The frameworks we operate against, the sub-processors we use, the SLAs we commit to. For the technical security posture of redactlabs.ca itself — a strict static CSP, HSTS, audit log handling — see /security/.
We use these as the source-of-truth control set for client engagements and our own infrastructure. Where regulated clients need board-ready evidence, we map our work back to these frameworks.
NIST CSF 2.0
Govern, Identify, Protect, Detect, Respond, Recover. Released February 2024 — the first major revision in a decade. Our default control taxonomy.
18 control categories across three Implementation Groups. We typically scope IG2 for charities and growing SMBs, IG3 for regulated and high-revenue clients.
Federal SMB certification baseline, administered by the Standards Council of Canada (CAN/CIOSC 104:2021). 13 baseline controls. We map every engagement to it.
Federal private-sector privacy law. We provide privacy-impact assessments, OPC-aligned breach response, and board-ready compliance documentation.
Modernized QC private-sector privacy. Privacy officers, mandatory PIAs, breach notification, GDPR-style consent. Penalties up to C$25M or 4% turnover.
Ontario's Personal Health Information Protection Act. Specific consent, breach-notification, and record-keeping requirements for health information custodians.
The infrastructure providers we use to deliver Redact Labs services. Listed up front so procurement teams do not have to ask. We maintain a longer, version-controlled DPA annex on request.
| Sub-processor | Purpose | Data region |
|---|---|---|
| Cloudflare | Edge, DNS, WAF, Workers, R2 object storage | Global anycast; CA-resident KV/R2 where contracted |
| Resend | Transactional email delivery | United States |
| Microsoft 365 | Internal email, collaboration, document storage | Canada (data residency) |
| Proton Business Suite | Encrypted email (Proton Mail), secure file storage (Drive), calendar, VPN — privacy-first productivity stack | Switzerland / EU |
| Proton Pass Business | Credential vaulting and shared secrets | Switzerland / EU |
| GitHub | Source control for Worker templates and tooling | United States |
Engagement-specific sub-processors (the EDR, SIEM, identity, and backup tools we recommend for your environment) are scoped per engagement and listed in your statement of work. We never recommend a vendor whose referral fee we have not disclosed in writing.
By engagement type. Acknowledgement targets, not resolution targets — resolution depends on scope.
| Engagement | Acknowledge | Hours |
|---|---|---|
| Managed Cybersecurity — critical incident | 15 minutes | 24/7 |
| Managed Cybersecurity — standard | 1 business hour | Mon–Fri, 9–5 ET |
| Managed Service Desk — priority retainer | 1 hour | Business hours + after-hours |
| Managed Service Desk — standard retainer | 4 business hours | Mon–Fri, 9–5 ET |
| Security vulnerability reports | 72 hours | See /security/ |
| Sales / scoping enquiries | 1 business day | Mon–Fri, 9–5 ET |
Form submissions
Stored in CA-region object storage with PII hashed at write time. 30-day retention, then purged. No free-text bodies in plaintext.
Edge access logs
IPs stored as /24 ranges only, never full addresses. 30-day retention. Used for rate-limiting and incident triage.
Client engagement data
Held in CA-region Microsoft 365 with conditional access, retained for the duration of the engagement plus 7 years for tax/audit, then purged.
Newsletter subscribers
Email address only. One-click unsubscribe in every send. Delivered via Resend with subscriber state in our own Workers KV (CA-region). Never sold, never shared.
DPA, MSA template, sub-processor list, insurance certificates, and SOC-style control summary. Available under NDA for active and prospective enterprise clients.