PIPEDA · WCAG 2.1 AA · Canadian data residency

Security and compliance documentation

Everything your IT and procurement teams need to evaluate Paliero against Canadian public sector requirements. For additional documentation supporting a formal security assessment, contact us.

Request full security package

1. Data residency and sovereignty

Where your data lives

All Paliero data is hosted on Supabase infrastructure in the Montreal region (ca-central-1). This includes user accounts and authentication data, all test content created by evaluators, all candidate responses and submissions, all audio recordings and written productions, all grading data and final reports, and all audit logs and administrative records.

No cross-border data transfer

No Paliero data is processed, stored, or transmitted outside Canadian territory under any circumstance. This includes backup systems, redundancy, disaster recovery, and analytics. We do not use any sub-processor that operates outside Canada for data handling.

The U.S. CLOUD Act and why this matters

Many "Canadian" SaaS platforms use U.S.-controlled cloud infrastructure that, despite physical hosting in Canada, exposes data to U.S. jurisdiction under the CLOUD Act of 2018. Paliero uses Supabase's Canadian region with explicit Canadian data residency commitments enforced at the infrastructure level.

2. Encryption

In transit: TLS 1.3 enforced for all connections to Paliero. No fallback to TLS 1.2 or earlier. HSTS (HTTP Strict Transport Security) enabled.

At rest: AES-256 encryption for all data stored in Supabase infrastructure. Postgres-native encryption at rest with keys managed in the Montreal region.

3. Authentication and access control

  • Email/password authentication with strong password requirements
  • Role-based access control (Owner, Manager, Examiner)
  • Multi-tenant data isolation per organization
  • Per-organization custom subdomain
  • Session timeout and automatic logout
  • Single sign-on (SSO) integration available on the institutional roadmap

4. Audit logging

All administrative actions in Paliero are logged with timestamp (ISO 8601, UTC), actor (user ID and email), action type, affected resource, and IP address. Audit logs are retained for the duration of the institutional contract and made available to the account owner on request.

5. Privacy and data handling

PIPEDA compliance

Paliero complies fully with the Personal Information Protection and Electronic Documents Act (PIPEDA). Privacy-by-design principles are applied across the platform.

Data minimization

Paliero collects only the personal information necessary to deliver the service. No demographic data, no behavioral tracking data, no third-party advertising identifiers.

Data subject rights

Candidates have the right to access, correct, and request deletion of their personal information through the institution that administered the test. Account owners can export and delete data on demand through the platform.

Provincial privacy law alignment

Paliero is compliant with major provincial privacy legislation, including Quebec Law 25, Alberta PIPA, and BC PIPA.

6. Sub-processors

Sub-processorPurposeLocation
SupabaseHosting, database, file storageMontreal, QC, Canada
StripePayment processing (institutional plans only)Multiple regions

A complete and updated list of sub-processors is available on request as part of the procurement documentation package.

7. Accessibility

Paliero meets the Web Content Accessibility Guidelines (WCAG) 2.1 Level AA. The platform is aligned with the standards of the Treasury Board of Canada Secretariat and the Accessible Canada Act (2019).

8. Business continuity and disaster recovery

  • Automated daily backups stored in the Canadian Supabase region
  • Point-in-time recovery for the database
  • Documented disaster recovery procedure
  • 99.5% uptime target on institutional plans

9. Vulnerability management

  • Regular security updates applied to all infrastructure components
  • Dependency monitoring for known vulnerabilities (CVE)
  • Responsible disclosure program for security researchers

10. How to request a security review

For institutions conducting a formal Security Assessment and Authorization (SA&A), Business Impact Assessment (BIA), or Privacy Impact Assessment (PIA), contact us to request the full documentation package, which includes:

  • Architecture diagrams
  • Data flow documentation
  • Sub-processor list with data handling roles
  • Encryption and access control documentation
  • Audit logging specifications
  • Incident response procedures
  • Data Processing Addendum (DPA) for signature

Need the full documentation package?

We provide architecture diagrams, data flow documentation, BIA materials, and a Data Processing Addendum on request for institutions conducting formal security reviews.

Request the package