Security and trust, documented end-to-end.
Everything enterprise procurement, security, and legal teams need — security posture, regulatory compliance, insurance, and subprocessors.
Six controls that protect every engagement.
Data security
AES-256 encryption at rest and TLS 1.3 in transit. Encrypted password managers. Zero-shared-credential policy. Hardware security keys for all team members with client data access.
Data residency
Canadian residency available by default — AWS Canada Central (ca-central-1) and Google Cloud northamerica-northeast1. On-prem and private cloud supported for regulated engagements.
Compliance posture
PIPEDA-compliant by default. PHIPA-aware for healthcare. AI governance aligned to Canadian AIDA framework. We answer standard CAIQ, SIG, and SOC-equivalent questionnaires.
People controls
Background checks for every team member with client-data access. NDA-bound by default. Mandatory annual security training. Role-based access via SSO with MFA.
Vendor management
Standard subprocessor list maintained and updated. Vendor risk reviews for every tool with client-data access. DPA available with all clients.
Insurance
Commercial general liability, professional liability (errors & omissions), and cyber liability insurance maintained. Certificates of insurance available on request.
Compliance across Canadian and international frameworks.
We work in regulated industries every day — and we structure engagements to meet the relevant framework from day one.
| Framework | Category | SAZ posture |
|---|---|---|
| PIPEDA (Personal Information Protection and Electronic Documents Act) | Canadian privacy law | Compliant by default |
| PHIPA (Personal Health Information Protection Act) | Ontario healthcare | Healthcare engagements |
| HIA / Alberta Health Information Act | Alberta healthcare | Healthcare engagements |
| OSC / IIROC / CIRO | Financial regulation | Financial services engagements |
| Provincial Law Society Rules | Legal sector | Legal engagements |
| AIDA (Artificial Intelligence and Data Act) | Canadian AI law | AI governance aligned |
| GDPR (General Data Protection Regulation) | EU privacy law | EU-data engagements |
| CCPA / CPRA | US privacy law | California-data engagements |
How we deploy AI safely.
AI systems we ship to production are governed, evaluated, and supported — not pilots that hallucinate in the dark.
- Zero-retention AI endpoints by default — your prompts and data are never used for training
- Private VPC deployments available for regulated industries
- Production AI systems ship with monitoring, evals, and audit logs
- Human-in-the-loop checkpoints on consequential AI actions
- AI governance framework aligned to AIDA, ISO/IEC 42001, and NIST AI RMF
Tools that handle client data.
Maintained list of every third party that handles client data on our behalf.
| Subprocessor | Purpose | Data residency |
|---|---|---|
| Amazon Web Services | Cloud infrastructure | Canada (ca-central-1) |
| Google Cloud | Cloud infrastructure | Canada (northamerica-northeast1) |
| Anthropic | LLM API (Claude) | Enterprise zero-retention |
| OpenAI Enterprise | LLM API (GPT) | Enterprise zero-retention |
| 1Password | Password & secrets management | Canada |
| Resend | Transactional email | US |
| Vercel | Web hosting | Multi-region |
| Stripe | Payment processing | Multi-region |
Need a custom security review?
For enterprise engagements, we provide custom security documentation, sign your DPA / MSA, complete your CAIQ / SIG questionnaire, and walk through your procurement process. Reach out and we'll respond within one business day.
Need a copy of our insurance or DPA?
Request directly: info@Sedighi.ca or call (604) 632-4959.