Security posture

MFA, audit trails, and isolation — built in, not bolted on.

Complyant's security posture is part of the product surface, not behind a support ticket. Every control here is enforced at the query layer or in the auth flow — visible to the broker of record from day one.

Regulatory frameworks

The rules Complyant is designed against.

- FIN: FINTRAC reporting workflows (Native)
- REC: RECO inspection trail (Native)
- REB: REBBA / TRESA 2023 disclosure (Native)
- PIP: PIPEDA consent + retention (Native)

Authentication

Multi-factor authentication is the default on every action that touches a regulated record. Sessions are recorded with full context, so the broker of record can audit who acted on what.

| Domain | Control | Detail | Status |
| --- | --- | --- | --- |
| Authentication | MFA on every sensitive broker action | Approvals, trust operations, role changes, and admin controls require multi-factor authentication. No exceptions, no workarounds, no toggle. | Live |
| Authentication | Per-actor session ledger | Every AUTH SESSION and LOGIN SUCCESS is recorded with IP context. The broker of record can audit who acted on what file, when. | Live |

Data residency + isolation

Each brokerage's records are isolated at the database layer. Application data is hosted in Canadian regions. Sub-processors are listed and notified ahead of changes.

| Domain | Control | Detail | Status |
| --- | --- | --- | --- |
| Data residency | Brokerage data isolation | Each brokerage's records are isolated. Role-based access policies are enforced at the query layer — not in application code that can be bypassed. | Live |
| Data residency | Canadian data hosting | Application data is hosted in Canadian regions on infrastructure compliant with Canadian privacy expectations. Sub-processors are listed and notified. | Live |

Privacy + PIPEDA alignment

Client consent is captured per category at point of collection. Retention timers and access requests are wired into the broker's existing workflows — not bolted on later.

| Domain | Control | Detail | Status |
| --- | --- | --- | --- |
| Privacy | PIPEDA-aligned consent capture | Client consent is captured per data category at point of collection. Retention timers and access-request workflows are built in for the broker of record. | Live |
| Privacy | Data deletion + portability | Client data deletion requests are tracked from intake to acknowledgement. Brokerage data is exportable in a portable format on request. | Beta |

Auditability

Logins, approvals, workflow changes, and system events land in one append-only ledger. The export your team produces is the same record format regulators ask for.

| Domain | Control | Detail | Status |
| --- | --- | --- | --- |
| Auditability | Append-only audit trail | Logins, approvals, workflow changes, deliveries, and system events land in one append-only ledger. Records cannot be altered after the fact. | Live |
| Auditability | Compliance-grade export | Audit views export in formats that match the structure regulators ask for. The view your team works in is the same view you hand over. | Beta |

If your brokerage runs a security review before adopting software, this is the document.

Tell us what your internal security or compliance team needs to see and we'll send the relevant policies, sub-processor list, and architecture summary ahead of any conversation.

Request a rollout slot

Tell us your brokerage shape on the next screen. No sales sequence — one reply from a human within two business days, or nothing at all.
