Security & Trust
Enterprise-grade security, Canadian data residency, and an audit trail on every action — purpose-built for sensitive labour relations records.
Your data stays in Canada. Read our privacy policy and the current sub-processor list.
Built by the editor of Canadian Labour Arbitration (Brown & Beatty) — the reference text Canadian arbitrators cite.
Built for Sensitive Records
Data Protection & Residency
- Canadian cloud regions: Customer data (grievances, evidence, agreements, and audit records) is hosted in Canadian cloud regions
- Encryption at rest: Data stored on disk is encrypted at rest by the underlying cloud provider
- Encryption in transit: All traffic between the browser and the service is TLS-encrypted end to end
- PIPEDA-aligned handling: Data handling practices are designed against PIPEDA principles for Canadian personal information
- Sub-processor transparency: The list of sub-processors is published and kept current; see /privacy/sub-processors
- Backups and recovery: Routine backups and a documented recovery process for the application and its data
Access & Governance
- Google Workspace SSO: Sign in with your existing Google Workspace identity provider, with access centrally managed and revoked
- Role-based access: Permissions scoped by organisation, bargaining unit, and role — every query isolated to the authenticated organisation
- Immutable audit trails: Every grievance event, sign-in, and administrative action recorded with timestamp and actor
- Rate-limited APIs: Public API endpoints are rate-limited to protect against abuse and brute-force attempts
- Incident response: A documented incident response process with notification obligations to affected organisations
- Least privilege: Internal access to production data is restricted to the smallest set of people required to operate the service
Talk to Us About Your Requirements
We'll walk you through the security posture, data handling, and how Sertus fits your organisation's policies.
Last updated: April 2026