Cyberimpact Trust Center

A secure platform, designed for Canadian organizations

Cyberimpact offers a platform designed to meet the security, privacy, and compliance requirements of Canadian organizations.

Our infrastructure is fully hosted in Canada and designed to ensure a high level of control, data protection, and service reliability.

We design and operate our own application services, limiting reliance on third-party providers for data processing. This approach strengthens the security, confidentiality, and sovereignty of information.


Security and transparency at the core of our approach

Cyberimpact maintains a high level of transparency with its clients and partners. Our trust center presents our practices in terms of security, privacy, compliance, reliability, and service availability.

We make available the documents necessary to evaluate our security posture, including our SOC 2 Type 2 attestation, our System Security Plan (SSP), and our compliance assessments.

This trust center is regularly updated to reflect the evolution of our practices, controls, and governance in terms of data protection.

  • SOC 2 Type 2 attestation
  • Data encryption: TLS 1.2/1.3 and AES-256
  • Multi-factor authentication (MFA)
  • Data hosted in Canada
  • Web Application Firewall (WAF)
  • DDoS protection
  • Daily encrypted backups
  • Regulatory compliance: Law 25, PIPEDA, GDPR, CASL

Our security and compliance practices

Cyberimpact applies multi-layered security controls to protect data and systems:

  • Encryption of data in transit (TLS 1.2/1.3) and at rest (AES-256)
  • Multi-factor authentication (MFA) required for all users
  • Role-based access controls (RBAC) to limit data exposure
  • Continuous system monitoring and detection of anomalous behaviour
  • Formal incident management and recovery processes

The following sections detail the measures implemented to support these controls and ensure the security, privacy, and compliance of our platform.

Compliance and certifications

Cyberimpact holds a SOC 2 Type 2 attestation, validated by an independent auditor.
This attestation confirms that our security and privacy controls are rigorous, well designed, and effective over a period of time.

We apply strict practices for risk management, access reviews, and logging of sensitive actions, in accordance with industry best standards.

Your data hosted locally, in a secure environment

Your data is hosted in Canada, in a data centre that also holds a SOC 2 Type 2 attestation.

The facilities are protected by continuous monitoring, strict access control, and high-security physical measures.

Our infrastructure relies on multiple layers of protection, including:

  • application firewalls (WAF);
  • an intrusion detection system (IDS);
  • DDoS protection mechanisms;
  • network segmentation;
  • data encryption;
  • encryption of storage disks.

Cyberimpact designs and operates its application services based on a controlled architecture and internal components for data processing. Unlike some platforms, we limit reliance on third-party providers for critical data-related functions, which strengthens control, security, and data protection.

Robust practices

We regularly perform penetration tests, automated vulnerability scans, internal reviews, and proactive security patch management. These continuous assessments allow us to adapt our defences to emerging threats.

Identified vulnerabilities are prioritized based on their level of criticality and remediated within defined timelines.

Access to data follows the principle of least privilege, and sensitive actions are logged to ensure full traceability.

Access to internal environments is limited to a restricted number of authorized employees.

We apply strong password policies, require multi-factor authentication (MFA) for our employees, and conduct regular access reviews.

Our team applies secure development practices, including code review, static analysis, and regular updates of components and dependencies (security patches).

Employee onboarding and ongoing training

All new employees undergo an onboarding process that includes mandatory training in information security and data protection.

This step ensures that each team member understands their responsibilities regarding security from day one.

Ongoing cybersecurity awareness training is provided to all staff, including simulated phishing campaigns to strengthen reflexes against common threats.

Technical teams also receive specialized training, particularly in application security (OWASP).

Secure data transmission

All communications are encrypted via TLS 1.2/1.3. Data is also encrypted at rest using recognized algorithms (AES-256).

Secure login

Account security is strengthened by password policies aligned with OWASP and NIST recommendations.

All users must use multi-factor authentication (MFA), and organizations can enable Single Sign-On (SSO).

Cyberimpact offers three levels of access: administrators, users, and users with custom permissions, enabling fine-grained and secure access management.

Only account administrators can create and manage API tokens and modify user information.

Protection against suspicious login attempts

Cyberimpact automatically detects abnormal behaviour during login.

If multiple failed attempts occur within a short period, protection measures are triggered (e.g. password reset request or temporary access restriction) to block unauthorized access while allowing legitimate users to recover their account.

Session management

User sessions automatically expire after a period of inactivity and are subject to security controls to limit the risk of unauthorized access.

Security of endpoints and internal environments

Security begins within our own work environments.

Internal endpoints are protected by:

  • full disk encryption;
  • anti-malware and EDR (Endpoint Detection & Response) solutions;
  • regular security updates and patches;
  • centralized device management;
  • the ability to quickly revoke access.

Access to our internal environments is based on a Zero Trust Network Access (ZTNA) model, in accordance with modern security best practices.

Privacy and data protection

Cyberimpact applies strict practices to protect personal information and its clients’ data.

Data is not sold or shared with third parties for commercial purposes. It may be processed by authorized subprocessors as part of service delivery. No international transfer is carried out unless explicitly requested or required contractually.

Our processes comply with Law 25, PIPEDA, GDPR, and best practices in privacy management.

Access and activity logs are retained for a defined period to ensure traceability, facilitate incident investigations, and meet compliance requirements.

Cyberimpact has designated a person responsible for the protection of personal information in accordance with the requirements of Law 25.

For any questions regarding the protection of personal information or to exercise your privacy rights, you may contact:

Geoffrey Blanc
General Manager and Officer in Charge of the Protection of Personal Information
privacy@cyberimpact.com

Security and privacy governance

Information security and the protection of personal information at Cyberimpact are overseen at the management level.

They are based on documented policies, established governance mechanisms, and regular independent assessments aimed at ensuring the effectiveness of the controls in place.

Regulatory compliance (CASL, Law 25, PIPEDA, GDPR)

Cyberimpact helps you comply with CASL through built-in tools: consent management, subscription records, timestamped history, and compliant unsubscribe mechanisms.

We also apply administrative, technical, and organizational measures to comply with Law 25 and PIPEDA.

For organizations subject to GDPR, Cyberimpact supports the right of access, portability, the right to erasure, and transparency of processing.

Reliability and resilient architecture

Our platform is based on a modern architecture with isolated environments and databases dedicated to each client.

Continuous monitoring analyzes performance, availability, and abnormal behaviour to quickly detect any potential incident.

Platform availability and ongoing incidents are published on our status page: status.cyberimpact.com.

Backups and business continuity

We perform daily backups, encrypted in transit and at rest, and stored in a separate site.

Quarterly restoration tests ensure our ability to effectively recover data in the event of an incident.

A disaster recovery plan defines the actions to be taken in critical situations.

Communication in the event of a security incident

Cyberimpact maintains a formal security incident management process.

In the event of a confirmed incident impacting data confidentiality or service availability, affected clients are informed in accordance with applicable contractual and regulatory obligations.

Documents we can provide

Cyberimpact provides a set of documents intended for security, compliance, and IT governance teams.

Due to their sensitive nature, some documents require the signing of a non-disclosure agreement (NDA).

To obtain a document subject to an NDA, please complete the form below.

Documents available under NDA (sensitive information)

Full SOC 2 Type 2 report
Contains the auditor’s detailed tests, the controls evaluated, and the results of operational effectiveness.

System Security Plan (SSP)
Structured description of our architecture, controls, processes, and security operating model.

GDPR Compliance Assessment
Analysis of practices related to the management of personal data and their alignment with GDPR.

Technical architecture (high-level diagram)
Overview of the service architecture, including main components, data flows, and the overall organization of the system.

HECVAT lite 2.11
Standardized security and privacy assessment questionnaire (Higher Education Community Vendor Assessment Toolkit), used by educational institutions to assess risks related to technology service providers.

VPAT 2.5 (Accessibility)
Declares the level of compliance of our platform in terms of digital accessibility.

Documents available without NDA

SOC 2 Type 2 Summary Letter
Summarizes the SOC 2 attestation without disclosing sensitive information.

Privacy Policy
Presents our practices for managing and protecting personal information.

Anti-spam Policy
Explains the mechanisms put in place to comply with Canadian anti-spam legislation.

Terms and Conditions
Describes contractual obligations, responsibilities, and limitations of service use.

Document request form

To obtain one of our official documents available under NDA, such as our full SOC 2 report, our SSP, our GDPR assessment, or our VPAT, please complete the form below.

We invite you to provide the necessary information to allow us to process your request efficiently and provide you with documents tailored to your context.

We generally respond to requests within 3 to 5 business days*.

*Cyberimpact reserves the right not to respond to a request deemed not relevant or insufficiently justified in order to protect the confidentiality of sensitive information.

Cyberimpact — All rights reserved.