Government cleaning contracts contain sensitive data. We treat it accordingly.
All customer data lives in Canada, hosted on Supabase in the CA-CENTRAL-1 region. Your data never leaves Canadian borders. Database backups are stored in the same region.
All data is encrypted with TLS 1.3 in transit and AES-256 at rest. Database backups are encrypted. API keys and secrets are stored in environment variables, never in source code.
Row-level security (RLS) is enforced on every multi-tenant table in the database. Service-role keys are never exposed to the browser. Authentication is handled by Clerk with optional two-factor authentication (2FA) available on all accounts.
GovClean is aligned with PIPEDA (Personal Information Protection and Electronic Documents Act). SOC 2 Type II audit is planned for Q4 2026.
Security researchers can email security@govclean.ca. Read our security.txt for full disclosure details.
We maintain a clear escalation path for security incidents. Affected customers are notified within 72 hours of a confirmed breach, in accordance with PIPEDA breach notification requirements.
Email hello@govclean.ca with subject “Security review” and we'll get back to you within one business day.