Built on real architecture, not marketing claims
Security & privacy.
Every measure below maps to actual code in our repository. We don't list a security control we don't enforce.
Encryption
- At rest
- AWS S3 with server-side encryption (SSE). Database storage encrypted at the volume level.
- In transit
- TLS 1.3 enforced at the HTTPS endpoint. HTTPS everywhere; Helmet middleware sets Strict-Transport-Security headers so browsers refuse to fall back to plaintext.
- Passwords
- Bcrypt with cost factor 10 (2^10 key-derivation rounds) and a per-password random salt (auth.service.ts:333). One-way hash; even ExpatReady staff can't recover a plaintext password.
- Refresh tokens
- SHA-256 hashed at rest with rotation on every refresh.
Authentication
- Login
- Email + password (bcrypt-verified), or OAuth sign-in with Google, Microsoft or Apple. Single sign-on supported.
- Tokens
- Short-lived JWT access tokens + signed refresh tokens. Both stored separately. Rotated on refresh.
- Sessions
- Session metadata persisted with IP address and user agent. Anomalous sessions can be revoked.
- Client portal
- Separate auth scope (ClientPortalSession) from staff. Hash-link expiration for SQR access.
Authorization
- RBAC
- Custom roles + permission groups. Every API endpoint guarded by JWT + permission decorators.
- Multi-tenancy
- Office-based data isolation. Users scoped to offices; cross-office access requires explicit permission.
- Designated Person
- CICC-licensed designated person workflow: every filing is stamped by the designated person, with their signature on file and the approval recorded.
- Plan-based defaults
- Subscription plans auto-provision default roles and permission groups on user creation.
Audit logging
- What's logged
- Every create, update, and delete on every entity. Action type, user identity, IP address, user agent, before/after state.
- Triggers
- Audit decorators on every controller method. Sensitive fields filtered via audit transformer.
- Immutability
- AuditLog is append-only. No update or delete API surface, even for admins.
- Export
- PDF export for CICC audits and litigation hold scenarios.
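The audit pipeline the list describes (before/after state, sensitive fields filtered by a transformer, append-only log) as a worked example. This is added code, not ExpatReady's audit decorator or transformer; the sensitive-key list, the entry shape and the in-memory log are assumptions.

```typescript
// Added example, not ExpatReady's audit transformer. The sensitive-key list is an
// assumption; the page only says such fields are filtered before an entry is written.
const SENSITIVE_KEYS = new Set(["password", "passwordHash", "refreshToken", "accessToken", "sin", "cardNumber"]);

// Recursively replace sensitive values so neither the before nor the after state leaks them.
export function redact(value: unknown): unknown {
  if (Array.isArray(value)) return value.map(redact);
  if (value !== null && typeof value === "object") {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      out[k] = SENSITIVE_KEYS.has(k) ? "[REDACTED]" : redact(v);
    }
    return out;
  }
  return value;
}

export interface AuditEntry {
  action: "create" | "update" | "delete";
  entity: string;
  entityId: string;
  userId: string;
  ip: string;
  userAgent: string;
  at: string;
  before: unknown;
  after: unknown;
  changedFields: string[];
}

type Actor = { userId: string; ip: string; userAgent: string };

// The diff is computed on the raw objects, so a password change still shows up in
// changedFields, but the stored before/after snapshots are the redacted copies.
export function buildAuditEntry(
  action: AuditEntry["action"],
  entity: string,
  entityId: string,
  actor: Actor,
  before: Record<string, unknown> | null,
  after: Record<string, unknown> | null,
  at: string = new Date().toISOString(),
): AuditEntry {
  const keys = new Set([...Object.keys(before ?? {}), ...Object.keys(after ?? {})]);
  const changedFields = [...keys].filter((k) => JSON.stringify(before?.[k]) !== JSON.stringify(after?.[k]));
  return { action, entity, entityId, ...actor, at, before: redact(before), after: redact(after), changedFields };
}

// Append-only: the only write operation is append. There is deliberately no update
// or delete method, matching the "no update or delete API surface" claim above.
export class AuditLog {
  private readonly entries: AuditEntry[] = [];
  append(entry: AuditEntry): number {
    this.entries.push({ ...entry });
    return this.entries.length;
  }
  list(): readonly AuditEntry[] {
    return this.entries.slice();
  }
}
```

Redacting after diffing is the detail worth copying: if the transformer ran first, a password rotation would compare "[REDACTED]" to "[REDACTED]" and vanish from the change list, which is exactly the event an auditor wants to see.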
Storage & data residency
- Region
- AWS Canada Central (ca-central-1), Montreal-region data residency.
- Buckets
- Per-firm S3 buckets with strict IAM policies. No public buckets, no cross-bucket leakage.
- Presigned URLs
- Document downloads use short-lived presigned URLs (15-minute expiry default).
- Versioning
- Document and form versioning preserves history; restore from any prior state.
Network & headers
- Helmet
- Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy enforced.
- CORS
- Strict origin allowlisting per environment.
- Rate limiting
- Per-IP throttling on auth endpoints to slow credential-stuffing attempts.
- Permissions Policy
- Camera, microphone, geolocation disabled by default.
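The per-IP throttle on auth endpoints, as a worked example that also covers the check most deployments get wrong: which address to throttle on. This is added code, not ExpatReady's middleware; the limit, window and trusted-proxy list are assumptions.

```typescript
// Added example, not ExpatReady's middleware. Sliding-window limiter keyed by client
// IP, plus the proxy-aware address extraction it depends on. Limits are assumed.
export class AuthRateLimiter {
  private readonly hits = new Map<string, number[]>();
  constructor(private readonly limit: number, private readonly windowMs: number) {}

  // Returns whether this attempt is allowed and, if not, how long the client must wait.
  check(ip: string, now: number = Date.now()): { allowed: boolean; retryAfterMs: number } {
    const recent = (this.hits.get(ip) ?? []).filter((t) => now - t < this.windowMs);
    if (recent.length >= this.limit) {
      this.hits.set(ip, recent);
      return { allowed: false, retryAfterMs: recent[0] + this.windowMs - now };
    }
    recent.push(now);
    this.hits.set(ip, recent);
    return { allowed: true, retryAfterMs: 0 };
  }

  // Drop idle entries so the map does not grow without bound under a wide scan.
  prune(now: number = Date.now()): void {
    for (const [ip, ts] of this.hits) {
      if (ts.every((t) => now - t >= this.windowMs)) this.hits.delete(ip);
    }
  }
}

// X-Forwarded-For is attacker-controlled unless the connection came from a proxy you
// run. Walk the header from the right, skipping trusted proxies; the first untrusted
// address is the client. Trusting the leftmost value lets a client evade a per-IP
// limit by rotating a header string.
export function clientIp(
  remoteAddr: string,
  xForwardedFor: string | undefined,
  trustedProxies: ReadonlySet<string>,
): string {
  if (!trustedProxies.has(remoteAddr) || !xForwardedFor) return remoteAddr;
  const hops = xForwardedFor.split(",").map((s) => s.trim()).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trustedProxies.has(hops[i])) return hops[i];
  }
  return remoteAddr;
}
```

Returning retryAfterMs lets the route emit a Retry-After header rather than a bare 429, and keying on the proxy-resolved address rather than the raw header is what makes the limit hold against credential stuffing from a client that sets its own X-Forwarded-For.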
Payments (Stripe)
- PCI scope
- Card data never touches ExpatReady servers. Stripe Elements + Stripe Checkout handle PAN.
- Webhook security
- All Stripe webhooks verified via stripe.webhooks.constructEvent() with the endpoint signing secret. The webhook route receives the raw request body rather than a re-parsed JSON object, so the signature is checked over the exact bytes Stripe signed and any modified body fails verification.
- Secrets
- Stripe secret keys and webhook secrets stored as environment variables with restricted access.
- Reconciliation
- Payment status is updated only from verified Stripe webhooks; a client-side claim that payment succeeded is never trusted.
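What constructEvent() checks, written out with node:crypto so the raw-body requirement is visible. This is an added example, not ExpatReady's handler and not the stripe package itself; the endpoint secret and the event body are constructed fixtures.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Added example, not ExpatReady's code. Stripe sends a Stripe-Signature header of the
// form "t=<unix seconds>,v1=<hex hmac>" where the HMAC-SHA256 is taken over
// "<t>.<raw body bytes>" with the endpoint secret.
const TOLERANCE_SECONDS = 300; // Stripe's default replay window

export function parseStripeSignature(header: string): { t: number; v1: string[] } {
  const parsed = { t: NaN, v1: [] as string[] };
  for (const part of header.split(",")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const key = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (key === "t") parsed.t = Number(value);
    else if (key === "v1") parsed.v1.push(value);
  }
  return parsed;
}

export function verifyStripeWebhook(
  rawBody: Buffer | string,
  header: string,
  secret: string,
  nowSeconds: number,
  toleranceSeconds: number = TOLERANCE_SECONDS,
): boolean {
  const { t, v1 } = parseStripeSignature(header);
  if (!Number.isFinite(t) || v1.length === 0) return false;
  if (Math.abs(nowSeconds - t) > toleranceSeconds) return false; // stale or replayed
  const body = Buffer.isBuffer(rawBody) ? rawBody : Buffer.from(rawBody, "utf8");
  const expected = createHmac("sha256", secret)
    .update(Buffer.concat([Buffer.from(`${t}.`, "utf8"), body]))
    .digest();
  // Several v1 signatures may be present during secret rotation; any valid one suffices.
  return v1.some((hex) => {
    const candidate = Buffer.from(hex, "hex");
    return candidate.length === expected.length && timingSafeEqual(candidate, expected);
  });
}

// Produces the header Stripe would send; used here only to build fixtures.
export function signStripePayload(rawBody: string, secret: string, t: number): string {
  const sig = createHmac("sha256", secret).update(`${t}.${rawBody}`).digest("hex");
  return `t=${t},v1=${sig}`;
}

// Constructed fixture. The spaces after ":" and "," matter: a JSON.parse/JSON.stringify
// round trip removes them, changing the bytes and therefore the signature.
export const SAMPLE_SECRET = "whsec_example_not_a_real_secret";
export const SAMPLE_RAW_BODY =
  '{"id": "evt_example", "type": "payment_intent.succeeded", "data": {"object": {"amount": 19900}}}';
```

This is why the webhook route must be registered with a raw-body parser ahead of the JSON body parser: the handler needs the original bytes, and a body that has been parsed and re-serialised, however semantically identical, will not verify.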
Privacy & compliance
- PIPEDA
- Aligned with Canadian privacy law. PII access logged. Data minimisation by design.
- GDPR
- Subject access requests, right to erasure (where legally permitted), data portability via export.
- CICC
- Designed for the CICC Code of Professional Conduct's record-keeping and supervision requirements.
- Subprocessors
- Public list of subprocessors (AWS, Stripe, Postmark, Twilio) at /legal/subprocessors.
Operations
- Backups
- Daily encrypted snapshots. 30-day retention. Point-in-time recovery for the SQL database.
- Monitoring
- Real-time error tracking, performance monitoring, and uptime alerting via Vercel + Sentry.
- Disaster recovery
- Multi-AZ database deployment. RPO of 5 minutes and RTO of 1 hour for catastrophic failure.
- Vendor security
- Annual review of all subprocessors. SOC 2 evidence requested from critical vendors.
Have specific security questions?
We share architecture diagrams, threat models, subprocessor lists, and pentest evidence under NDA. Reply to your demo email or write to security@expatready.com.
One platform · replaces 9 tools
The operating system Canadian immigration practice deserves.
From $199 CAD/seat (annual). Unlimited cases. Unlimited client-portal users. No per-form or per-case fees. White-glove migration included with Practice tier and above.