Catégo is a privacy-compliance tool: security is not an add-on, it is the heart of the product. We apply to our own platform the very principles Catégo helps our clients implement. This page summarises the security measures and hosting choices that protect your data. For the detail of how personal information is processed, see our privacy policy.
Your data is hosted in data centres located in Québec (Canada). This data-residency choice supports your Law 25 compliance and limits exposure to transfers outside Québec. Where a sub-processor is established outside Québec, we frame the communication with appropriate contractual measures and assess it under section 17 of Law 25. The list of our sub-processors and their locations is available in the privacy policy.
All communications with Catégo are encrypted in transit using TLS/HTTPS. Passwords are never stored in clear text: they are kept as one-way cryptographic hashes. Your application data resides in an active database hosted in Québec, access to which is strictly controlled (see below).
Access to personal information is restricted on a least-privilege basis: only staff whose duties require it have access. Two-factor authentication (2FA) is available for accounts, and administrative access is logged. Within your workspace, an audit log records who viewed or modified your registers and assessments.
Environments are separated and each organisation's (tenant's) data is compartmentalised. Software components are kept up to date and patched regularly. Daily backups are performed to ensure continuity and data recovery.
We monitor our infrastructure to detect and contain abnormal activity. In the event of a confidentiality incident, we take measures to reduce the risk of injury, log the incident in a register and, where an incident presents a risk of serious injury, promptly notify the Commission d'accès à l'information (CAI) and the affected individuals, in accordance with Law 25.
Catégo uses artificial intelligence (Anthropic's Claude models) to assist drafting: suggestions, PIA and document drafts. These outputs are drafts that must be reviewed and validated by a qualified person — they are not legal advice and are never published automatically. Our AI providers are contractually required not to train their models on your data.
Catégo is designed around the requirements of Law 25 (Québec) and the recognised principles of PIPEDA (Canada) and the GDPR (European Union). A person in charge of the protection of personal information oversees our practices, request handling and incident response.
If you believe you have found a security vulnerability, we invite you to disclose it responsibly to support@catego.info. We acknowledge reports and act on them with diligence.
For any question about security or hosting, write to us at support@catego.info.