Security

Practices an Excel file will never offer

A shared spreadsheet on OneDrive works until it doesn’t. Heuro applies the security standards your institutional clients already expect.

AES-256

Encryption

TLS 1.2+

Transit

Canada

Hosting

SOC 2 in progress

Audit

AES-256 at rest

All data — hours, payroll, personal information — encrypted at rest with AES-256 on managed infrastructure (Supabase on AWS).

TLS 1.2+ with HSTS preload

Every request between your browser, our servers, and dependencies runs over TLS 1.2+. Our domain is on the HSTS preload list; certificates auto-renewed.

SOC 2 Type II (in progress)

We are in-flight on SOC 2 Type II with an independent auditor. Report available under NDA once issued.

Law 25 compliant

Privacy officer appointed, processing register, explicit consent, breach notification. See our dedicated page.

Canadian hosting

Storage in Canadian regions (Montréal / Toronto). No transfer outside Canada without prior assessment and contractual safeguards.

Granular access control

Role-based access (Owner / Foreman / Worker), per-project scoping, Row-Level Security. Sign in with Google or Microsoft. Passkey MFA available.

Encrypted backups

Daily encrypted backups, retained 30 days. Continuous point-in-time recovery for at least 7 days.

Responsible disclosure

Security researchers: send reports to security@heuro.ca. We confirm receipt within 48h and remediate by severity.

Quick comparison

ControlHeuroExcel spreadsheet
Encryption at restAES-256None (unless local BitLocker)
Encryption in transitTLS 1.2+ with HSTS preloadDepends on sharing method
Granular access controlPer role, per siteWhole file or nothing
Audit trailEvery change, timestampedOneDrive version history
Automated backupsDaily + 7-day PITRManual
Law 25 complianceDocumentedYou produce it yourself
Breach notification<72h, automatedUnstructured

Need the technical details?

For enterprise clients, we provide: pre-filled security questionnaire, architecture diagram, annual pentest report, and SOC 2 report (once issued) under NDA.