Loading...
Skip to main content
Zero Trust
Network Architecture
AES-256-GCM + ChaCha20
Dual-Algorithm Encryption
Transit Encryption
Data in Transit Controls
Key Management
Managed Encryption Keys
SOC 2
Controls Mapping Available
PIPEDA
Privacy Framework Alignment
Canadian
Data Residency
UEBA
Behavioral Analytics
Security Architecture
Defense-in-Depth Security Model
Encryption
✓Dual-algorithm authenticated encryption: AES-256-GCM for field-level PII (39 sensitive data categories, 3× expanded coverage) and ChaCha20-Poly1305 for credential vaulting
✓Transport encryption controls for data in transit
✓Managed key lifecycle controls with documented rotation procedures
✓Field-level AES-256-GCM encryption across 39 sensitive data categories — identity, financial, credential, and personal information fields
✓Dedicated secrets vault — no credentials in application code or logs
✓Automated encryption key rotation on documented schedule
✓Cipher suite selection managed by hosting infrastructure security baselines
Zero Trust Access Control
✓Zero Trust model: every request verified regardless of network origin
✓Role-based access control (RBAC) with least-privilege enforcement across platform and organization roles
✓Single Sign-On via SAML 2.0 and OpenID Connect (OIDC)
✓Multi-factor authentication (MFA) enforced for all user types
✓Step-up authentication controls for sensitive access scenarios
✓Extensible authentication architecture for additional enterprise factors
✓Automatic session expiry after configurable inactivity period
✓Quarterly access review process for all privileged accounts
Audit & Behavioral Monitoring
✓Tamper-evident, hash-chained audit trails for tracked security and governance events
✓Behavioral anomaly detection for suspicious access and activity patterns
✓Real-time security event monitoring with automated alerting
✓Cryptographically verifiable audit-chain integrity checks
✓Baseline and threshold monitoring — significant deviations trigger review workflows
✓Full audit log export for external SIEM integration
✓Real-time webhook notifications for security and access events
✓Automated threat response: account lockout on anomalous activity
Application Security
✓Secure SDLC practices include peer review and pre-release testing controls
✓Automated vulnerability scanning is integrated into delivery and release workflows
✓Security headers: CSP, HSTS, X-Frame-Options, X-Content-Type-Options
✓Rate limiting and brute-force protection on authentication endpoints
✓Runtime monitoring and alerting for suspicious application activity
✓Credential hygiene controls and secret scanning in operational security workflows
✓Independent security assessments and remediation tracking are part of the security program
✓Input validation and output encoding throughout the application layer
Supply Chain Security
✓Software Bill of Materials (SBOM) generation supported for release workflows
✓Dependency pinning and automated upstream vulnerability alerts
✓Release provenance and artifact-signing controls are supported by delivery architecture
✓Third-party sub-processor selection follows defined security review criteria
✓Vendor security review before any new integration is approved
✓Open source license compliance review included in dependency governance process
Data Loss Prevention
✓Content inspection on all data egress paths
✓Classification-based access controls — Restricted data requires elevated authorization
✓Data exfiltration detection — bulk export anomalies trigger review
✓Configurable retention policies aligned with Canadian and US regulatory obligations
✓Right-to-erasure implementation — PII deletion within 30 days of verified request
✓Cross-tenant isolation enforced at database access and tenant-scoping layers
Zero Trust Architecture
Never Trust. Always Verify.
TrueNorth WCI™ enforces Zero Trust at every layer. No request is inherently trusted — every access decision is identity-verified, context-evaluated, and least-privilege enforced, regardless of network origin or session state.
01
Identity Verification
Every request is authenticated against a verified identity. MFA and SSO via SAML 2.0/OIDC validate context before access is granted. No implicit trust from prior sessions.
02
Least-Privilege Enforcement
Authorization is computed per-request against RBAC policies spanning platform and organization roles. Users receive the minimum permissions required for the specific action. Privilege escalation requires explicit re-authentication.
03
Microsegmentation
Each tenant's data is isolated through database scoping, tenant-aware application logic, and key-management controls. Cross-tenant access is blocked by design and enforcement controls. Sub-processor traffic is restricted to verified encrypted channels.
04
Continuous Validation
Sessions are evaluated against behavioral and threshold-based controls. Anomalous access patterns can trigger additional verification or session controls. Security monitoring remains continuous — trust is never assumed, always re-earned.
Data Residency
Canadian Data Sovereignty
For Canadian organizations, data residency is not a preference — it is frequently a regulatory requirement. TrueNorth WCI™ is designed to meet these obligations by default.
Primary Infrastructure
Canadian deployments are configured for Canadian data residency objectives, including regional infrastructure controls for application and data services.
Data Isolation
Each organization operates within a logically isolated tenant environment. Data is segregated at the database level with tenant-scoped access controls and encryption safeguards.
Cross-Border Considerations
For US-based organizations, deployment and data handling are configured to meet applicable US data protection requirements. Cross-border data transfers follow documented contractual controls where required.
Privacy Compliance
Multi-Jurisdiction Privacy Framework
| Framework | Jurisdiction | Platform Alignment |
|---|---|---|
| PIPEDA | Canada (Federal) | Consent management, data minimization, breach notification, right of access, data portability |
| CPPA (Bill C-27) | Canada (Proposed) | Designed to accommodate anticipated requirements including algorithmic transparency and enhanced consent |
| Provincial Privacy Acts | AB, BC, QC | Substantially similar legislation compliance for Alberta (PIPA), British Columbia (PIPA), and Quebec (Law 25) |
| CCPA / CPRA | California, USA | Consumer rights, data deletion, opt-out mechanisms, and privacy notice requirements |
| State Privacy Laws | Various US States | Coverage references include Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and subsequent state frameworks |
| GDPR Principles | International | Data export, right to erasure, consent management, and data processing records — aligned with GDPR principles for multinational clients |
Business Continuity
Disaster Recovery & Continuity Planning
Recovery Objectives
✓Documented Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
✓Automated database backups with geographic redundancy
✓Point-in-time recovery capability for database restoration
✓Regular DR testing and documented results
Incident Response
✓Formal incident response plan with defined roles and responsibilities
✓Documented procedures for containment, eradication, and recovery
✓Breach notification procedures aligned with PIPEDA and state breach notification laws
✓Post-incident review and remediation documentation
Operational Resilience
✓Multi-availability-zone deployment architecture
✓Automated failover for critical platform components
✓Defined SLA for system uptime and performance
✓Continuous monitoring with automated alerting for service degradation
Certifications & Standards
Compliance Framework Alignment
SOC 2 Type II
Architecture aligned with AICPA Trust Services Criteria across Security, Availability, Confidentiality, Processing Integrity, and Privacy. Formal audit in progress.
ISO 27001
Information security management controls aligned with ISO 27001 Annex A — including A.10 (Cryptography), A.9 (Access Control), and A.12 (Operations Security).
FIPS 140-3
Cryptographic key-management controls are designed to align with FIPS 140-3 expectations where applicable to deployment environments and managed key services.
PIPEDA
Platform controls are designed and mapped against Canada's Personal Information Protection and Electronic Documents Act principles, including consent, data minimization, breach notification, and right of access.
WCAG 2.1 AA
Platform accessibility is designed to align with Web Content Accessibility Guidelines Level AA across public-facing and authenticated interfaces.
Zero Trust (NIST SP 800-207)
Zero Trust Architecture implementation aligned with NIST SP 800-207 principles: verify explicitly, use least-privilege access, and assume breach at every layer.
Threat Intelligence
Advanced Threat Detection & Response
Behavioral analytics and threshold-based detection continuously profile activity patterns and surface anomalies before they become incidents.
UEBA & Behavioral Baselines
✓Behavioral and threshold-based monitoring for user and account activity
✓Anomalous login failures and suspicious access patterns trigger alerts
✓Rate-limit and brute-force anomaly signals are tracked and escalated
✓Dormant privileged-account detection supports periodic access hardening
✓Bulk export and unusual activity patterns can trigger review workflows
Automated Incident Response
✓Automated account lockout on brute-force or credential-stuffing detection
✓Session controls support rapid containment for confirmed account compromise
✓Security event webhooks support downstream SIEM and GRC integrations
✓Severity-tiered alert routing supports faster triage and escalation
✓Audit-log exports support incident investigation and forensic review
✓Documented incident workflows track remediation actions and outcomes
Vulnerability Management
✓Automated dependency audits are integrated into security operations
✓CVE monitoring with risk-based vulnerability remediation targets
✓SBOM generation and publication are supported by release workflows
✓Independent security testing and remediation tracking are part of the program
✓Security-focused regression testing is incorporated into release quality gates
Whistleblower Security
Zero-PII Anonymous Reporting Architecture
The TrueNorth WCI™ whistleblower system is designed for structural anonymity in the application layer. Reports are submitted through an anonymous channel that avoids collecting direct reporter identity fields, session linkage, and device-fingerprint telemetry in the submission workflow. This design reduces re-identification risk and supports defensible confidentiality controls for sensitive reporting.
No PII collected
No direct reporter identity fields
No device fingerprinting
No session correlation
Timestamped investigation trails
Discovery-resistant by design
Security Questions or Procurement Requirements?
Our team can provide detailed security documentation, SOC 2 alignment documentation, data processing agreements, and responses to vendor security questionnaires.
© 2026 TrueNorth Workforce Compliance Intelligence Inc. All rights reserved. TrueNorth WCI™ is a registered trademark. Patent pending. Security certifications and compliance alignments described on this page represent the architectural design targets and operational practices of the platform. Specific certification status and audit reports are available upon request under NDA. This page does not constitute a contractual commitment. Actual security controls are governed by the applicable Master Services Agreement.