Statement Privacy Impact Assessment Threat Risk Assessment Data Processing Agreement Incident Response Plan Security Training Policy
Request Security Documentation →