Security isn't a feature.
It's the architecture.
Every product we build starts with a Canadian-first infrastructure decision. Your data never crosses borders, never touches third-party APIs, and never leaves your control.
Data Residency
Your data stays in Canada. Period.
Canadian hosting
All infrastructure runs in AWS ca-central-1 (Montreal). Databases, compute, storage, everything stays within Canadian borders.
No third-party transfers
Your data is never sent to OpenAI, Google, or any other external service. Sentinel runs AI models locally, not through API calls to US providers.
PIPEDA & PHIPA compliant
Our infrastructure is designed from the ground up to meet federal and Ontario provincial privacy requirements for personal health information.
Compliance
Built for regulated industries
PIPEDA
Canada's federal privacy law governing how private-sector organizations collect, use, and disclose personal information. Our data handling practices meet all ten PIPEDA fair information principles.
PHIPA
Ontario's Personal Health Information Protection Act sets the standard for health data. Our systems enforce access controls, audit logging, and data minimization aligned with PHIPA requirements.
CPPA-ready
Bill C-27 signals the future of Canadian privacy law, including stronger consent rules and AI governance requirements. Our architecture already meets the proposed standards.
Regulation 299/10
Ontario's Quality Assurance Measures regulation governs developmental services agencies. Meridian is purpose-built to scan compliance data against these requirements automatically.
Infrastructure
How we protect your data
Encryption at rest
All stored data is encrypted using AES-256, the same standard used by financial institutions and government agencies worldwide.
Encryption in transit
Every connection uses TLS 1.3. Data moving between your browser, our servers, and our databases is encrypted end to end.
Isolated tenancy
Each customer's data is logically isolated. One agency's information is never accessible to another, enforced at the database and application layer.
No external API calls
Sentinel's AI models run on local infrastructure. Your prompts, documents, and conversations never leave the network to reach OpenAI, Google, or any third party.
Audit logging
All access to sensitive data is logged with timestamps, user identity, and action type. Logs are retained for compliance review and incident investigation.
Automated backups
Database backups run daily with point-in-time recovery. Backups are encrypted and stored in the same Canadian region as the primary data.
FAQ
Security questions, answered
Where is my data stored?
All data is stored in AWS ca-central-1 (Montreal, Quebec). This includes databases, file storage, backups, and any AI model artifacts. We do not replicate data to regions outside of Canada.
Who can access my data?
Only authorized Merakey engineers with a legitimate operational need can access customer data, and all access is logged. We operate on a principle of least privilege. Your agency's data is never shared with other customers or third parties.
What happens if there's a breach?
We have a documented incident response plan. In the event of a breach, affected customers are notified within 72 hours as required under PIPEDA's mandatory breach reporting. We also notify the Office of the Privacy Commissioner of Canada and, where applicable, the Ontario Information and Privacy Commissioner.
Is Sentinel truly self-hosted?
Yes. Sentinel runs AI models on infrastructure you control. There are no API calls to OpenAI, Anthropic, Google, or any other external AI provider. Your prompts, documents, and model outputs stay entirely within the deployment, whether that is on our Canadian servers or on your own hardware.
How do you handle backups?
Backups run automatically every day with point-in-time recovery. All backups are encrypted at rest using AES-256 and stored in the same Canadian region as the primary database. Backup retention follows a 30-day rolling window. We test restoration procedures regularly to ensure recoverability.
Have security questions? Let's talk.
If your agency has specific security or compliance requirements, we are happy to walk through our infrastructure and answer any questions.