Trust & Security

Security at Setosys

How we protect your data, infrastructure, and client systems — and what we expect from ourselves.

Infrastructure

Data residency and hosting

Primary hosting
DigitalOcean Toronto (Canada)
All primary data stored in Canada, subject to PIPEDA
Encryption in transit
TLS 1.2+ enforced
All connections encrypted. HTTP redirected to HTTPS
Encryption at rest
AES-256
Databases and volumes encrypted at rest

Client project data processed during engagements is stored on isolated infrastructure. We do not share client data between engagements. Data is retained only for the period required to complete the engagement plus any agreed maintenance window.

Access Controls

Least privilege by default

Access to client systems and data is granted only to team members actively working on that engagement
Credentials and secrets are stored in environment-isolated vaults, never in source code or version control
All production deployments use separate credentials from development environments
Access is revoked immediately upon engagement completion or personnel change
SSH access to production servers is key-based only. Password authentication is disabled
Development Practices

Secure by design

Code review

All production code is reviewed before merge. Security considerations are explicitly checked for authentication, input validation, and data exposure.

Dependency management

Third-party dependencies are reviewed for known vulnerabilities. We avoid unnecessary dependencies and pin versions in production environments.

Environment separation

Development, staging, and production environments are fully isolated with separate credentials, databases, and access controls.

Secret management

No credentials, API keys, or sensitive configuration is stored in source control. Secrets are injected at runtime via environment variables or vault services.

Responsible Disclosure

Found a vulnerability?

If you believe you have found a security vulnerability in our systems or in software we have delivered, please report it to us privately before public disclosure. We commit to acknowledging your report within 48 hours and working with you on a remediation timeline.

security@setosys.com →
Compliance

Current standing and roadmap

PIPEDA (Canada)
Primary privacy framework for all Canadian operations
✓ Compliant
GDPR (EU)
Standard Contractual Clauses for EU data transfers
✓ Compliant
HTTPS / TLS 1.2+
All properties enforce encrypted connections
✓ Compliant
SOC 2 Type II
Target: 2026 — audit trail being established now
Planned
ISO 27001
Target: 2026 alongside SOC 2
Planned
HIPAA (for healthcare clients)
BAAs available for US healthcare client engagements
Per engagement

Questions about our security posture?

Contact us →