Security and compliance.

Last updated July 4, 2026

Our approach.

Security is part of how we build, not something we add at the end. VYRA Data Inc. runs SaaS products and delivers professional services, and both handle information that people trust us with. We collect as little as we need, we protect it with controls that fit its sensitivity, and we are honest about what we have in place today and what we are still working toward. This page describes our practices in plain terms. It sits alongside our Privacy Policy, our Data Processing Agreement, and our Subprocessors list, and it does not replace any commitment written into a signed contract with you.

Data hosting.

We host our products and data with established cloud infrastructure providers and keep production data in the regions we state in your contract or statement of work. Where your engagement requires data to stay in a particular region, we agree that in writing before we begin.

  • Data is encrypted at rest using AES-256.
  • Data is encrypted in transit using TLS 1.2 or higher.
  • Production data is backed up on a regular schedule, and backups are encrypted.
  • We separate production environments from development and testing environments.

We confirm the exact hosting provider, region, and backup targets for your engagement in your contract or statement of work.

Access controls.

We limit who can reach systems and data, and we keep that limit tight.

  • Multi-factor authentication is required on administrative accounts.
  • Access is role-based, so people get the role their job needs and nothing more.
  • We apply least privilege, granting the narrowest access that lets someone do the work.
  • We review access on a regular cadence and remove access promptly when a role changes or someone leaves.
  • Administrative and privileged actions are logged.

Vendors and subprocessors.

We rely on a small number of trusted providers to run our business, such as cloud hosting, database services, payment processing, email delivery, AI model access, analytics, and customer support tools. Each provider is bound by a written agreement that limits it to our instructions, requires confidentiality and appropriate security, and forbids using your information for its own purposes. We stay accountable for the information we hand to a provider, and we review the security of the providers we rely on before we engage them and while we use them.

Our current subprocessors are listed on our Subprocessors page, along with how we tell you about changes.

Development practices.

We build security into how we write and ship software.

  • Code changes go through peer review before they reach production.
  • We scan our code and repositories for secrets so credentials do not end up in source control.
  • We scan our dependencies for known vulnerabilities and update them.
  • We use automated checks in our build pipeline to catch common issues early.
  • We separate the environments where we develop, test, and run software.

Monitoring and incident response.

We log activity across our systems and alert on unusual behaviour so we can detect and investigate problems quickly. We keep logs for the period we need to run the service, investigate incidents, and meet our legal duties.

We maintain an incident response plan that sets out how we detect, contain, investigate, and recover from a security event, who is responsible at each step, and how and when we notify the people and regulators involved. We test and update the plan as our systems change.

If a security breach affects personal information, we follow the law that applies:

  • Under Canada's federal privacy law, PIPEDA, where a breach creates a real risk of significant harm, we report it to the Office of the Privacy Commissioner of Canada and notify affected people as soon as feasible. We keep records of breaches for 24 months.
  • For Quebec, we report confidentiality incidents to Quebec's regulator, the CAI, and notify affected individuals where the law requires it.
  • For the EU and the UK, where a breach is reportable, we notify the relevant supervisory authority within the timeframe the applicable law sets, which is within 72 hours of becoming aware where the GDPR and UK GDPR apply, and we notify affected individuals where the risk to them requires it.

More detail on how we handle breaches is in our Privacy Policy.

AI security.

Our AI features, including the VYN AI teammate, are built to keep your content yours.

  • We keep customer data segregated by tenant, so one customer's content is not exposed to another.
  • We do not let third-party foundation model providers train their models on your content.
  • We do not train our own models on your content, and we do not fine-tune across tenants, without your written opt-in.
  • Where a model provider offers a zero-retention API tier for prompts, we use it for the features that support it, so prompts are not retained by the provider beyond what is needed to return a response.
  • We may use aggregated and de-identified data, which cannot reasonably be linked back to you, to run and improve the services.

Our full approach to AI, including disclosure and human review, is set out in our AI policy.

Compliance posture.

We build our practices to meet the privacy and data-protection laws that apply to us and our customers.

  • Canada: we handle personal information under PIPEDA, and, for Quebec residents, under Quebec's Law 25.
  • United States: we honour comparable rights for residents of states with a comprehensive privacy law, including California, and we honour Global Privacy Control browser signals as a valid opt-out.
  • Europe and the United Kingdom: where the GDPR and UK GDPR apply, we meet their security and processor obligations, including the requirement to apply security appropriate to the risk.

We align our AI governance with ISO/IEC 42001, the international standard for AI management systems, which covers governance, risk assessment, transparency, and continual improvement. Alignment is a signal of how we work. We are not certified to ISO/IEC 42001, and we do not claim to be.

Our SOC 2 status is [SOC 2 STATUS PLACEHOLDER]. We will update this page as that status changes, and where a report is available we will describe how to request it under a non-disclosure agreement.

Reporting a vulnerability.

If you find a security issue in our services, we want to hear about it. Email us at security@vyradata.com with enough detail to reproduce the issue.

We commit to good-faith researchers:

  • If you follow this policy, act in good faith, and avoid harm to people or data, we will not pursue legal action against you for your research.
  • Do not access, change, or delete data that is not yours, do not degrade our services, and do not disclose the issue publicly until we have had a reasonable chance to fix it.
  • Give us reasonable time to investigate and remediate before any public disclosure.

We acknowledge reports promptly and keep you updated as we investigate and fix the issue.

Business continuity.

We keep our services and your data resilient to disruption.

  • We back up production data on a regular schedule and store backups encrypted.
  • We keep a disaster-recovery plan for restoring service after a major disruption.
  • We test our recovery process on a regular basis and update the plan as our systems change.

Contact.

For security issues and vulnerability reports, email security@vyradata.com.

For privacy and data-rights requests, email privacy@vyradata.com.

For general and legal questions, email contact@vyradata.com.

We are based in Halifax, Nova Scotia, Canada.

Questions? contact@vyradata.com