Security & Trust

How we protect customer data, infrastructure, and privacy.

At a glance

SJTN Care is committed to protecting personal and health information. We maintain organizational, technical, and administrative safeguards designed to preserve confidentiality, integrity, and availability of data. We use Vanta to continuously monitor our controls and to present a Trust Center for customers and prospects. We do not currently hold SOC 2 certification, but we follow Canadian health and privacy rules such as PHIPA and PIPEDA.

Encryption

In transit: All traffic to our services is protected by TLS (HTTPS). We enforce modern TLS configurations and prefer strong cipher suites.
At rest: Sensitive data stored in databases and object stores is encrypted using provider-managed keys (e.g., AWS KMS) or equivalent encryption-at-rest mechanisms.
Key management: Access to encryption keys is restricted to a small number of authorized systems and personnel using strong access controls and auditing.

Infrastructure & Network Security

We run services in reputable cloud providers with hardened network boundaries, segmented VPCs, and restricted management access.
Host-level protections include OS patching, endpoint protection, and configuration baselining.
Minimal public exposure: only required ports and services are publicly accessible; internal services sit behind private networks.
Regular vulnerability scanning and third-party dependency monitoring are in place.

Access Control & Authentication

Least privilege: We grant the minimum permissions required for users and services.
MFA: Multi-factor authentication is enforced for administrative accounts and all remote access tools.
Identity providers: We integrate with centralized identity providers (SSO) for staff accounts; service accounts are rotated and audited.
Audit logs: Access and administrative actions are logged and retained for investigation and compliance needs.

Secure Development & Change Control

Secure SDLC: developers follow code review, branch protection, and CI pipelines with automated checks.
Static analysis and dependency scanning are run in CI to detect issues early.
Secrets management: application secrets are stored in dedicated secret stores (e.g., HashiCorp Vault or cloud KMS-backed secrets) and not in source code.
Infrastructure as code is used for reproducible, auditable deployments.

Incident Response & Monitoring

We maintain incident response playbooks and a designated incident response team. Key practices include:

Continuous monitoring via logging and alerting systems; alerts are triaged and escalated according to severity.
Formal incident communication channels and templates to notify affected customers and authorities where required by law (e.g., PHIPA and PIPEDA breach notification obligations).
Post-incident reviews to identify root causes and implement corrective actions.

Privacy & Compliance

We take privacy seriously and align our practices to applicable Canadian laws:

PHIPA (Ontario): We follow rules for collection, use, disclosure and retention of personal health information where applicable.
PIPEDA (Canada): For commercial activities and personal information outside provincially-regulated contexts, we follow PIPEDA principles.
Third-party assessments: We use Vanta to monitor controls, centralize documentation, and present a Trust Center for customers.
Note on certifications: We currently do not hold a SOC 2 report; we are working toward formalized audits and continuously improve our posture.

Third-Party & Data Handling

We evaluate vendors for security, privacy, and compliance posture before onboarding.
Data processing agreements (DPAs) are used where required and include security commitments and breach notification expectations.
We minimize data retention and apply anonymization or pseudonymization where possible.

Evidence & Documents

Public evidence and artifacts available for customer review:

SJTN Care Trust Center (Vanta): Security controls, policies, and system status in real time
Privacy policy: Our commitments to handling personal information
DPA and security documentation (upon request): Available for customers under NDA or during onboarding

Security & Compliance Team

To request documents, security questionnaires, or to report an issue: security@sjtn.ca
