Information Security Policy
Security governance, acceptable use, device standards, access control, incident response, and responsibilities.
Request accessAnitarian is built for legal, healthcare, financial, government, and defence teams handling sensitive Canadian data. This page summarizes our current security posture, compliance program, subprocessors, and requestable documentation.
Security and privacy controls are mapped against the frameworks Canadian buyers ask for most often.
| Framework | Status | Scope |
|---|---|---|
| PIPEDA | Aligned | Consent, purpose limitation, retention, access, breach handling, and accountability controls. |
| Quebec Law 25 | Aligned | Privacy impact assessments, automated decision transparency, data minimization, and breach records. |
| CPCSC / defence procurement | Ready | Canadian hosting, audit trails, controlled access, vulnerability management, and procurement documentation. |
| SOC 2 Type II | In progress | Controls implemented and evidence collection maintained; formal audit targeted after production observation period. |
| ISO 27001 | Mapped | Policies and control owners mapped for future certification and enterprise due diligence. |
| PCI DSS | Not applicable to Anitarian systems | Payment card data is not stored, processed, or transmitted by Anitarian application infrastructure. |
Public documents are linked directly. Restricted documents are available to customers and qualified prospects under NDA.
Security governance, acceptable use, device standards, access control, incident response, and responsibilities.
Request accessLeast-privilege access, MFA, quarterly access reviews, role assignment, and offboarding procedures.
Request accessSeverity levels, escalation paths, customer notification, regulator notification, and post-incident review.
Request accessBackup, recovery, service continuity, disaster recovery testing, and critical supplier review.
Request accessCustomer data handling terms, subprocessors, retention, deletion, confidentiality, and support obligations.
Request accessHow Anitarian collects, uses, retains, and protects personal information.
View policyOperational controls are designed for teams that need auditability, data residency, and disciplined change management.
MFA, role-based permissions, least privilege, documented access approvals, and scheduled access reviews.
TLS 1.3 in transit and AES-256 at rest for customer content, databases, backups, and sensitive operational records.
Administrative activity, authentication events, system changes, and data access events are logged for review and evidence.
Dependency scanning, patch triage, production hardening, remediation SLAs, and third-party testing for critical surfaces.
Customer prompts, documents, outputs, embeddings, and metadata are processed and stored on Canadian infrastructure.
No customer-data training, source-aware outputs where applicable, human review workflows, and documented model-use boundaries.
Subprocessors are limited to services required to operate, secure, and support the platform. Customer AI content stays within the Canadian data path unless a customer separately approves an exception.
| Provider | Purpose | Data location | Commitments |
|---|---|---|---|
| Anitarian infrastructure | Core application hosting, inference, storage, and logs. | Canada | Canadian-owned, Canadian-operated, no customer-data training. |
| GitHub | Source control, issue tracking, deployment evidence, and engineering workflow. | United States / global | SOC 2, access controlled, no customer prompts or documents stored by default. |
| Google Workspace | Business email, calendar, document collaboration, and customer support communication. | Canada / United States / global | Enterprise security controls, MFA, contractual privacy commitments. |
| Stripe | Payment processing for subscriptions and invoices. | United States / global | PCI DSS; card data does not enter Anitarian systems. |
We can provide the trust documentation, compliance mapping, and technical answers your review team needs.