Security

Practices an Excel file will never offer

A shared spreadsheet on OneDrive works until it doesn’t. Heuro applies the security standards your institutional clients already expect.

Encryption: AES-256

Transit: TLS 1.3

Hosting: Canada

Audit: SOC 2 in progress

AES-256 at rest

All data — hours, payroll, personal information — encrypted at rest with AES-256 on managed infrastructure (Supabase on AWS).

TLS 1.3 in transit

Every request between your browser, our servers, and dependencies runs over TLS 1.3. HSTS on, certificates auto-renewed.

SOC 2 Type II (in progress)

We are in-flight on SOC 2 Type II with an independent auditor. Report available under NDA once issued.

Law 25 compliant

Privacy officer appointed, processing register, explicit consent, breach notification. See our dedicated page.

Canadian hosting

Storage in Canadian regions (Montréal / Toronto). No transfer outside Canada without prior assessment and contractual safeguards.

Granular access control

Role-based access, per-site permissions, SSO on Company and Custom plans. MFA required for administrators.

Encrypted backups

Daily encrypted backups, retained 30 days. Continuous point-in-time recovery for at least 7 days.

Responsible disclosure

Security researchers: send reports to security@heuro.ca. We confirm receipt within 48h and remediate by severity.

Quick comparison

| Control | Heuro | Excel spreadsheet |
| --- | --- | --- |
| Encryption at rest | AES-256 | None (unless local BitLocker) |
| Encryption in transit | TLS 1.3 | Depends on sharing method |
| Granular access control | Per role, per site | Whole file or nothing |
| Audit trail | Every change, timestamped | OneDrive version history |
| Automated backups | Daily + 7-day PITR | Manual |
| Law 25 compliance | Documented | You produce it yourself |
| Breach notification | <72h, automated | Unstructured |

Need the technical details?

For enterprise clients, we provide: pre-filled security questionnaire, architecture diagram, annual pentest report, and SOC 2 report (once issued) under NDA.