How Sentrix Protects Your Compliance Data
Sentrix is built for Canadian organizations that operate under strict regulatory obligations. Every architectural decision — from where your data lives to how it is encrypted and audited — is made with Canadian privacy law and enterprise GRC requirements in mind.
Certifications and Independent Audits
Sentrix holds an annual SOC 2 Type II certification, audited against the Trust Services Criteria for Security, Availability, and Confidentiality. The report is available to enterprise customers under NDA upon request.
Bishop Fox conducts a full-scope external penetration test of the Sentrix platform each year. Findings are remediated on a defined SLA, and a summary letter is available to customers on request.
Data handling practices conform to the Personal Information Protection and Electronic Documents Act, Canada's federal private-sector privacy law, including lawful collection, identified purpose, and breach notification obligations.
For organizations subject to Québec's Act respecting the protection of personal information in the private sector, Sentrix supports the enhanced consent, privacy impact assessment, and data localization requirements introduced under Law 25.
Data Residency and Infrastructure
Canadian Data Residency
All customer data — including GRC records, audit evidence, risk registers, and policy documents — is stored exclusively in the AWS ca-central-1 region, located in Montreal. No customer data is replicated to regions outside Canada without explicit written consent.
This commitment addresses the data sovereignty requirements of federal and provincial regulators, as well as the expectations of public-sector and financial-services clients operating under Canadian jurisdiction.
Encryption at Rest and in Transit
All data stored by Sentrix is encrypted using AES-256. Data in transit between your browser and Sentrix infrastructure is protected by TLS 1.2 or higher, enforced at the load balancer. Database volumes, object storage, and backups are encrypted at the block level.
Encryption keys are managed through AWS Key Management Service with customer-controlled rotation schedules available on enterprise plans.
Access Controls and Authentication
Sentrix connects to your existing systems — including ticketing platforms, cloud providers, and identity directories — using read-only OAuth 2.0 tokens. The platform requests only the minimum scopes required to ingest evidence and never writes to source systems.
Administrative access to production infrastructure is gated by hardware security keys and time-limited session tokens. All privileged actions are logged to an immutable audit trail.
Availability and Backup
Sentrix targets 99.9 percent uptime on a rolling monthly basis. Automated daily backups are retained for 30 days and tested quarterly for recoverability. Incident history and scheduled maintenance notices are published to the Sentrix status page in real time.
Privacy and Regulatory Compliance
Canadian organizations face a layered privacy landscape. Federal requirements under PIPEDA set the floor for private-sector data handling, while provincial legislation — most significantly Québec's Law 25 — introduces stricter obligations around consent, breach reporting timelines, and the right to data portability. Sentrix is designed to help compliance teams meet both sets of requirements without managing separate tooling for each jurisdiction.
Data processing agreements are available for all customers and include explicit provisions for data localization, sub-processor disclosure, and breach notification. Sentrix maintains a current sub-processor list and notifies affected customers at least 30 days before adding new sub-processors.
Responsible Disclosure
Sentrix operates a responsible disclosure program for security researchers who identify vulnerabilities in the platform. Reports should be submitted to [email protected] with a clear description of the vulnerability, steps to reproduce, and potential impact. We commit to acknowledging receipt within two business days and providing a substantive response within ten.
We ask that researchers refrain from accessing, modifying, or exfiltrating customer data during testing, and that they allow Sentrix reasonable time to remediate before public disclosure. Researchers who report valid, in-scope vulnerabilities are recognized in our security acknowledgements unless they prefer to remain anonymous.
The Sentrix security team reviews all submissions and prioritizes remediation based on CVSS scoring. Critical and high findings are addressed within 72 hours of confirmation.