Security & Compliance
Last updated: May 2026
HPO Canada is architected for the most security-sensitive deployments in Canadian enterprise, government, and healthcare. This page summarises our current compliance posture, technical controls, and data-sovereignty options. For detailed audit reports, penetration test summaries, or a signed NDA-backed security questionnaire, contact gurbachan@hpocanada.com.
Current compliance posture
Compliant means our policies, controls, and data-handling practices are aligned with the framework’s published requirements and we will cooperate with customer audits.
Aligned means our controls map to the framework but we have not yet completed third-party certification.
In Progress means we are actively working with auditors toward formal certification; estimated completion timelines are available on request.
Encryption
- At rest: AES-256 via AWS KMS or Google Cloud KMS customer-managed keys. Customers may supply their own keys (BYOK).
- In transit: TLS 1.3 on all network traffic between clients, APIs, and data stores.
- Backups: encrypted with the same KMS-managed keys and stored in region-appropriate backup tiers.
- Vector embeddings: stored in a separate, access-controlled index; embeddings cannot be reversed into source document text without the matching access token.
Access control
- Zero-trust architecture — every request is authenticated and authorised.
- Permission-Aware Management (PAM) — access policies are enforced at retrieval time, before any content reaches the AI model. Users only receive answers drawn from documents they are authorised to see.
- Identity federation — SAML 2.0 and OpenID Connect with Azure AD, Okta, Google Workspace, and LDAP.
- RBAC + ABAC — role-based and attribute-based access controls, with optional customer-defined attribute rules.
Audit logging
- Every query, document retrieved, and answer generated is logged with user ID, timestamp, access level, and source document citations.
- Logs are written to tamper-evident storage.
- Retention is configurable; default is seven (7) years to meet common regulatory requirements.
- Customer administrators can export logs via a signed API or streaming endpoint.
AI model safety
- RAG-first: answers are grounded in Customer documents. Answers include citations to source text; uncited answers are rejected.
- No training on Customer Data: Customer content is never used to train third-party foundation models.
- Local-model option: customers requiring full data sovereignty can run on their own infrastructure using Llama 3, Mistral, or any GGUF-compatible model.
Data sovereignty options
- Canada-only: data resides in AWS Canada (Central or West) or Google Cloud Montreal / Toronto regions; AI inference via Canadian-region Vertex AI, Bedrock, or on-prem local models.
- EU-only: AWS Frankfurt / Google Cloud Frankfurt or Paris for GDPR-covered workloads.
- On-premises / air-gapped: full stack deployed inside the customer’s network; no outbound connectivity required.
Infrastructure security
- Hardened, minimal container images; no SSH into production workloads.
- Private networking; public endpoints protected by Web Application Firewall (WAF) and DDoS mitigation.
- Secrets managed via AWS Secrets Manager or Google Secret Manager with automated rotation.
- Dependency scanning, SAST, and container image scanning in the build pipeline.
Incident response
HPO Canada maintains a documented incident-response playbook covering detection, containment, eradication, recovery, and customer notification. Material security incidents are communicated to affected customers within 72 hours of confirmation, per GDPR Article 33 and PIPEDA breach-notification guidance.
Sub-processors
Our current sub-processor registry is available on request under NDA and includes Amazon Web Services, Google Cloud, and Pinecone. Updates are announced in advance via our service-status page.
Security contact
Report a vulnerability or request a security review at gurbachan@hpocanada.com. We support encrypted email via PGP on request.