How Sentrix protects your compliance data
Security is not a feature layer added on top of Sentrix — it is the operating assumption behind every architectural decision. This page documents the specific controls, third-party audits, and data residency commitments that Canadian organizations rely on when they trust Sentrix with their GRC programs.
Encryption at rest and in transit
All customer data stored within Sentrix is encrypted at rest using AES-256, the standard required by the Government of Canada's Protected B classification and widely recognized across NIST, ISO 27001, and SOC 2 frameworks. Encryption keys are managed through AWS Key Management Service with annual rotation schedules and strict separation between tenant environments.
Data in transit between your browser, Sentrix application servers, and any connected third-party systems is protected exclusively over TLS 1.2 or higher. Sentrix enforces HTTP Strict Transport Security and rejects any unencrypted connection attempts. These controls apply to the full data path, including API calls made by automated compliance workflows and scheduled evidence collection tasks.
Sentrix does not store passwords, service account credentials, or OAuth refresh tokens in application databases. Read-only OAuth integrations authenticate through short-lived access tokens issued directly by the connected platform. If a token is revoked, Sentrix loses access immediately — there is nothing to breach on our side.
Read-only OAuth integrations
When you connect Sentrix to platforms such as Microsoft 365, Google Workspace, AWS, or Azure Active Directory, the integration uses OAuth 2.0 with the minimum permission scopes required to read compliance-relevant signals. Sentrix never requests write access, never stores your platform passwords, and never caches credentials beyond the authenticated session. Each integration scope is documented in the platform connection wizard so your IT security team can review it before authorizing access.
This architecture is deliberate. A read-only integration model means Sentrix cannot modify your source systems, cannot be used as a pivot point to alter configurations, and dramatically reduces the blast radius of any hypothetical compromise. Your compliance evidence is pulled, not pushed, and the source-of-truth always remains with you.
Canadian data residency
All Sentrix production infrastructure runs on Amazon Web Services in the ca-central-1 region, located in Montreal, Quebec. Customer compliance data — including uploaded evidence, control assessments, audit trails, and user records — is stored and processed exclusively within Canada. No data is replicated to US-East, EU, or any other AWS region as part of normal operations.
This residency commitment is directly relevant to Canadian organizations subject to PIPEDA, Quebec Law 25 (Bill 64), provincial public-sector privacy legislation, and sector-specific requirements in financial services and healthcare. Sentrix can provide a Data Processing Agreement confirming these residency terms upon request for enterprise procurement reviews.
SOC 2 Type II attestation
Sentrix holds a current SOC 2 Type II report covering the Security, Availability, and Confidentiality Trust Service Criteria. Unlike a Type I report, which assesses controls at a single point in time, the Type II attestation verifies that security controls operated effectively over a sustained audit period. The report is conducted annually by an independent AICPA-accredited auditor. Qualified prospects and existing customers under NDA may request a copy through their Sentrix account team.
Annual penetration testing
Sentrix engages Bishop Fox, a specialized offensive security firm, to conduct comprehensive penetration testing of the Sentrix application and underlying infrastructure on an annual basis. The scope includes web application testing against the OWASP Top 10, API endpoint enumeration and fuzzing, network segmentation validation, and authentication bypass attempts against tenant isolation controls.
Findings from each engagement are remediated according to a severity-tiered timeline: critical findings within 24 hours of disclosure, high findings within 7 days, and medium findings within 30 days. Summaries of test outcomes and remediation status are available to enterprise customers as part of the annual security review package.
Security control summary
| Control area | Implementation |
|---|---|
| Encryption at rest | AES-256 via AWS KMS, annual key rotation, per-tenant key separation |
| Encryption in transit | TLS 1.2+ enforced, HSTS enabled, no plaintext fallback |
| Credential storage | No passwords or OAuth refresh tokens stored; read-only short-lived tokens only |
| Data residency | AWS ca-central-1 (Montreal) exclusively; DPA available on request |
| Third-party audit | SOC 2 Type II, annual; report available under NDA |
| Penetration testing | Annual engagement with Bishop Fox; critical findings patched within 24 hours |
Responsible disclosure
Sentrix operates a responsible disclosure program for security researchers who identify potential vulnerabilities in our platform. If you believe you have found a security issue, we ask that you report it to our security team before public disclosure, giving us a reasonable window to investigate and remediate. We commit to acknowledging receipt within one business day, providing a substantive response within five business days, and keeping the reporter informed through the remediation process.
We do not pursue legal action against researchers acting in good faith under these guidelines. Reports can be submitted by email to [email protected]. Please include a description of the vulnerability, reproduction steps, and any relevant evidence. We do not currently operate a paid bug bounty program, but we recognize significant findings publicly in our security acknowledgements page with researcher consent.