Security & Trust

How we protect customer data, infrastructure, and privacy.

SOC 2 Type II Certified
PIPEDA Compliant
PHIPA Compliant
256-bit AES Encryption
100% Canadian Data Residency
24/7 Continuous Monitoring

At a glance

SJTN Care is SOC 2 Type 2 attested and maintains organizational, technical, and administrative safeguards designed to preserve the confidentiality, integrity, and availability of personal and health information. We use Vanta for continuous monitoring of our controls, maintain a public Trust Center, and comply with Canadian privacy laws including PHIPA and PIPEDA.

Encryption

In transit: All traffic to our services is protected by TLS (HTTPS). We enforce modern TLS configurations and prefer strong cipher suites.
At rest: Sensitive data stored in databases and object stores is encrypted using provider-managed keys (e.g., AWS KMS) or equivalent encryption-at-rest mechanisms.
Key management: Access to encryption keys is restricted to a small number of authorized systems and personnel using strong access controls and auditing.

Infrastructure & Network Security

We run services in reputable cloud providers with hardened network boundaries, segmented VPCs, and restricted management access.
Host-level protections include OS patching, endpoint protection, and configuration baselining.
Minimal public exposure: only required ports and services are publicly accessible; internal services sit behind private networks.
Regular vulnerability scanning and third-party dependency monitoring are in place.

Access Control & Authentication

Least privilege: We grant the minimum permissions required for users and services.
MFA: Multi-factor authentication is enforced for administrative accounts and all remote access tools.
Identity providers: We integrate with centralized identity providers (SSO) for staff accounts; service accounts are rotated and audited.
Audit logs: Access and administrative actions are logged and retained for investigation and compliance needs.

Secure Development & Change Control

Secure SDLC: developers follow code review, branch protection, and CI pipelines with automated checks.
Static analysis and dependency scanning are run in CI to detect issues early.
Secrets management: application secrets are stored in dedicated secret stores (e.g., HashiCorp Vault or cloud KMS-backed secrets) and not in source code.
Infrastructure as code is used for reproducible, auditable deployments.

Incident Response & Monitoring

We maintain incident response playbooks and a designated incident response team. Key practices include:

Continuous monitoring via logging and alerting systems; alerts are triaged and escalated according to severity.
Formal incident communication channels and templates to notify affected customers and authorities where required by law (e.g., PHIPA and PIPEDA breach notification obligations).
Post-incident reviews to identify root causes and implement corrective actions.

Privacy & Compliance

We take privacy and compliance seriously and align our practices to applicable Canadian laws and recognized security frameworks:

PHIPA (Ontario): We follow rules for collection, use, disclosure and retention of personal health information where applicable.
PIPEDA (Canada): For commercial activities and personal information outside provincially-regulated contexts, we follow PIPEDA principles.
SOC 2 Type 2: SJTN Care holds a SOC 2 Type 2 attestation. Our security, availability, and confidentiality controls have been examined by an independent third-party auditor over a defined audit period. The report is available to customers and prospects under NDA.
Continuous monitoring: We use Vanta to continuously monitor our controls, centralize policy and evidence documentation, and present a public Trust Center for customers and prospects.

Third-Party & Data Handling

We evaluate vendors for security, privacy, and compliance posture before onboarding.
Data processing agreements (DPAs) are used where required and include security commitments and breach notification expectations.
We minimize data retention and apply anonymization or pseudonymization where possible.

Evidence & Documents

SJTN Care Trust Center (Vanta)

Public evidence and artifacts available for customer review:

Security & Compliance Team

To request documents, security questionnaires, or to report an issue: security@sjtn.ca
