ComplaiLite

Trust & Security

Your clients' data, handled properly.

ComplaiLite collects KYC questionnaire responses, a signed Client Agreement, and CASL consent. Here is exactly how that data is stored, protected, and retained.

Canadian data residency

Client data is stored at rest in Canada — AWS Montreal (ca-central-1). Two supporting services, application hosting and email delivery, operate from the US under contractual safeguards; stored data itself stays in Canada.

Encryption at rest and in transit

Data at rest is encrypted with AES-256. Data in transit uses TLS 1.2 or higher.

Per-broker data isolation

Each broker's client data is isolated through application-layer query scoping — every query is bound to the authenticated broker's account, so no broker can see another broker's clients.

Passwordless broker login

Broker accounts use magic-link authentication — no passwords are stored. Two-factor authentication (an authenticator app or a passkey) is available.

Seven-year retention

Completed client session records are retained for a minimum of seven years, supporting the federal FINTRAC five-year minimum and BC's longer retention period under the BCFSA framework.

No advertising, no tracking, no AI training

Client data is used only to deliver the compliance service to the broker. It is never used for marketing, analytics, ad targeting, or model training.

Breach response

If a security breach affects client data, HNDL notifies the affected broker promptly after confirming it. The broker handles any required regulatory reporting; HNDL provides the documentation and assistance needed. Full obligations are in our DPA.

What we store — and what we don't

Stored

  • KYC questionnaire responses
  • The signed Client Agreement (with timestamp)
  • CASL consent status and timestamp
  • Client name and email
  • Broker profile and branding

Not stored

  • Government ID images or numbers, biometrics — no identity verification
  • Broker passwords (passwordless login)
  • Payment or credit card information
  • Advertising or third-party tracking data
  • Anything used for AI training

Who is responsible for what

The broker is the data controller. They decide what client data is collected and why, and they are the point of contact for their clients' access and correction requests under PIPEDA.

HNDL Technology Inc. is the data processor. We store and process client data strictly on the broker's instructions, in order to deliver the compliance service — nothing more.

Questions about how we handle data?

Read the full Privacy Policy, or reach us directly.

support@hndl.app