Security & Compliance
Your organization handles sensitive employee data. We built Pryvera with security as the foundation, not an afterthought.
Personal Health Information Protection Act (Ontario). 72-hour breach notification, access controls, and audit retention aligned to PHIPA requirements.
Personal Information Protection and Electronic Documents Act (Canada). Data handling, consent, and access rights aligned to PIPEDA fair information principles.
Pryvera is built for Canadian public-sector reporting and regulatory requirements. Canadian municipalities operate under a distinct compliance stack; Pryvera addresses it natively rather than through customization.
Public Sector Accounting Board reporting. Financial statements produced in PS 1201 / PS 3150 format. Tangible capital asset accounting to Canadian public-sector standards.
Account balances mapped to current-year Financial Information Return schedule codes. One-click export for the annual provincial return.
Internal controls and segregation of duties configured to support s.296–297 statutory audit requirements. Configurable approval workflows.
Municipal Freedom of Information and Protection of Privacy Act. Audit log retains access and change history per MFIPPA retention requirements. FOI request extract and redaction workflow supported.
Public Sector Salary Disclosure Act. Reporting module supports annual salary disclosure filings.
SIN and banking data encrypted with bank-grade encryption before database storage. TLS 1.2+ enforced for all data in transit. Database connections use SSL.
Every organization gets a completely separate PostgreSQL database. No shared tables. Your data is physically isolated from all other tenants.
All data hosted exclusively in AWS ca-central-1 (Montreal). No data ever leaves Canadian borders. Backups stored in Canada.
9 granular roles with deny-by-default authorization. Every API route secured. Permission checked on every request. Audit logged.
Azure AD SSO with MFA or built-in TOTP (Authy, Google Authenticator compatible). Account lockout after 5 failed attempts.
Every create, update, and delete operation logged with user, timestamp, and IP. Security events tracked separately. 7-year retention.
Documented incident response plan. Account disable and session revocation in seconds. 72-hour breach notification per PHIPA.
HSTS, Content Security Policy, X-Frame-Options, rate limiting (100/min standard, 10/min strict), CSRF protection on all mutations.
We provide complete security documentation to support your procurement process.