Security Policy

1. Overview

At Boréal Tech Solutions, Inc. (Boreal.AI), security is not an afterthought — it is a foundational principle embedded in every layer of our platform. We adopt a defense-in-depth approach to protect your data, models, and infrastructure.

This policy describes the technical and organizational measures we implement to ensure the confidentiality, integrity, and availability of our services.

2. Infrastructure Security

Our infrastructure is built on leading cloud service providers that are SOC 2 certified, offering high availability and resilience guarantees.

• Multi-region architecture — Our services are deployed across multiple geographic regions to ensure redundancy and minimize latency.
• SOC 2 certified hosting — Our infrastructure providers (AWS, Vercel) are independently audited and SOC 2 Type II certified.
• Network isolation — Our production environments are isolated within virtual private clouds (VPCs) with strict firewall rules and network segmentation.
• DDoS protection — Distributed denial-of-service protection mechanisms are active at all times across our entire infrastructure.

3. Encryption

Encryption is applied end-to-end to ensure your data is protected both at rest and in transit.

• Data at rest — All stored data is encrypted using AES-256, the industry standard for symmetric encryption.
• Data in transit — All communications are encrypted via TLS 1.3, ensuring confidentiality of exchanges between your browser and our servers.
• Key management — Encryption keys are managed using Hardware Security Modules (HSM), with automatic rotation and strict access controls.

4. Access Controls

We apply the principle of least privilege at all levels of our organization and infrastructure to limit data exposure.

• Multi-factor authentication (MFA) — MFA is mandatory for all employees and internal systems. It is also available and recommended for all platform users.
• Role-based access control (RBAC) — Permissions are assigned based on roles and responsibilities. Each employee only has access to the resources strictly necessary for their duties.
• Audit logging — All privileged actions and access to sensitive data are recorded in immutable audit logs, which are retained and continuously analyzed.
• Access reviews — Access rights are periodically reviewed and automatically revoked when an employee changes roles or leaves the company.

5. Compliance & Certifications

We are committed to meeting the most demanding security and privacy standards applicable to our industry sectors.

• SOC 2 Type II — Independent audit covering security, availability, processing integrity, confidentiality, and privacy controls.
• ISO 27001 — Information Security Management System (ISMS) certified under the international ISO/IEC 27001 standard.
• GDPR (General Data Protection Regulation) — Full compliance with the European data protection regulation, including the right to erasure, portability, and transparency.
• Quebec’s Law 25 — Compliance with Quebec’s Act to modernize legislative provisions as regards the protection of personal information, including the appointment of a privacy officer and the conduct of privacy impact assessments.
• HDS (Health Data Hosting) — For healthcare clients in France, we are able to host data on HDS-certified infrastructure.

6. Incident Response

We maintain a robust and tested incident response plan to react quickly and effectively to any security threat.

• 24/7 monitoring — Our security team monitors the infrastructure around the clock using intrusion detection systems (IDS), SIEM, and automated alerts.
• Response plan — Our incident response plan covers identification, containment, eradication, recovery, and post-incident analysis. It is regularly tested and updated.
• 72-hour notification — In accordance with GDPR and Law 25, we commit to notifying the relevant authorities and affected individuals within 72 hours of discovering a data breach that is likely to present a risk.

7. Data Residency

We understand that data location is critical for regulatory compliance. That is why we offer full control over the geographic residency of your data.

• Canada — AWS ca-central-1 region (Montreal). Compliant with Canadian data sovereignty requirements, Law 25, and PIPEDA.
• France — OVH and Scaleway infrastructure (Paris, Strasbourg). GDPR compliant and suitable for HDS requirements for health data.
• Location guarantee — Your data stays in the jurisdiction you have chosen. No transfer outside that jurisdiction is made without your explicit consent.

8. Vulnerability Management

We maintain a proactive vulnerability management program to identify and remediate security flaws before they can be exploited.

• Regular penetration testing — Penetration tests are conducted regularly by independent security firms. Results are analyzed and recommendations are promptly implemented.
• Responsible disclosure program — We encourage security researchers to report vulnerabilities responsibly. Reports can be sent to [email protected].
• Bug bounty program — We offer rewards to researchers who identify and report valid vulnerabilities. Details of our program are available upon request.
• Automated scanning — Automated vulnerability scans are continuously run across our entire codebase and infrastructure.

9. Contact

If you have questions about our security policy, wish to report a vulnerability, or need additional information about our security practices, please contact us:

Bor\u00e9al Tech Solutions, Inc.
Security: [email protected]
General: [email protected]
Website: borealtech.solutions