Security

How SourceSeal protects your data

A technical look at how tenant and landlord data is handled, secured, and audited — not just a compliance checkbox.

Last updated July 2026·Report a vulnerability: security@sourceseal.ca
01

Data handling

Data minimization isn't a policy statement here — it's an architectural decision made before a single line of code was written.

Encrypted in transit and at rest. TLS 1.2+ for everything in motion, AES-256 for everything stored.

Canadian data residency. Infrastructure runs on AWS ca-central-1 — data doesn't leave Canadian borders.

No SIN, ever. A Social Insurance Number is never requested or stored, at any step of the flow.

Computed metrics only. Raw bank transaction data is never retained — only the computed income figures used for scoring.

ID images purged post-verification. Identity document images are deleted once a verification decision is made, wherever the provider's API supports it.

Short-lived signed URLs. Report files are never permanent public links — access URLs expire, typically within five minutes.

02

Access & accountability

If someone looks at a report, there's a record of it — including us.

Every access is logged. Report views, downloads, and data pulls write to an immutable audit trail.

Least-privilege internal access. No one on the team has blanket access to applicant data by default.

MFA required on all internal systems that touch applicant or landlord data.

Responsible disclosure. Found a vulnerability? security@sourceseal.ca reaches a real person.

03

The sealed report, explained

"Tamper-evident" isn't a marketing word — here's the actual mechanism.

When a report is finalized, SourceSeal computes a SHA-256 cryptographic hash — a unique digital fingerprint — from its contents, and prints that hash as a QR code on the report itself. Change a single character after the fact, and the hash changes completely; rescanning the QR code will surface the mismatch instantly.

This is the same category of technique used to verify software downloads and notarize legal documents, applied here to tenant screening reports. The hash can be independently reverified at any time by scanning the QR code — you don't have to take our word for it.

04

Compliance posture

PIPEDA double consent. Every data pull requires two separate, explicit approvals — one general, one credit-specific — each timestamped and IP-logged.

Ontario Consumer Reporting Act. SourceSeal has applied for registration as a Consumer Reporting Agency under the Act.

Ontario Human Rights Code, Reg. 290/98. Income-to-rent ratio is advisory only in the fraud engine — it never auto-disqualifies an applicant.

Built ahead of Bill C-36. Biometric data (liveness selfies) is handled to the standard of Canada's incoming federal privacy framework, not just what's required today.

Built toward Quebec Law 25 as a standard, ahead of any Quebec expansion, for future-proofing rather than retrofitting later.

05

Subprocessors

SourceSeal relies on a small number of specialized subprocessors for identity verification, income verification, and credit reporting, each selected for their own security and compliance track record. Infrastructure runs on Amazon Web Services (AWS), in Canada.

In keeping with our policy of not disclosing verification infrastructure details publicly, individual vendor names aren't listed on this page.

Vendor names and data processing agreements are available under NDA to enterprise customers and auditors — contact security@sourceseal.ca.

06

Where we're headed

Security is a program, not a one-time checklist. Here's what's ahead, stated plainly rather than implied.

Planned

SOC 2 Type II certification, as the company scales beyond its initial Ontario launch.

Planned

Extra-provincial registration in BC and Alberta ahead of pan-Canadian expansion.