Security
Practices an Excel file will never offer
A shared spreadsheet on OneDrive works until it doesn’t. Heuro applies the security standards your institutional clients already expect.
| Encryption | Transit | Hosting | Audit |
|---|---|---|---|
| AES-256 | TLS 1.3 | Canada | SOC 2 in progress |
AES-256 at rest
All data — hours, payroll, personal information — encrypted at rest with AES-256 on managed infrastructure (Supabase on AWS).
TLS 1.3 in transit
Every request between your browser, our servers, and dependencies runs over TLS 1.3. HSTS on, certificates auto-renewed.
SOC 2 Type II (in progress)
Our SOC 2 Type II audit is in progress with an independent auditor. The report will be available under NDA once issued.
Law 25 compliant
Privacy officer appointed, processing register, explicit consent, breach notification. See our dedicated page.
Canadian hosting
Storage in Canadian regions (Montréal / Toronto). No transfer outside Canada without prior assessment and contractual safeguards.
Granular access control
Role-based access, per-site permissions, SSO on Company and Custom plans. MFA required for administrators.
Encrypted backups
Daily encrypted backups, retained 30 days. Continuous point-in-time recovery for at least 7 days.
Responsible disclosure
Security researchers: send reports to security@heuro.ca. We confirm receipt within 48h and remediate by severity.
Quick comparison
| Control | Heuro | Excel spreadsheet |
|---|---|---|
| Encryption at rest | AES-256 | None (unless local BitLocker) |
| Encryption in transit | TLS 1.3 | Depends on sharing method |
| Granular access control | Per role, per site | Whole file or nothing |
| Audit trail | Every change, timestamped | OneDrive version history |
| Automated backups | Daily + 7-day PITR | Manual |
| Law 25 compliance | Documented | You produce it yourself |
| Breach notification | <72h, automated | Unstructured |
Need the technical details?
For enterprise clients, we provide a pre-filled security questionnaire, an architecture diagram, an annual pentest report, and the SOC 2 report (once issued) under NDA.