Security
Last updated: September 20, 2025
We design for reliability and defense-in-depth. This page outlines core practices and how to report potential security concerns.
Encryption
- Transport Layer Security (TLS) for data in transit.
- Encryption at rest for primary data stores and backups.
Access controls
- Role-based access with least privilege for staff systems.
- Multi-factor authentication and hardware security keys where supported.
- Audit logging for sensitive actions.
Development practices
- Peer review and CI checks for changes in critical paths.
- Dependency management with vulnerability monitoring and timely updates.
- Secrets management with rotation and environment segregation.
Infrastructure
- Segregated environments for development, staging, and production.
- Network-level protections, DDoS mitigation, and rate limiting.
- Backups and tested recovery procedures.
Incident response
We maintain an incident response process with detection, triage, containment, remediation, and post-incident review. Customers are notified of material incidents in accordance with legal and contractual obligations.
Responsible disclosure
If you believe you have found a security vulnerability, please email admin@whif.ca with details and steps to reproduce. Do not disclose the issue publicly until we have had reasonable time to remediate it.
Compliance
See our Compliance page for information about standards, policies, and data governance.