Trust and Compliance

Compliance

Meeting and exceeding regulatory requirements to earn and maintain your trust.

Last updated: January 23, 2026

Our Compliance Commitment

At ZAICORE, compliance is not just about meeting minimum requirements; it is about building a trustworthy foundation for protecting your identity. We are committed to adhering to applicable laws, regulations, and industry best practices across all jurisdictions where we operate.

As a Canadian company, we prioritize compliance with Canadian privacy legislation while also preparing for international expansion with a global compliance mindset.

Certifications and Standards

PIPEDA (Personal Information Protection and Electronic Documents Act). Status: Compliant

We fully comply with Canada's federal privacy law governing how private sector organizations collect, use, and disclose personal information. Our practices meet all ten fair information principles outlined in PIPEDA.

SOC 2 Type II (Service Organization Control 2). Status: In Progress

We are actively pursuing SOC 2 Type II certification, with expected completion in Q3 2026. Our controls already meet the Trust Service Criteria for Security, Availability, Confidentiality, and Privacy.

CASL (Canada's Anti-Spam Legislation). Status: Compliant

All our electronic communications comply with CASL requirements, including proper consent management, clear identification, and easy unsubscribe mechanisms.

GDPR Readiness (General Data Protection Regulation). Status: Q2 2026

In preparation for our global expansion in Q2 2026, we are implementing GDPR-compliant processes for EU users, including data subject rights, consent management, and data protection impact assessments.

PIPEDA Compliance

PIPEDA establishes ten fair information principles that we follow rigorously:

  1. Accountability: We have designated a Privacy Officer responsible for our compliance and have implemented policies and practices to protect personal information.
  2. Identifying Purposes: We identify and document the purposes for collecting personal information at or before the time of collection.
  3. Consent: We obtain meaningful consent for the collection, use, and disclosure of personal information, except where permitted by law.
  4. Limiting Collection: We collect only the personal information necessary for the purposes we have identified.
  5. Limiting Use, Disclosure, and Retention: Personal information is used only for the purposes for which it was collected and is retained only as long as necessary.
  6. Accuracy: We maintain personal information as accurate, complete, and up-to-date as necessary for the identified purposes.
  7. Safeguards: We protect personal information with security safeguards appropriate to the sensitivity of the information.
  8. Openness: We make information about our privacy policies and practices readily available.
  9. Individual Access: Upon request, individuals can access their personal information and challenge its accuracy and completeness.
  10. Challenging Compliance: Individuals can challenge our compliance with these principles to our Privacy Officer.

Industry Best Practices

Beyond regulatory compliance, we adhere to industry best practices and standards:

  • OWASP Top 10: Our development practices address the OWASP Top 10 security risks.
  • NIST Cybersecurity Framework: Our security program aligns with NIST CSF guidelines.
  • CIS Controls: We implement critical security controls recommended by the Center for Internet Security.
  • ISO 27001 Alignment: Our information security management practices follow ISO 27001 principles.
  • Privacy by Design: We incorporate privacy considerations from the earliest stages of product development.

Data Residency

We understand the importance of data sovereignty and residency:

  • Primary Storage: Customer data is stored in Canadian data centers.
  • Backup Locations: Encrypted backups are maintained in geographically separate Canadian facilities.
  • International Transfers: When data must be transferred outside Canada (e.g., for certain service providers), we ensure appropriate safeguards through contractual agreements.
  • Transparency: We clearly disclose data processing locations in our Privacy Policy.

Vendor and Third-Party Compliance

We hold our vendors to the same high standards we set for ourselves:

  • Security Assessments: All vendors undergo security and privacy assessments before engagement.
  • Data Processing Agreements: Vendors handling personal data sign comprehensive DPAs.
  • Ongoing Monitoring: We regularly review vendor compliance and security posture.
  • SOC 2 Preference: We prefer vendors with SOC 2 or equivalent certifications.
  • Access Limitations: Vendors receive only the minimum access necessary for their function.

Audits and Reporting

We maintain transparency through regular audits and reporting:

  • Internal Audits: Quarterly internal compliance and security reviews.
  • External Audits: Annual third-party security audits and penetration testing.
  • SOC 2 Audit: Independent auditor assessment of our controls (in progress).
  • Incident Reporting: Prompt reporting of security incidents as required by law.
  • Privacy Breach Notification: Notification to affected individuals and authorities within 72 hours of a qualifying breach.

Compliance Roadmap

Our ongoing compliance initiatives:

  • Q1 2026: Complete SOC 2 Type I audit. Status: Complete
  • Q2 2026: GDPR compliance for EU expansion. Status: In Progress
  • Q3 2026: SOC 2 Type II certification. Status: Planned
  • Q4 2026: ISO 27001 certification preparation. Status: Planned

Compliance Questions

For questions about our compliance practices or to request compliance documentation, please contact us:

ZAICORE Compliance Team

Email: zachary@zaicore.com

Or book a call with our team.