Security · our own posture
How we secure our own house
We sell cybersecurity, so our own site should hold to the standard we advise. Here, without the jargon, is how it’s built — and where to report a problem.
How it’s built
What we apply on this site
- A strict Content Security Policy. Every page gets a fresh per-request nonce, so a script only runs if we served it — no injected inline script can execute.
- No tracking, no third-party analytics. No advertising cookies, no ad networks, no tracking pixels. See our privacy page.
- The self-checks stay on your device. Our self-checks (Law 25, SOC 2, NIST, cyber-insurance) run entirely in your browser — your answers are never saved or sent.
- HTTPS everywhere, with HSTS. All traffic is encrypted, with a one-year browser-enforced HTTPS policy (HSTS, including subdomains).
- Hosted in Canada. The site and our clients’ data live in Canadian cloud regions, under Canadian privacy law. See Canadian data sovereignty.
- One piece of third-party code. The only external resource is Cloudflare’s bot challenge on the contact form — pinned to a single host in our security policy.
- Locked-down browser permissions. Camera, microphone, location and the ad-tracking APIs (Topics, FLoC) are all denied by header — the site needs none of them.
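An added example, not this site's own code: a header audit for the controls listed above (per-request nonce, a single external script host, one-year HSTS with subdomains, denied browser permissions), run against constructed response headers. The nonce values, the `bot-challenge.example` host, the sample headers and the function names are assumptions made for illustration.

```python
import re

ONE_YEAR = 31536000  # seconds; the page states a one-year HSTS policy
DENIED = ("camera", "microphone", "geolocation", "browsing-topics", "interest-cohort")

def csp_directives(csp):
    """Parse a CSP header into {directive: [sources]}; the first occurrence wins."""
    out = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            out.setdefault(tokens[0].lower(), tokens[1:])
    return out

def script_nonce(headers):
    """Return the nonce that governs scripts, or None if there is none."""
    d = csp_directives(headers.get("content-security-policy", ""))
    for src in d.get("script-src", d.get("default-src", [])):
        m = re.fullmatch(r"'nonce-([A-Za-z0-9+/_-]+={0,2})'", src)
        if m:
            return m.group(1)
    return None

def audit(first, second):
    """Findings for two responses to the same URL (header names lowercased)."""
    findings = []
    n1, n2 = script_nonce(first), script_nonce(second)
    if n1 is None or n2 is None:
        findings.append("csp: no script nonce")
    elif n1 == n2:
        findings.append("csp: nonce reused across requests")
    d = csp_directives(first.get("content-security-policy", ""))
    if len([s for s in d.get("script-src", []) if not s.startswith("'")]) > 1:
        findings.append("csp: more than one external script host")
    hsts = first.get("strict-transport-security", "").lower()
    m = re.search(r'max-age="?(\d+)', hsts)
    if not m or int(m.group(1)) < ONE_YEAR:
        findings.append("hsts: max-age under one year")
    if "includesubdomains" not in hsts:
        findings.append("hsts: includeSubDomains missing")
    pp = dict(i.strip().partition("=")[::2] for i in first.get("permissions-policy", "").split(","))
    findings += [f"permissions-policy: {f} not denied" for f in DENIED if pp.get(f) != "()"]
    return findings

def sample(nonce):  # constructed headers modelled on the controls the page lists
    return {"content-security-policy": f"default-src 'self'; script-src 'nonce-{nonce}' https://bot-challenge.example",
            "strict-transport-security": "max-age=31536000; includeSubDomains",
            "permissions-policy": ", ".join(f"{f}=()" for f in DENIED)}

WEAK = {"content-security-policy": "script-src 'self' 'unsafe-inline' https://cdn.example https://ads.example",
        "strict-transport-security": "max-age=86400", "permissions-policy": "camera=(), microphone=(self)"}
```

Fetching the same URL twice and passing both header sets to `audit` is what exposes a nonce that is static rather than per-request.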
Report a problem
Found something?
If you spot a security issue on this site, email us — in English or French — and we’ll follow up. We also publish a security.txt file (RFC 9116) at /.well-known/security.txt.