Security Documentation

Enterprise-grade security infrastructure protecting your Canadian mortgage data with industry-leading controls and regulatory compliance.

9.2/10 Security Rating
ISO 27001, SOC 2 Type II, PCI DSS, PIPEDA, OSFI B-20, FINTRAC
47/47 Controls Passing
100% Compliance Rate
AES-256 Encryption Standard
24/7 Real-time Monitoring

Access Control & Authentication

Multi-layered authentication and authorization framework

Role-Based Access Control (RBAC)

Granular permission system with 7 distinct roles controlling access to sensitive operations.

ADMIN, PRINCIPAL_BROKER, UNDERWRITER, BROKER, REVIEWER, VIEWER, SYSTEM
Action Gate workflow enforcement
Graduated Autonomy System

Session Security

Advanced session management with automatic timeout and concurrent session limits.

30-minute idle timeout
Auto-extension at 15-minute threshold
Maximum 5 concurrent sessions per user

CSRF Protection

Token-based cross-site request forgery prevention with automatic validation.

Cryptographically secure tokens
1-hour token expiry
Automatic token cleanup

Run Mode Security

Environment-based security with DEMO, SHADOW, and LIVE operational modes.

LIVE mode requires full authentication
SHADOW mode for testing
DEMO mode with sample data

Multi-Tenant Isolation

Complete data isolation between tenants with Row Level Security (RLS).

PostgreSQL RLS policies
Tenant-scoped encryption keys
Cross-tenant access prevention

Case Locking

Exclusive edit locks prevent concurrent modifications to sensitive case data.

Pessimistic locking strategy
Automatic lock expiry
Lock audit trail

Data Encryption

Military-grade encryption for data at rest and in transit

AES-256-GCM Encryption

All sensitive documents encrypted with authenticated encryption providing confidentiality and integrity.

256-bit key length
Galois/Counter Mode authentication
Random IV per encryption

Scrypt Key Derivation

Memory-hard key derivation function protecting against brute-force attacks.

Per-tenant encryption keys
High memory cost (N=16384)
Parallelization factor: 1
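
The following sketch combines the two controls above, scrypt-derived per-tenant keys and AES-256-GCM with a random IV, using Node's built-in crypto module. It is an added example, not the product's own code; r=8, the 32-byte salts, the 12-byte IV, binding the tenant ID as associated data, and all function names and sample values are assumptions.

```javascript
const crypto = require('node:crypto');

// N and p are the page's figures; r=8, the salt size and the 12-byte IV are assumptions.
const SCRYPT_PARAMS = { N: 16384, r: 8, p: 1 };

// Derive a 256-bit key for one tenant from a master secret and that tenant's salt.
function deriveTenantKey(masterSecret, tenantSalt) {
  return crypto.scryptSync(masterSecret, tenantSalt, 32, SCRYPT_PARAMS);
}

// Encrypt with a fresh random IV; the tenant ID is bound as associated data (assumption).
function encryptDocument(key, tenantId, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(tenantId, 'utf8'));
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ciphertext, tag: cipher.getAuthTag() };
}

// Returns the plaintext, or null when the GCM tag does not verify
// (wrong key, wrong tenant ID, or modified ciphertext).
function decryptDocument(key, tenantId, { iv, ciphertext, tag }) {
  try {
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
    decipher.setAAD(Buffer.from(tenantId, 'utf8'));
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString('utf8');
  } catch {
    return null;
  }
}

// Flip one bit of the ciphertext to simulate tampering at rest.
function tamper(box) {
  const ciphertext = Buffer.from(box.ciphertext);
  ciphertext[0] ^= 0x01;
  return { ...box, ciphertext };
}

// Constructed sample data: one master secret, two tenant salts, one document.
const MASTER = 'constructed-master-secret';
const keyA = deriveTenantKey(MASTER, Buffer.alloc(32, 0xa1));
const keyB = deriveTenantKey(MASTER, Buffer.alloc(32, 0xb2));
const box = encryptDocument(keyA, 'tenant-a', 'T4 slip, 2023');
```

Decryption returns the document only for tenant A's key and tenant ID; tenant B's key, a mismatched tenant ID, or a single flipped ciphertext bit all fail the tag check.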

SHA-256 Integrity

Cryptographic hash verification ensures document integrity and tamper detection.

Document fingerprinting
Tamper detection alerts
Audit bundle verification

TLS/HSTS Transit Security

All data transmitted over encrypted HTTPS with strict transport security headers.

TLS 1.3 preferred
HSTS with 1-year max-age
includeSubDomains enabled

Email Credential Encryption

SMTP credentials stored with AES-256-GCM encryption for email integration security.

App password support
OAuth token encryption
Secure credential rotation

Canadian Cloud Storage

Documents stored in Canadian-region cloud providers for FINTRAC/PIPEDA compliance.

GCS, Azure, S3, Box, Sync.com, ThinkOn
Canadian region enforcement
User-owned storage

Audit Logging & Compliance

Comprehensive audit trails for regulatory compliance

Case Timeline Events

Server-authored, audit-grade event logging with complete action history.

Immutable event records
User attribution
Timestamp verification

Lender Defensible Export

14-section audit bundle for regulatory compliance and lender requirements.

Decision trace documentation
Evidence snapshots
SHA-256 integrity hashing

FINTRAC Reporting

Automated STR/LCTR/LPEPR generation with configurable thresholds and XML export.

Suspicious Transaction Reports
Large Cash Transaction Reports
Automatic trigger detection

Rule Replay Capability

Point-in-time decision recreation with EXACT, CURRENT_POLICY, and COMPARE modes.

Policy version snapshots
Input/output capture
Comparison reporting

Principal Broker Supervision

10% file audit sampling with supervision checklists and exception workflows.

Random file selection
Two-person approval
Compliance alerts

PIPEDA Consent Management

Privacy consent tracking with audit trails and withdrawal mechanisms.

Consent version tracking
Withdrawal processing
Data retention policies

Input Validation & API Security

Defense-in-depth protection against common attack vectors

Zod Schema Validation

Type-safe runtime validation for all API inputs with detailed error messages.

Schema-first validation
Type coercion prevention
Strict mode enforcement

SQL Injection Prevention

Pattern-based detection and parameterized queries prevent SQL injection attacks.

Recursive input scanning
Pattern blocklist
Parameterized queries only

XSS Protection

HTML entity encoding and Content Security Policy headers prevent cross-site scripting.

HTML entity encoding
Content Security Policy
X-XSS-Protection header

Tiered Rate Limiting

Multi-tier rate limiting protects against abuse and denial-of-service attacks.

Global: 1000 requests/15min
Auth: 20 requests/15min
Webhooks: 200 requests/min

Helmet Security Headers

Comprehensive HTTP security headers protect against common web vulnerabilities.

X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin

Idempotency Tokens

Request deduplication prevents double-processing of critical operations.

UUID-based tokens
24-hour token validity
Automatic cleanup

Anomaly Detection & Monitoring

Real-time security monitoring and threat detection

Brute Force Detection

Automatic detection of repeated failed login attempts with progressive lockout.

Threshold: 5 failures/hour
IP-based tracking
Automatic CRITICAL alerts

High Volume Detection

Identifies unusual request patterns that may indicate automated attacks.

Threshold: 500 requests/hour
Per-source tracking
HIGH severity alerts

Sensitive Endpoint Monitoring

Enhanced monitoring for critical endpoints like authentication and admin routes.

Threshold: 3 failures
Auth, admin, API routes
HIGH severity alerts
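
The three detection rules above (brute force, high volume, sensitive endpoints) can be expressed as per-source sliding-window counters. This is an added example, not the product's own code; the one-hour window for the sensitive-endpoint rule, the "at or above threshold" comparison, the path prefixes, the event shape and the sample events are assumptions.

```javascript
const HOUR_MS = 60 * 60 * 1000;

// Limits and severities are the page's figures; the match predicates are assumptions.
const RULES = [
  { name: 'BRUTE_FORCE', severity: 'CRITICAL', limit: 5,
    match: (e) => e.path === '/auth/login' && e.status === 401 },
  { name: 'SENSITIVE_ENDPOINT', severity: 'HIGH', limit: 3,
    match: (e) => e.status >= 400 && /^\/(auth|admin|api)\//.test(e.path) },
  { name: 'HIGH_VOLUME', severity: 'HIGH', limit: 500, match: () => true },
];

// Walk events in time order and raise one alert each time a (rule, source IP)
// pair reaches its limit inside the sliding window.
function detect(events, rules = RULES, windowMs = HOUR_MS) {
  const windows = new Map(); // "rule|ip" -> timestamps still inside the window
  const open = new Set();    // "rule|ip" pairs already alerted and still over the limit
  const alerts = [];
  for (const e of [...events].sort((a, b) => a.ts - b.ts)) {
    for (const rule of rules) {
      if (!rule.match(e)) continue;
      const key = `${rule.name}|${e.ip}`;
      const hits = (windows.get(key) || []).filter((t) => e.ts - t < windowMs);
      hits.push(e.ts);
      windows.set(key, hits);
      if (hits.length < rule.limit) { open.delete(key); continue; }
      if (open.has(key)) continue; // suppress duplicates while the burst continues
      open.add(key);
      alerts.push({ rule: rule.name, severity: rule.severity, ip: e.ip, ts: e.ts, count: hits.length });
    }
  }
  return alerts;
}

// Constructed sample events (minute offsets, documentation-range IPs).
const ev = (min, ip, path, status) => ({ ts: min * 60000, ip, path, status });
const SAMPLE_EVENTS = [
  ...[0, 10, 20, 30, 40].map((m) => ev(m, '203.0.113.7', '/auth/login', 401)),
  ...[0, 50, 100, 150].map((m) => ev(m, '198.51.100.4', '/auth/login', 401)),
  ev(160, '198.51.100.4', '/auth/login', 200),
];
```

On the sample, 203.0.113.7 raises a HIGH sensitive-endpoint alert at its third failure and a CRITICAL brute-force alert at its fifth, while 198.51.100.4 spaces its failures 50 minutes apart and never has more than two inside any one-hour window.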

Alert Severity Levels

Four-tier alert system ensures appropriate response to security events.

CRITICAL: Immediate action
HIGH: Urgent review
MEDIUM/LOW: Monitoring

Real-time Alert Storage

Security alerts stored in database with full context for investigation.

PostgreSQL-backed storage
Full request context
Resolution tracking

Circuit Breakers

Automatic service isolation when external dependencies become unhealthy.

Failure threshold monitoring
Automatic recovery
Graceful degradation

Fraud Detection & Prevention

AI-powered fraud detection across multiple vectors

DocGuard AI Verification

AI-powered document analysis detects forgeries, alterations, and inconsistencies.

8-category fraud scan
PDF metadata analysis
Confidence scoring

Employment Letter Intelligence

Advanced analysis of employment documents with fraud pattern recognition.

Employer verification
Income consistency checks
Template fraud detection

Application Stacking Detection

Identifies concurrent applications across multiple lenders.

Cross-lender matching
Timeline analysis
Risk scoring

Non-Arms Length Detection

Identifies related-party transactions requiring enhanced due diligence.

Relationship mapping
Address matching
Name similarity analysis

Document Freshness Validation

Ensures documents are within acceptable age thresholds for underwriting.

30/60/90 day thresholds
Document type rules
Expiry warnings

FINTRAC Third-Party Determination

Automatic identification of third-party involvement in transactions.

Beneficial ownership tracking
Source of funds verification
PEP/sanctions screening

Security Architecture

Layered defense architecture with defense-in-depth

Edge Layer: TLS 1.3, HSTS, Rate Limiting, CORS, Helmet Headers
Application Layer: CSRF Protection, Session Security, Zod Validation, XSS Prevention, SQL Injection Prevention
Authentication: OpenID Connect, RBAC, Session Timeout, Concurrent Session Limits, Magic Links
Data Layer: AES-256-GCM, Row Level Security, Tenant Isolation, Scrypt Key Derivation, SHA-256 Integrity
Monitoring: Anomaly Detection, Brute Force Detection, Security Alerts, Audit Logging, Circuit Breakers
Compliance: FINTRAC, PIPEDA, OSFI B-20, ISO 27001, SOC 2, PCI DSS

Security Controls Summary

Complete list of implemented security controls

| Category | Control | Implementation | Status |
|---|---|---|---|
| Access Control | Role-Based Access Control | 7 roles with granular permissions | Active |
| Access Control | Session Security | 30-min timeout, 5 concurrent limit | Active |
| Access Control | CSRF Protection | Token-based with 1hr expiry | Active |
| Encryption | Data at Rest | AES-256-GCM | Active |
| Encryption | Data in Transit | TLS 1.3 + HSTS | Active |
| Encryption | Key Derivation | Scrypt per-tenant keys | Active |
| Input Validation | Schema Validation | Zod type-safe validation | Active |
| Input Validation | SQL Injection Prevention | Pattern detection + parameterized queries | Active |
| Input Validation | XSS Prevention | HTML encoding + CSP | Active |
| Rate Limiting | Global Rate Limit | 1000 requests/15min | Active |
| Rate Limiting | Auth Rate Limit | 20 requests/15min | Active |
| Monitoring | Anomaly Detection | Real-time pattern analysis | Active |
| Monitoring | Brute Force Detection | 5 failures/hour threshold | Active |
| Audit | Case Timeline Events | Immutable event logging | Active |
| Audit | Lender Defensible Export | 14-section audit bundle | Active |
| Compliance | FINTRAC Reporting | STR/LCTR/LPEPR generation | Active |
| Compliance | PIPEDA Consent | Privacy consent management | Active |