Security & Compliance Hub.
One page for the people who ask the hardest questions. Procurement, security, and grant reviewers should leave knowing exactly how we work and where our limits are.
Your data stays where you put it.
We default to deploying inside your VPC, your on-prem cluster, or your sovereign cloud. That is not a feature, it is the design. If a project needs your data to cross a sovereignty boundary we say so up front, and if that is a hard no we recommend a firm that handles it better.
Canadian residency
Protected B-ready environments in Canadian data centres: AWS Canada Central, Microsoft Azure Canada Central, Google Cloud Montréal. We also stand up federal on-prem when the workload demands it.
US residency
HIPAA-aligned environments in US regions only. AWS us-east-1 and us-west-2, Azure East US, Google Cloud us-central1. We design with FedRAMP in mind when the buyer is preparing for it.
Bilingual controls
EN and FR in audit logs, not just in the UI. Cross-border replication is opt-in, never default, and the data classification taxonomy is agreed at kickoff so there is no ambiguity later.
The frameworks your security team will ask about, mapped to what we ship.
We do not chase every certification. We pick the ones our buyers actually need and we move on them in public. Here is where we are today.
SOC 2 Type II readiness
Control set authored against the AICPA Trust Service Criteria. Auditor identified, evidence collection underway. We can share a pre-audit attestation under NDA today.
ISO/IEC 27001 trajectory
Information Security Management System scope defined, Statement of Applicability drafted, certification audit booked for Q4 2026.
ISO/IEC 42001 (AI management)
AI lifecycle controls modelled on the world’s first AI management standard. A risk register lives with every model deployment we ship.
NIST AI Risk Management Framework
Govern, Map, Measure, Manage. Documented per engagement. Stanza-46 produces the artifacts so this becomes manageable at scale rather than an end-of-project scramble.
PIPEDA & provincial privacy
Privacy Impact Assessment template, Records of Processing, breach notification SLAs. All documented per engagement.
HIPAA & PHIPA
BAA-ready in the US. PHIPA-compliant in Ontario. Provincial health authority residency requirements mapped to the deployment topology.
Replayable by design, not by add-on.
Every agent we ship records a complete Replay Envelope: Context Object, Model State, Policy State, Environment State. Compliance can reconstruct any decision in minutes, with the exact prompt version, model card, and data context that produced it.
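An added illustration, not the firm's own code, of what "replayable by design" means mechanically: the four component names are taken from the description above, but the fields inside each, the SHA-256 digest, and the demo decision function are assumptions made for the example. The envelope is serialised canonically and sealed with a digest, so a later replay can first prove the recorded states are untouched and then re-run the decision against them.

```python
"""Added example (not the page's own code): a minimal Replay Envelope with a
tamper-evident digest, so a later replay can prove it used the exact inputs."""
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict
from typing import Callable


@dataclass(frozen=True)
class ReplayEnvelope:
    # The four components named on the page; the fields inside each are assumptions.
    context: dict      # Context Object: prompt version, data classification, inputs
    model: dict        # Model State: model card id, sampling parameters
    policy: dict       # Policy State: rule-set version, thresholds
    environment: dict  # Environment State: region, tool versions
    output: dict       # what the agent decided


def canonical_json(obj) -> bytes:
    # Sorted keys and fixed separators: identical content always serialises
    # identically, which is what makes the digest comparable later.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def seal(env: ReplayEnvelope) -> dict:
    """Serialise the envelope and attach a digest over all four states plus the output."""
    record = asdict(env)
    record["digest"] = hashlib.sha256(canonical_json(record)).hexdigest()
    return record


def verify(record: dict) -> bool:
    """True only if the stored digest matches the current content of the record."""
    body = {k: v for k, v in record.items() if k != "digest"}
    expected = hashlib.sha256(canonical_json(body)).hexdigest()
    return hmac.compare_digest(expected, record.get("digest", ""))


def replay(record: dict, decide: Callable[[dict, dict, dict, dict], dict]) -> bool:
    """Re-run the decision from the recorded states and check it reproduces the recorded output."""
    if not verify(record):
        return False
    regenerated = decide(record["context"], record["model"],
                         record["policy"], record["environment"])
    return canonical_json(regenerated) == canonical_json(record["output"])


def demo_decide(context: dict, model: dict, policy: dict, environment: dict) -> dict:
    # Constructed stand-in for an agent decision: deterministic given the four states.
    approve = context["amount"] <= policy["auto_approve_limit"]
    return {"decision": "approve" if approve else "review",
            "prompt_version": context["prompt_version"]}


def build_demo_record() -> dict:
    # All values below are constructed sample data for the example.
    context = {"prompt_version": "claims-triage-v7", "classification": "Protected B", "amount": 420}
    model = {"model_card": "internal-llm-2025-03", "temperature": 0}
    policy = {"ruleset": "triage-rules-12", "auto_approve_limit": 500}
    environment = {"region": "ca-central-1", "tool_versions": {"validator": "1.4.2"}}
    output = demo_decide(context, model, policy, environment)
    return seal(ReplayEnvelope(context, model, policy, environment, output))


def tamper(record: dict) -> dict:
    # Constructed: someone quietly rewrites the prompt version after the fact.
    altered = json.loads(json.dumps(record))
    altered["context"]["prompt_version"] = "claims-triage-v8"
    return altered


if __name__ == "__main__":
    rec = build_demo_record()
    print(verify(rec), replay(rec, demo_decide))                    # True True
    print(verify(tamper(rec)), replay(tamper(rec), demo_decide))    # False False
```

The digest only makes the envelope tamper-evident; for an auditor to trust it, the sealed records still need to be written to storage the agent cannot rewrite (append-only logs or a separate evidence store).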
Data does not train the model
Self-hosted models or zero-data-retention API tiers only. Customer data never flows into training pipelines. Vendor contracts enforce this in writing.
Prompt injection defence
Output validators, structured tool calls, schema-enforced responses, content filters. Defence in depth, modelled on the OWASP LLM Top 10.
Humans stay in the loop
Confidence-graded outputs with default-refuse on uncertainty. Escalation queues sized to the regulatory risk of the decision class.
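An added example, written for this page rather than taken from the firm's products, showing how two of the controls listed above fit together: schema-enforced tool calls as a prompt injection defence (anything outside the declared tool set or argument shape is refused before it reaches a tool) and confidence grading with default-refuse, where low confidence routes to an escalation queue keyed to the regulatory risk of the decision class. The tool names, thresholds and model outputs are constructed assumptions.

```python
"""Added example (not the page's own code): validate a model's structured tool call
against a fixed schema, then gate execution on confidence by decision-class risk."""
import json

# Assumed tool catalogue: tool name -> required argument names and their types.
# Anything not listed here cannot be called, whatever the model emits.
TOOL_SCHEMAS = {
    "lookup_claim_status": {"claim_id": str},
    "schedule_callback": {"phone": str, "window": str},
}

# Assumed minimum confidence per decision class; higher regulatory risk, higher bar.
THRESHOLDS = {"low": 0.6, "medium": 0.8, "high": 0.95}


def validate_tool_call(raw: str):
    """Return (call, "") if the raw model output is a well-formed call to a known tool,
    otherwise (None, reason). Every rejection is a refusal, never a best-effort fix."""
    try:
        call = json.loads(raw)
    except ValueError:
        return None, "output is not valid JSON"
    if not isinstance(call, dict) or set(call) != {"tool", "arguments", "confidence"}:
        return None, "unexpected top-level keys"
    schema = TOOL_SCHEMAS.get(call["tool"])
    if schema is None:
        return None, f"unknown tool {call['tool']!r}"
    args = call["arguments"]
    if not isinstance(args, dict) or set(args) != set(schema):
        return None, "argument set does not match the tool schema"
    for name, typ in schema.items():
        if not isinstance(args[name], typ):
            return None, f"argument {name!r} has the wrong type"
    conf = call["confidence"]
    if isinstance(conf, bool) or not isinstance(conf, (int, float)) or not 0 <= conf <= 1:
        return None, "confidence missing or out of range"
    return call, ""


def route(raw: str, risk: str) -> dict:
    """Decide what happens to a model output: execute, escalate to a human, or refuse."""
    call, reason = validate_tool_call(raw)
    if call is None:
        return {"action": "refuse", "reason": reason}
    if call["confidence"] < THRESHOLDS[risk]:
        return {"action": "escalate", "queue": f"{risk}-risk-review", "call": call}
    return {"action": "execute", "call": call}


# Constructed sample model outputs, including one shaped by an injected instruction.
SAMPLES = [
    ('{"tool":"lookup_claim_status","arguments":{"claim_id":"C-1001"},"confidence":0.97}', "high"),
    ('{"tool":"lookup_claim_status","arguments":{"claim_id":"C-1001"},"confidence":0.70}', "high"),
    ('{"tool":"export_all_records","arguments":{},"confidence":0.99}', "low"),
    ('{"tool":"schedule_callback","arguments":{"phone":"555-0100","window":"am","note":"x"},"confidence":0.9}', "low"),
    ("Sure! I will now call the admin tool.", "medium"),
]

if __name__ == "__main__":
    for raw, risk in SAMPLES:
        print(risk, route(raw, risk)["action"])
```

The validator deliberately rejects extra arguments rather than dropping them: a tool call that carries fields the schema never asked for is the usual fingerprint of injected text, and silently trimming it would hide the signal the escalation queue and audit log need.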
The paperwork that lets us pursue serious work.
Two million dollars aggregate
Errors and omissions, general liability, and cyber coverage through Tokio Marine HCC and CFC. The upgrade to five million is already in motion for federal and enterprise pursuits.
Legal counsel
DLA Piper LLP in both jurisdictions. NDA and MSA templates pre-redlined. Indemnity, IP, and data-use clauses reviewed quarterly.
Ready for procurement-grade scrutiny.
SOC 2 evidence packets, Privacy Impact Assessment templates, certification roadmaps, and architecture diagrams sit ready behind NDA. Book a secure consultation and we will share the relevant subset within 48 hours.