Security & Compliance

Folio AI is built for Canadian firms handling sensitive financial data on behalf of their clients. Encryption, residency, isolation, and audit are first-class features — not bolted on.

Encryption & isolation

  • AES-256 at rest via AWS KMS for RDS and S3. Per-firm CMK on the Business and Enterprise plans.
  • TLS 1.3 in transit. sslmode=require enforced on every Postgres connection.
  • Postgres Row-Level Security policies isolate every tenant on the shared cluster.
  • PII redaction (SIN, PAN, bank account numbers) before any AI provider call.
  • JWT auth with server-side token revocation; 60-minute access tokens.
  • RBAC enforced at every API route — firm admin, reviewer, client uploader.

Data residency

  • Primary region: AWS ca-central-1 (Montréal).
  • Cross-region backup: ca-west-1 (Calgary). 35-day point-in-time recovery on RDS.
  • strict_canada mode: AI inference routed to Azure Canada East, Vertex Montréal, or on-prem Ollama.
  • Quarterly cross-region restore drills with documented RTO/RPO.
  • Bilingual UI and exports (fr-CA / en-CA) per Quebec Bill 96.

Audit & retention

  • Append-only, hash-chained tamper-evident audit log. 7-year retention by default.
  • S3 Object Lock WORM on all original document files.
  • CRA 6-year retention enforced; configurable up to 10 years.
  • 30-day advance notice before any data purge.
  • 72-hour breach notification per PIPEDA s.10.1.
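As an added example (illustrative code written for this page, not Folio AI's implementation), the following shows how an append-only, hash-chained log makes in-place edits detectable: each entry commits to the SHA-256 of its predecessor, so changing any record breaks every link after it. The actors, documents and events are constructed sample data.

```python
import hashlib
import json
from typing import Any, Dict, List

GENESIS = "0" * 64  # constructed sentinel used as the first entry's previous hash


def _entry_hash(prev_hash: str, record: Dict[str, Any]) -> str:
    # Canonical JSON (sorted keys, no whitespace) so an identical record always hashes identically.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(prev_hash.encode("ascii") + payload).hexdigest()


class AuditLog:
    """Append-only list where each entry's hash covers its own record and the previous hash."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, Any]] = []

    def append(self, record: Dict[str, Any]) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        h = _entry_hash(prev, record)
        self.entries.append({"seq": len(self.entries), "prev_hash": prev, "record": record, "hash": h})
        return h

    def verify(self) -> int:
        """Return -1 if the chain is intact, otherwise the seq of the first entry that fails.

        Catches edited records and broken links. Silent removal of the newest entries is only
        detectable if the latest hash is also anchored outside the log (e.g. in WORM storage).
        """
        prev = GENESIS
        for e in self.entries:
            if e["prev_hash"] != prev or _entry_hash(prev, e["record"]) != e["hash"]:
                return e["seq"]
            prev = e["hash"]
        return -1


def demo() -> tuple:
    """Build a three-entry log (constructed events), then edit one record in place."""
    log = AuditLog()
    log.append({"actor": "reviewer@example-firm.ca", "action": "view", "doc": "T4-2024.pdf"})
    log.append({"actor": "admin@example-firm.ca", "action": "export", "doc": "T4-2024.pdf"})
    log.append({"actor": "admin@example-firm.ca", "action": "purge_notice", "days": 30})
    before = log.verify()                       # -1: chain intact
    log.entries[1]["record"]["action"] = "view"  # retroactively "downgrade" the export event
    return before, log.verify()                  # verify() now reports seq 1
```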

Compliance coverage: PIPEDA · Quebec Law 25 · Bill 96 (bilingual) · CRA retention · SOC 2 Type II (Q1 2027) · Annual pen-test

Reporting a vulnerability

Email security@folioai.ca with your finding. We acknowledge within 1 business day and provide a remediation timeline within 5 business days. Please allow 90 days to remediate before public disclosure.

Need our DPA, sub-processor list, or security questionnaire response?