Security & Compliance Summary
Bridgit (askbridgit.ca) is an AI-powered GRC and compliance platform based in Ottawa, Ontario, Canada.
Data Residency
All production data is stored exclusively in Canadian cloud infrastructure (Google Cloud Platform, Montreal region). No data is stored in US or non-Canadian data centers. The platform is hosted in Ottawa, Ontario, Canada.
Encryption
Encryption at rest: AES-256 encryption for all stored data (Google-managed encryption keys). Application-level AES-256-GCM encryption for sensitive credentials (OAuth tokens, API keys).
Encryption in transit: TLS 1.2 or higher enforced on all endpoints. TLS 1.0 and TLS 1.1 are disabled. HTTPS required for all production traffic. See Information Security Policy for details.
Authentication & Access Control
Multi-factor authentication (TOTP) is available for all users, with an enforcement option for administrator roles. Progressive account lockout after failed login attempts. Role-based access control with four organizational roles. See Access Control Policy for details.
Backup & Disaster Recovery
Automated daily backups with tested recovery procedures. Defined Recovery Time and Recovery Point Objectives. See Data Retention Policy for details.
Compliance & Certification Status
Designed to comply with PIPEDA (Canada) and GDPR (EU). Policies and controls are designed to align with ISO 27001 and SOC 2 Trust Services Criteria. References to ISO 27001 controls (e.g., A.8.15) and SOC 2 criteria (e.g., CC6.5) in our policies indicate alignment with those specific controls, not certification.
Certification status: Bridgit is NOT currently certified under ISO 27001 or SOC 2 Type II. No HIPAA or PHIPA certification is held. See Information Security Policy for full compliance framework details.
Incident Response
Published incident response policy with defined severity levels (P1-P4), containment procedures, and regulatory notification timelines (GDPR 72-hour, PIPEDA as-soon-as-feasible). See Incident Response Policy.
Sub-Processors & Vendor Management
Complete sub-processor list with locations and Data Processing Agreement status is documented in the Vendor Management Policy.
Data Protection Officer
Matthew Bromwich — mbromwich@askbridgit.ca
Published Policies
- Access Control Policy
- Data Protection Consent Policy
- Data Retention Policy
- Incident Response Policy
- Information Security Policy
- Monitoring Operations Policy
- Privacy Policy
- Risk Assessment Policy
- Terms Of Service
- Vendor Management Policy
General inquiries: info@askbridgit.ca | Security reports: security@askbridgit.ca