Effective Date: April 18, 2026
Version: 1.1
Company: 2845341 Ontario Inc. (VocaIQ)
This Security Overview describes the technical and organisational measures 2845341 Ontario Inc. (trading as VocaIQ) employs to protect Customer data and maintain the integrity, availability, and confidentiality of the VocaIQ platform. This document is provided for informational purposes and supplements our Data Processing Addendum (Section 7 - Technical and Organisational Measures) and Privacy Policy. Security measures are reviewed and updated on an ongoing basis; this document reflects our posture as of the effective date above.
1. Encryption
1.1 Encryption in Transit
All data transmitted between end users, the VocaIQ platform, and our infrastructure is encrypted using TLS 1.3 (Transport Layer Security). Legacy TLS 1.0 and 1.1 protocols are disabled. HTTP connections are automatically redirected to HTTPS. All API communications with subprocessors use TLS 1.2 or higher.
1.2 Encryption at Rest
All data stored in the VocaIQ database and file storage is encrypted at rest using AES-256 (Advanced Encryption Standard, 256-bit keys). Encryption keys are managed by Supabase's key management service with hardware security module (HSM) backing where available. Database backups are encrypted using the same standards.
1.3 Application-Level Encryption
Sensitive fields such as integration API keys and OAuth tokens are additionally encrypted at the application level before being written to the database, providing defence in depth beyond storage-layer encryption.
2. Access Controls and Multi-Factor Authentication
2.1 Customer Access Controls
VocaIQ implements role-based access controls (RBAC) within the platform. Customers can assign roles (e.g., admin, viewer) to team members, limiting access to sensitive configuration and call data based on the principle of least privilege.
2.2 Multi-Factor Authentication (MFA)
Multi-factor authentication is available to all Customers and is strongly recommended. MFA is mandatory for all 2845341 Ontario Inc. internal personnel with access to production systems and Customer data.
2.3 Internal Access Controls
- Production system access is restricted to authorised personnel with a documented business need.
- Administrative access is reviewed quarterly; access is revoked immediately upon role change or departure.
- All privileged access sessions are logged in tamper-resistant audit logs.
- Engineers use separate development and production environments; no direct human access to production data is permitted except for breach investigation or legal obligation.
2.4 Authentication Infrastructure
User authentication is managed by Supabase Auth, which supports email/password authentication, magic links, and OAuth 2.0 social sign-on. Passwords are hashed using bcrypt with a work factor appropriate to current computational capabilities. Session tokens are short-lived and rotated on re-authentication events.
3. Data Segregation - Multi-Tenant Architecture
VocaIQ operates a multi-tenant architecture using Supabase as the database layer. Customer data segregation is enforced through Row-Level Security (RLS) policies applied at the database level. This ensures that queries executed on behalf of one Customer organisation cannot return or modify data belonging to another Customer, even if application-level controls are circumvented. RLS policies are reviewed whenever schema changes are made to the data model.
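The database-level isolation described above, as an added illustration (not VocaIQ's own schema or policies): a PostgreSQL table with a tenant column and a Row-Level Security policy keyed on a per-session tenant setting. The table, column and setting names are assumed; in Supabase the tenant would normally be derived from the request JWT (auth.uid() / auth.jwt()) rather than a custom setting.

```sql
-- Illustrative multi-tenant table (assumed names, not VocaIQ's schema).
create table calls (
  id uuid primary key default gen_random_uuid(),
  organisation_id uuid not null,
  transcript text
);

-- Turn RLS on, and FORCE it so the policy also binds the table owner.
-- Note: superusers and roles with BYPASSRLS still bypass policies, so the
-- application role must be neither.
alter table calls enable row level security;
alter table calls force row level security;

-- The tenant id comes from a session setting that the connection layer sets
-- after authenticating the caller. current_setting(..., true) returns NULL
-- when the setting is absent, and a NULL comparison hides every row, so an
-- unauthenticated or misconfigured session sees nothing rather than everything.
create policy tenant_isolation on calls
  for all
  using (
    organisation_id = current_setting('app.organisation_id', true)::uuid
  )
  with check (
    organisation_id = current_setting('app.organisation_id', true)::uuid
  );

-- Check 1: a session bound to tenant A can insert and read its own rows.
-- (With a connection pool, prefer set_config(name, value, true) inside a
-- transaction so the tenant binding cannot leak to the next borrower.)
set app.organisation_id = '11111111-1111-1111-1111-111111111111';
insert into calls (organisation_id, transcript)
  values ('11111111-1111-1111-1111-111111111111', 'constructed sample row');
select id, organisation_id from calls;

-- Check 2: the same session cannot write a row tagged with another tenant;
-- the WITH CHECK clause rejects the insert regardless of application logic.
insert into calls (organisation_id, transcript)
  values ('22222222-2222-2222-2222-222222222222', 'cross-tenant attempt');

-- Check 3: a session bound to tenant B does not see tenant A's rows at all,
-- which is the property that holds even if application-level checks fail.
set app.organisation_id = '22222222-2222-2222-2222-222222222222';
select id, organisation_id from calls;
```

Reviewing policies on every schema change, as the section states, means re-running checks like these whenever a new table or column that carries tenant data is added, since a table created without a policy and without RLS enabled is fully readable by the application role.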
4. Incident Response
4.1 Internal Response Targets
- Detection-to-assessment: Target 24 hours from initial indicator to confirmed or ruled-out incident.
- Containment: Immediate containment steps initiated within 4 hours of confirmed incident.
- Eradication and recovery: Target restoration of affected systems within 24-72 hours depending on severity.
4.2 Notification - GDPR / PIPEDA
In the event of a personal data breach, 2845341 Ontario Inc. will notify affected Customers within 72 hours of becoming aware of the breach, consistent with GDPR Article 33 requirements. Notifications will include the information described in our Data Processing Addendum (Section 8). Customers are responsible for notifying their own data subjects and supervisory authorities as required by applicable law.
4.3 Incident Log
All security incidents are documented in an internal incident log, including severity classification, timeline, root cause analysis, and remediation steps. Post-incident reviews are conducted for all high-severity incidents to prevent recurrence.
5. Backup and Recovery
- Backup frequency: Automated encrypted database backups are taken daily.
- Backup retention: Backups are retained for 30 days in encrypted storage.
- Backup testing: Backup restoration is tested quarterly to validate recovery capability.
- Recovery time objective (RTO): Target RTO of 4 hours for critical platform components.
- Recovery point objective (RPO): Target RPO of 24 hours (reflecting daily backup frequency).
- Geographic redundancy: Backup copies are stored in a geographically separate region from primary data.
- Post-termination: Customer data backups are purged within 90 days of account termination.
6. Penetration Testing and Vulnerability Management
6.1 Annual Penetration Testing
2845341 Ontario Inc. conducts or commissions independent third-party penetration testing at least annually, covering the application layer, API endpoints, and infrastructure. Findings are triaged by severity and remediated according to our vulnerability management policy (critical within 24 hours, high within 7 days, medium within 30 days).
6.2 Continuous Vulnerability Scanning
Automated dependency scanning and static code analysis are run on every code change to identify known vulnerabilities (CVEs) in third-party libraries and platform code. Container images are scanned before deployment.
6.3 Vulnerability Disclosure Program
We welcome responsible disclosure of security vulnerabilities by independent researchers - see Section 9 below for the reporting process and our commitments.
7. Compliance Roadmap
7.1 SOC 2
2845341 Ontario Inc. is working toward SOC 2 Type I certification, which will formally validate our security controls against the AICPA Trust Services Criteria (Security, Availability, and Confidentiality). We target completion within our current roadmap period. Enterprise Customers requiring a current SOC 2 report should contact us to discuss availability or alternative assurance documentation.
7.2 HIPAA Business Associate Agreement (BAA)
VocaIQ can execute a HIPAA Business Associate Agreement with Customers operating in U.S. healthcare contexts where the Services involve Protected Health Information (PHI). HIPAA BAAs are available to Enterprise-tier Customers. Contact [email protected] to request a BAA.
7.3 PIPEDA and GDPR
Our data processing practices are designed to comply with PIPEDA (Canada) and GDPR (EU/UK). Our Data Processing Addendum at /legal/data-processing-addendum sets out GDPR Article 28 compliant terms for Customers whose data subjects are located in the EU or UK.
8. Subprocessor Security Due Diligence
Before engaging any new subprocessor that processes Customer personal data, 2845341 Ontario Inc. conducts security due diligence including:
- Review of the subprocessor's privacy policy and data processing terms;
- Assessment of available security certifications (SOC 2, ISO 27001, etc.);
- Review of data residency and international transfer mechanisms;
- Execution of a data processing agreement or equivalent contractual terms.
Our current subprocessor list, including security certification status where known, is maintained at /legal/subprocessor-list.
9. Vulnerability Disclosure Program
We maintain an open channel for security researchers to report potential vulnerabilities affecting the VocaIQ platform or associated services. To report a vulnerability:
- Email: [email protected]
- Subject: "Security Vulnerability Disclosure"
- Include: Description of the issue, steps to reproduce, potential impact, and any supporting evidence (screenshots, logs, PoC code).
We commit to: acknowledging receipt within 2 business days; providing a status update within 7 days; coordinating disclosure timing with the reporter; and crediting researchers in our security acknowledgements (with their consent). We request that reporters do not disclose findings publicly until we have had a reasonable opportunity to remediate.
Contact
For security questions, vulnerability disclosures, or to request security documentation (SOC 2 reports, penetration test summaries, HIPAA BAA), please contact:
2845341 Ontario Inc. - Security
Email: [email protected]
Address: 215 Daffodil Court
Website: https://vocaiq.ai
Privacy Impact Assessments
2845341 Ontario Inc. conducts privacy impact assessments for its AI voice agent platform and cross-border data transfers in accordance with Quebec Law 25 and other applicable privacy legislation. Summaries are available to enterprise customers upon written request to [email protected].