Our Commitment to Security & Transparency
We hold ourselves to the same standards we set for our clients. This page documents our certifications, data practices, third-party audits, and live performance data.
Security Certifications
We pursue and maintain recognized third-party certifications across security, privacy, and compliance frameworks.
SOC 2 Type II
Annual audit by independent third party. Controls verified across security, availability, processing integrity, confidentiality, and privacy.
ISO 27001
Information security management system certification — international gold standard.
PCI DSS Level 1
Highest level of payment card industry compliance for service providers.
HIPAA
Full compliance with Health Insurance Portability and Accountability Act for healthcare clients.
Privacy & Data Handling
We believe trust is built through radical transparency about how client data is handled, stored, and protected.
Canadian Data Residency
Canadian client data stays in Canada. Primary data centres are located in Vancouver and Toronto, operated within Canadian jurisdiction.
Retention Policies
Log data retained for 12 months by default. Backup data retained per client SLA. All retention policies are documented and client-configurable.
Right to Erasure
We honour all PIPEDA and GDPR erasure requests within 30 days. Submit requests to privacy@zerodayit.ca.
Encryption at Rest & Transit
AES-256 encryption at rest. TLS 1.3 enforced for all data in transit. Zero-knowledge architecture where applicable.
Penetration Testing
We eat our own cooking. All client-facing infrastructure undergoes annual third-party penetration testing by accredited external firms with no advance notice to our engineering teams. Results are reviewed by our security committee and remediation timelines are tracked to closure. Clients may request a redacted executive summary of the most recent assessment.
Subprocessors
A complete list of third-party services that may process client data on our behalf.
| Name | Purpose | Data Type | Location |
|---|---|---|---|
| Amazon Web Services | Infrastructure hosting | System logs, telemetry | Canada / US |
| Microsoft Azure | Backup & disaster recovery | Encrypted backups | Canada |
| Mailtrap | Transactional email | Contact form data | EU |
Last updated: March 2025. We notify clients 30 days before adding new subprocessors.
Responsible Disclosure
If you discover a security vulnerability in our systems or services, we want to hear from you. We are committed to working with security researchers and responding within 48 hours.
SLA Performance
LIVE: Real-time service delivery metrics. We publish these publicly because transparency builds trust.