Security Practices
Effective Date: March 8, 2026 · Last Updated: March 8, 2026
AIA Simplified is designed for government and public sector use. Security and data sovereignty are architectural constraints, not optional features. This page describes the technical and organizational safeguards we maintain to protect Customer Data.
1. Data Residency
All Customer Data is stored and processed in Canada, in accordance with the Treasury Board of Canada Secretariat's Direction for Electronic Data Residency (ITPIN 2017-02). We do not store Customer Data outside Canada during normal operations.
Certain limited Account Data, such as name and email address, may be processed outside Canada by transactional email providers for delivery of invitations, password resets, and similar operational messages. If we introduce any feature that would require Customer Data to be processed outside Canada, we will provide notice in advance.
2. Encryption
2.1 Encryption at Rest
All Customer Data stored in our databases and object storage is encrypted at rest using AES-256.
2.2 Encryption in Transit
All communications between clients and our services are encrypted in transit using TLS 1.3. Unencrypted connections are rejected.
3. Access Controls
3.1 Role-Based Access Control
The Service enforces organization-scoped, role-based access controls. Each Authorized User is assigned a role that determines what they can view, create, edit, approve, and export. Role assignments are managed by the Customer's designated administrators.
3.2 Separation of Duties
Approval workflows enforce separation of duties at the application level: the user who submits an assessment for approval cannot approve that same assessment. This check is performed by the Service on every approval request, not only in the user interface, so it cannot be bypassed by manipulating the client.
3.3 Export Integrity Controls
Draft responses and approved responses are maintained separately. Only approved answers appear in exported reports. This ensures that exported artifacts reflect a completed, reviewed compliance record.
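The two controls in 3.2 and 3.3 are easiest to reason about as invariants on a small state machine. The following is an added illustration, not AIA Simplified's code: it models an assessment with separate draft and approved copies of each answer, refuses approval by the submitter regardless of role, and builds exports only from approved text. The role table, the names `Assessment`, `submit_for_approval`, `approve` and `export_report`, and the sample data are all hypothetical.

```python
"""Added illustration (not AIA Simplified's implementation) of server-side
separation of duties and export integrity for an approval workflow."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional


class State(Enum):
    DRAFT = "draft"
    PENDING_APPROVAL = "pending_approval"
    APPROVED = "approved"


class AuthorizationError(Exception):
    pass


@dataclass
class Answer:
    question_id: str
    draft_text: str                          # editable working copy
    approved_text: Optional[str] = None      # set only by a successful approval


@dataclass
class Assessment:
    org_id: str
    answers: Dict[str, Answer] = field(default_factory=dict)
    state: State = State.DRAFT
    submitted_by: Optional[str] = None
    approved_by: Optional[str] = None


# Hypothetical role table (org -> user -> role), standing in for the roles the
# Customer's administrators would manage in the real Service.
ROLES = {
    "org-1": {"alice": "contributor", "bob": "approver", "carol": "approver"},
}


def role_of(org_id: str, user: str) -> Optional[str]:
    return ROLES.get(org_id, {}).get(user)


def submit_for_approval(a: Assessment, user: str) -> None:
    if role_of(a.org_id, user) is None:          # organization scoping
        raise AuthorizationError(f"{user} is not a member of {a.org_id}")
    if a.state is not State.DRAFT:
        raise ValueError(f"cannot submit from state {a.state.value}")
    a.state = State.PENDING_APPROVAL
    a.submitted_by = user


def approve(a: Assessment, user: str) -> None:
    # Every check runs on the server for every request, whatever the UI shows.
    # The SoD check compares identities, not roles: an approver who also
    # submitted the assessment is still refused.
    if role_of(a.org_id, user) != "approver":
        raise AuthorizationError(f"{user} lacks the approver role in {a.org_id}")
    if a.state is not State.PENDING_APPROVAL:
        raise ValueError(f"cannot approve from state {a.state.value}")
    if user == a.submitted_by:
        raise AuthorizationError("separation of duties: submitter cannot approve")
    for ans in a.answers.values():
        ans.approved_text = ans.draft_text    # promote the reviewed draft
    a.state = State.APPROVED
    a.approved_by = user


def export_report(a: Assessment) -> Dict[str, str]:
    # Exports read only the approved copy. Drafts, including edits made after
    # approval, never reach the exported artifact.
    return {qid: ans.approved_text for qid, ans in a.answers.items()
            if ans.approved_text is not None}
```

The point of keeping `draft_text` and `approved_text` as separate fields rather than a single text plus a flag is that a later edit to the draft cannot silently change what an already-approved export contains; the export path never has access to the draft column at all.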
4. Authentication
The Service supports single sign-on (SSO) via SAML 2.0 and OIDC-compatible identity providers. Customers may configure session timeout policies and sign-in restrictions through their identity provider. Each Authorized User must have a unique account; shared logins are not permitted.
5. Audit Logging
The Service maintains immutable, append-only audit logs of significant actions taken within the platform, including assessment submissions, approvals, user management changes, and data exports. Audit logs cannot be edited or deleted by any user, including administrators. Audit log records form part of Customer Data and are available to the Customer.
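An append-only log is only as trustworthy as the Customer's ability to check that nothing was altered or removed after the fact. The following is an added illustration, not AIA Simplified's implementation, of one common way to make such a log tamper-evident: each record commits to the SHA-256 hash of the previous record, so editing or deleting any entry in the middle breaks verification of everything after it. The class and function names, the field layout and the sample events are hypothetical.

```python
"""Added illustration (not AIA Simplified's implementation): a hash-chained
append-only audit log with an offline verifier."""
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64
RECORD_FIELDS = ("seq", "org", "actor", "action", "target", "ts")


def _digest(prev_hash: str, record: Dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so the Customer can
    # recompute the same hash from an exported copy of the log.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + payload).encode()).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self._entries: List[Dict] = []   # no update/delete methods exist

    def append(self, actor: str, action: str, target: str,
               org_id: str, ts: str) -> str:
        # ts is supplied by the caller as an ISO-8601 string so the chain is
        # reproducible; a real service would stamp it server-side.
        record = {"seq": len(self._entries), "org": org_id, "actor": actor,
                  "action": action, "target": target, "ts": ts}
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        entry = dict(record, prev=prev, hash=_digest(prev, record))
        self._entries.append(entry)
        return entry["hash"]

    def entries(self) -> List[Dict]:
        return [dict(e) for e in self._entries]   # copies, never references


def verify(entries: List[Dict]) -> Optional[int]:
    """Return None if the chain is intact, otherwise the index of the first
    entry whose sequence number, back-pointer or hash does not check out."""
    prev = GENESIS
    for i, e in enumerate(entries):
        record = {k: e[k] for k in RECORD_FIELDS}
        if e["seq"] != i or e["prev"] != prev or e["hash"] != _digest(prev, record):
            return i
        prev = e["hash"]
    return None
```

One caveat a reviewer should ask about: a chain like this detects modification and deletion in the middle, but not truncation of the tail, since a log cut off after entry N still verifies. Detecting that requires the latest hash to be anchored somewhere outside the log (a periodic export to the Customer, a signed checkpoint, or a write-once store).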
6. Infrastructure Security
Our infrastructure is hosted on cloud providers with Canadian data centre locations. We apply the following controls:
- network segmentation and private networking for internal services
- automated vulnerability scanning and dependency monitoring
- intrusion detection and security event monitoring
- regular automated backups with tested recovery procedures
- principle of least privilege for all internal service accounts and personnel access
7. Backup and Recovery
Customer Data is backed up regularly. Backups are encrypted and stored in Canada. We maintain and test recovery procedures to support restoration of Customer Data in the event of a system failure. Recovery time and recovery point objectives are available on request.
8. Security Incident Response
We maintain an internal security incident response process. If we confirm unauthorized access to Customer Data caused by a security incident affecting the Service, we will notify the affected Customer without undue delay. Notification will include available details about the nature of the incident, the categories of data affected, and the remediation steps taken.
9. Personnel and Internal Access
Access to production systems and Customer Data is restricted to a limited number of authorized personnel. All access is logged. We do not access Customer Data except as necessary to provide support, investigate issues, maintain the Service, comply with law, or protect the security of the Service.
10. Subprocessors
We use a limited number of subprocessors for infrastructure, authentication, email delivery, and monitoring. All subprocessors are subject to contractual data protection obligations. A list of subprocessors is available on request.
11. Contact
For security questions or to report a vulnerability:
AIA Simplified — Security
Email: security@aia-simplified.com
Website: aia-simplified.com
For privacy-related questions, see our Privacy Policy. For terms governing use of the Service, see our Terms of Service.