Security at SimpleTurn

Enterprise-grade security built in from day one — not bolted on as an afterthought.

PIPEDA Compliant · CASL Compliant · 256-bit Encryption · Canadian Hosted

SimpleTurn handles sensitive property data and prospect conversations. We take that responsibility seriously. Our security architecture was designed for enterprise PMCs from the start — because retrofitting security never works.

This page details our technical security controls, data handling practices, and compliance posture. If you have additional security questions, contact security@simpleturn.ca.

100% Canadian Infrastructure

All SimpleTurn data — property information, prospect conversations, user accounts, analytics — is stored and processed exclusively in Canada.

  • Hosting: AWS ca-central-1 (Montreal, Quebec)
  • CDN: Canadian edge locations
  • Database: Supabase on Canadian infrastructure with automated backups
  • No cross-border transfers: Data never leaves Canada
  • AI model processing: Queries under zero-data-retention agreements

Data flow (all hosted in AWS ca-central-1, Montreal):

  Prospect (chat widget / SMS / email)
    ↓ TLS 1.3
  SimpleTurn AI (Edge Functions)
    ↓ Encrypted
  Database (Supabase · RLS · AES-256)
  Object Storage (Backups · Encrypted)

Data Protection

Multiple layers of protection for your data at every stage.

Encryption

  • AES-256 encryption at rest for all stored data
  • TLS 1.3 for all data in transit
  • Encrypted database backups
  • API keys stored in dedicated secrets management

Isolation

  • Row-level security (RLS) at database level
  • Per-client data isolation
  • Widget runs in sandboxed iframe
  • Widget has zero access to host website DOM

Access Control

  • Role-based access control (RBAC)
  • SSO/SAML support (Enterprise)
  • Principle of least privilege
  • All access logged and auditable

AI Safety & Accuracy Controls

SimpleTurn AI agents are powerful, but they're not unsupervised. We've built multiple layers of control to ensure accuracy and prevent harmful outputs.

Human override on every data point

Your edits always take precedence over AI research.

Automatic error detection

Our system cross-references multiple sources and flags conflicts.

No hallucination by design

Agents only answer from their dossier. If info isn't there, they say so.

No training on your data

Your data is never used to train models. Not for other clients, not for anyone.

Full audit trail

Every AI decision, conversation, and edit is logged for review.

Compliance

Meeting the highest standards for data privacy and protection.

✅ Compliant

PIPEDA

We comply with Canada's PIPEDA. All data handling follows the 10 fair information principles.

✅ Compliant

Provincial Privacy Laws

Compliant with Alberta PIPA, BC PIPA, and Quebec Law 25.

🔄 In Progress

SOC 2 Type II

Actively pursuing certification. Expected Q3 2026.

✅ Ready

GDPR

Our practices meet GDPR requirements for EU-based prospects.

✅ Compliant

CASL

Canada's Anti-Spam Legislation — built-in consent tracking, sender identification, unsubscribe mechanisms, and quiet hours. See the CASL Compliance section below.

CASL Compliance

How SimpleTurn keeps your outbound communications compliant with Canada's Anti-Spam Legislation.

Sender Identification

Every message from a SimpleTurn agent includes your property management company's name, mailing address, and contact information — as required by CASL for all commercial electronic messages.

CASL s.6(2)(a)–(c)

Unsubscribe Mechanism

Every automated message includes a one-click opt-out link. CASL requires that opt-outs be processed within 10 business days — SimpleTurn processes them instantly and suppresses all future messages.

CASL s.6(2)(c)

Automatic Quiet Hours

Outbound messages are held between 9 PM and 8 AM local time. No commercial electronic message is sent outside reasonable hours — protecting both your prospects and your reputation.

Best practice

Consent Management

SimpleTurn tracks express and implied consent per prospect with timestamps. Implied consent from an inquiry automatically expires after 6 months. Express consent is recorded with source and date for audit.

CASL s.10(1)–(3)

Full Audit Trail

Every message, consent record, and opt-out is logged and exportable. If the CRTC or your compliance team needs records, they're available on demand with full chain-of-custody.

CASL s.6, s.10
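As an added illustration (not SimpleTurn's own code), the send-time gate the controls above describe, in one function: opt-out suppression, the consent-record requirement with the 6-month implied-consent expiry, and the 9 PM to 8 AM local quiet-hours hold. The prospect record layout and the per-prospect UTC offset are assumptions.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

QUIET_START_HOUR = 21      # 9 PM local: outbound messages are held from here...
QUIET_END_HOUR = 8         # ...until 8 AM local
IMPLIED_CONSENT_MONTHS = 6 # implied consent from an inquiry expires after 6 months

@dataclass
class Prospect:                      # assumed record layout
    email: str
    consent_type: Optional[str]      # "express", "implied" or None (no record)
    consent_at: Optional[datetime]   # timestamp of the consent record (aware, UTC)
    opted_out: bool
    local_tz: timezone               # prospect's local UTC offset (assumed stored per prospect)

@dataclass
class Decision:
    allowed: bool
    reason: str
    send_at: Optional[datetime] = None  # earliest local time the message may go out

def add_months(dt: datetime, n: int) -> datetime:
    """Calendar-month arithmetic, clamping the day (e.g. Aug 31 + 6 months -> Feb 28)."""
    m = dt.month - 1 + n
    y, m = dt.year + m // 12, m % 12 + 1
    return dt.replace(year=y, month=m, day=min(dt.day, calendar.monthrange(y, m)[1]))

def gate_outbound(p: Prospect, now_utc: datetime) -> Decision:
    """Decide whether an automated commercial message to p may be sent, and when."""
    if p.opted_out:
        return Decision(False, "suppressed: prospect opted out")
    if p.consent_type is None or p.consent_at is None:
        return Decision(False, "blocked: no consent record")
    if p.consent_type == "implied" and now_utc >= add_months(p.consent_at, IMPLIED_CONSENT_MONTHS):
        return Decision(False, "blocked: implied consent expired")
    local = now_utc.astimezone(p.local_tz)
    if local.hour >= QUIET_START_HOUR or local.hour < QUIET_END_HOUR:
        # Hold until 8 AM local: same day if before 8 AM, next day if after 9 PM.
        release = local.replace(hour=QUIET_END_HOUR, minute=0, second=0, microsecond=0)
        if local.hour >= QUIET_START_HOUR:
            release += timedelta(days=1)
        return Decision(True, "held: quiet hours", release)
    return Decision(True, "send now", local)

if __name__ == "__main__":
    et = timezone(timedelta(hours=-5))  # constructed: Eastern Standard Time offset
    p = Prospect("pat@example.com", "implied", datetime(2025, 1, 15, tzinfo=timezone.utc), False, et)
    print(gate_outbound(p, datetime(2025, 3, 2, 2, 30, tzinfo=timezone.utc)))  # 21:30 ET -> held
```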

Your Obligations as a SimpleTurn Customer

SimpleTurn provides the compliance tools — but under CASL, the sending organisation retains accountability. Here's what you need to do:

  • Obtain valid consent — you must have express or implied consent before enabling AI follow-ups for a prospect. SimpleTurn will not send messages to contacts without a consent record.
  • Provide accurate sender identification — your company name, mailing address, and contact details must be current in your SimpleTurn dashboard. These are included in every outbound message automatically.
  • Honour out-of-band opt-outs — if a prospect requests removal verbally, by email, or through any channel outside SimpleTurn, you must update their consent status in the platform promptly.
  • Review AI-drafted messages — while SimpleTurn generates compliant messages by default, you are responsible for ensuring any custom templates or overrides meet CASL requirements.

For more on CASL obligations, see the CRTC's CASL guidance. Questions? Reach us at compliance@simpleturn.ca.

Security Vulnerability Reporting

If you discover a security vulnerability in SimpleTurn, we want to hear about it. Please report vulnerabilities responsibly to security@simpleturn.ca. When you do, we commit to:

  • Acknowledging your report within 24 hours
  • Initial assessment within 72 hours
  • No legal action against good-faith researchers
  • Crediting researchers (with permission) after resolution

Have security questions about SimpleTurn?

Our team is ready to help.