Security & Trust

Last updated: May 29, 2024 · Talcura Technologies Inc. — Pursuitly

Security at Pursuitly is built in, not bolted on. From Canadian data residency to AES-256 encryption and role-based access controls, every layer of the Pursuitly platform is designed to protect the sensitive HR data your organisation trusts us with.

Our Security at a Glance

  • Canadian Data Residency: All data stored on Microsoft Azure Canada servers. Your data never leaves Canadian jurisdiction. (Default — not an add-on)
  • Encryption In Transit & At Rest: TLS 1.3 for all data in transit. AES-256 encryption for all data at rest. Bank-grade protection across every layer. (Always active)
  • Role-Based Access Control: Granular permissions ensure users see only what they need. Full audit trail of every access event. (All plans)
  • Single Sign-On (SSO): SAML 2.0 and OAuth 2.0 SSO support for enterprise identity providers including Okta, Azure AD, and Google Workspace. (Enterprise plan)
  • Full Audit Logs: Every action — login, configuration change, data access, export — is logged with timestamp and user attribution. (All plans)
  • 99.9% Uptime SLA: SLA-backed uptime guarantee with scheduled maintenance windows communicated in advance. Automatic updates without downtime. (Enterprise plan)

Infrastructure Security

Microsoft Azure Canada

Pursuitly runs exclusively on Microsoft Azure — Canada Central region (Toronto). Azure is one of the world's most secure cloud platforms, holding over 90 compliance certifications including ISO 27001, SOC 1/2/3, and FedRAMP. All Pursuitly data — including backups — is stored within Canadian borders.

Network Security

  • All traffic between clients and Pursuitly servers is encrypted using TLS 1.3 (minimum TLS 1.2)
  • Web Application Firewall (WAF) protects against OWASP Top 10 vulnerabilities including SQL injection and cross-site scripting
  • DDoS protection provided at the infrastructure level via Azure DDoS Standard
  • Network segmentation isolates production, staging, and development environments
  • IP restriction controls available for enterprise accounts

Data Encryption

  • In transit: TLS 1.3 on all connections; certificate management via Azure
  • At rest: AES-256 encryption on all stored data, including backups and logs
  • Key management: Encryption keys managed via Azure Key Vault with access controls and rotation policies

Application Security

Secure Development

Security is integrated into our software development lifecycle (SDLC). Our engineering team follows OWASP secure coding guidelines and conducts:

  • Static application security testing (SAST) on every code commit
  • Dependency vulnerability scanning and automated patching
  • Regular penetration testing by independent security firms
  • Code review requirements for all production changes

Authentication

  • Bcrypt password hashing with per-user salt
  • Multi-factor authentication (MFA) available on all accounts, enforced by policy on Enterprise plans
  • Brute-force protection with account lockout and rate limiting
  • Session tokens invalidated on logout and expire after configurable inactivity periods
  • SSO via SAML 2.0 and OAuth 2.0 (Enterprise plan)

Access Controls

  • Role-based access control (RBAC) with fine-grained permission management
  • Principle of least privilege applied throughout — users access only what their role requires
  • Talcura staff cannot access customer data without explicit customer authorisation, except as required for security incident response
  • All internal access to production data is logged and reviewed

Data Backup & Recovery

  • Automated daily backups of all customer data, retained for 30 days
  • Backups are encrypted with AES-256 and stored in a separate Azure Canada region (geo-redundancy)
  • Point-in-time recovery available for database restoration
  • Disaster recovery plan with a Recovery Time Objective (RTO) of under 4 hours and Recovery Point Objective (RPO) of under 1 hour
  • Regular restoration testing to validate backup integrity

Compliance & Certifications

  • PIPEDA: Fully compliant with Canada's federal private-sector privacy law. See our PIPEDA compliance page.
  • GDPR: Supports GDPR rights for EEA users. Data Processing Agreements available. See our GDPR page.
  • Microsoft Azure compliance: Our infrastructure inherits Azure's compliance certifications including ISO 27001, SOC 2 Type II, CSA STAR, and PIPEDA.
  • Canadian data residency: All data stored in Canada, satisfying government-funder and healthcare data residency requirements.

We provide security questionnaire responses, vendor compliance documentation, and Data Processing Agreements within two business days of request.

Incident Response

Talcura maintains a documented security incident response plan covering detection, containment, investigation, notification, and post-incident review. In the event of a security incident affecting customer data:

  • Affected customers will be notified within 24 hours of confirmed incident discovery
  • Notification will include the nature of the incident, data affected, and steps we are taking
  • We fulfil all PIPEDA breach notification obligations to the Office of the Privacy Commissioner of Canada
  • We provide ongoing updates until the incident is fully resolved

To report a suspected security vulnerability, contact our security team at security@pursuitly.com. We respond to all security reports within 24 hours and treat responsible disclosure with respect and confidentiality.

Employee & Vendor Security

  • All Talcura employees complete privacy and security training upon hire and annually thereafter
  • Background checks conducted for all employees with access to production systems
  • Third-party vendors are vetted for security practices and bound by data processing agreements
  • Vendor access is logged, monitored, and limited to the minimum necessary
  • Vendor list reviewed and updated annually

For Procurement & Security Teams

We understand that enterprise and government procurement processes require thorough vendor security reviews. Our security team responds to the following within two business days:

  • Security questionnaires (CAIQ, SIG, VSA, or custom)
  • Data Processing Agreements (DPA)
  • Privacy Impact Assessment support documentation
  • Canadian data residency confirmation letters
  • Penetration testing summary reports (NDA required)
  • Sub-processor lists

Send procurement requests to security@pursuitly.com with your organisation name and the document required. We respond within two business days.

Security questions or procurement reviews?

Our security team responds within one business day.

© 2024 Talcura Technologies Inc. · Markham, Ontario, Canada