Trust Centre

Last Updated: 09/09/2025

1. Introduction
At SuperAdvisor, protecting sensitive client data is not just a responsibility — it is a core part of our mission. As a financial services and SaaS provider, we recognize that our clients trust us with some of their most critical information. That trust is earned through rigorous security practices, strict adherence to regulations such as PIPEDA, and alignment with industry-recognized frameworks, including the OWASP family of standards. Security is built into every layer of our platform, from system architecture and development practices to employee training and vendor management.

We take a security-by-design approach, ensuring that encryption, access control, and monitoring are applied consistently across our infrastructure. Sensitive data is encrypted both in transit and at rest using modern cryptographic standards, and client data is stored exclusively within Canada, meeting our data residency commitments. Backup and disaster recovery processes are tested regularly to ensure that client data remains safe, durable, and recoverable even in the event of a major disruption.

2. Authentication and Access Management

Access to SuperAdvisor systems is governed by layered controls designed to protect against unauthorized use. Multi-factor authentication (MFA) is required for all accounts, and we employ an adaptive MFA strategy that adjusts the strength of authentication based on contextual risk signals, such as device reputation, network location, and unusual login patterns. This adaptive approach minimizes friction for legitimate users while introducing heightened security measures when potential risks are detected.

Identity management is handled exclusively by trusted providers, ensuring that authentication flows are both secure and standards-compliant. Role-based access control (RBAC) ensures that individuals can access only the information necessary for their role, and access is granted according to the principle of least privilege. Sessions and tokens are securely managed to reduce exposure risk and limit opportunities for misuse.

Authentication and authorization are also a dedicated focus of our secure development review process. Every code change must pass a security review checklist, which includes both manual review of authentication and access management logic and automated testing using security analysis tools. This ensures that identity and access protections remain consistent and uncompromised throughout the lifecycle of our applications.

3. Secure Development and Testing

SuperAdvisor embeds security into every stage of the development process. Code changes are reviewed for compliance with security standards aligned with the OWASP Top 10 and the Application Security Verification Standard (ASVS). Automated static application security testing (SAST) is applied to every change before merge, helping us catch vulnerabilities such as injection flaws or insecure configurations early. In addition, annual dynamic application security testing (DAST) is conducted by certified external penetration testers to provide independent assurance that our applications withstand real-world attack scenarios. By combining automated controls with human expertise, we ensure that our development process consistently delivers resilient, secure systems.

4. Data Security, Residency, and Protection

Client data is protected with the highest standards of encryption and resiliency. All data is encrypted in transit using TLS 1.2 or higher, and at rest using AES-256 encryption. Keys are stored securely, rotated regularly, and managed according to best practices. Our encryption strategy ensures confidentiality, integrity, and regulatory compliance across all data-handling operations.

Data residency is equally important: all client data managed internally by SuperAdvisor is stored exclusively within Canada. This ensures compliance with data sovereignty requirements and provides clients with transparency on where their information resides.

For payment card data, SuperAdvisor never directly stores or processes cardholder information. Instead, we rely on Stripe, a PCI DSS Level 1 compliant payment processor, to manage all payment transactions securely. This ensures that the most stringent security controls for payment data are applied, while insulating clients from the risks of direct handling by our platform.

5. AI & LLM Governance and Oversight

SuperAdvisor’s AI & LLM policy extends our core data practices by requiring data encryption, prohibiting the use of customer inputs for model training, and maintaining the same strict data residency standards.

SuperAdvisor currently leverages OpenAI's GPT large language models through Microsoft Azure's OpenAI Service, rather than the public OpenAI API. This setup provides the same powerful AI while adding enterprise-level compliance and privacy protections.

Because we use Azure's OpenAI Service, prompts and responses are never fed back into the model for training. Microsoft contractually guarantees that data sent through Azure OpenAI is only used to generate results, not to improve the model itself.

Requests are processed entirely within Canada, ensuring your data stays in-region and meets residency and sovereignty requirements. Azure OpenAI Service inherits Microsoft's compliance portfolio (SOC, ISO, GDPR, HIPAA, and more), providing the same assurances enterprises rely on for sensitive workloads.

6. Monitoring and Threat Detection

SuperAdvisor maintains continuous monitoring of its infrastructure and applications to detect suspicious activity in real time. Logs are centralized, retained securely, and reviewed for anomalies that may indicate threats or misuse. Automated alerts notify our team of unusual or suspicious activity, allowing us to respond quickly before issues escalate. Monitoring controls are continuously improved to adapt to evolving security risks.

7. Incident Response

We maintain a formal incident response plan that defines severity levels, escalation paths, and clear response timelines. Severe incidents are acted upon immediately, with acknowledgment and response beginning within hours. Clients and regulators are notified promptly if their data may be impacted. After every incident, a root cause analysis and post-incident review are conducted, ensuring that lessons learned are translated into improved security practices and stronger safeguards.

8. Vendor and Third-Party Risk Management

Because client data security extends beyond our own systems, SuperAdvisor holds all vendors and partners to the same rigorous standards. Each vendor undergoes an annual risk assessment against recognized frameworks, and service agreements require strong encryption, access control, and breach notification protocols. Vendors are contractually obligated to notify us quickly — typically within 24 hours — if a data breach is suspected. By carefully selecting and monitoring our partners, we ensure that data protections remain robust throughout the full service ecosystem.

9. Employee Security and Awareness

We recognize that people are often the first line of defense. All employees receive mandatory security training during onboarding and refresher training annually. Phishing simulations and awareness campaigns are conducted regularly to reinforce best practices for handling sensitive data and recognizing threats. Employees must access company systems only from trusted, secured devices, and endpoint protection policies are enforced across all work-related equipment.

10. Business Continuity and Disaster Recovery

SuperAdvisor has a comprehensive business continuity and disaster recovery strategy to ensure resilience in the face of unexpected events. Internally managed data is backed up daily, with recovery procedures tested regularly. Our disaster recovery processes are designed to meet defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO), minimizing downtime and data loss. In the event of a system outage or catastrophic failure, we are prepared to restore availability quickly and securely, safeguarding client trust and ensuring uninterrupted access to critical services.

11. Compliance and Regulatory Alignment

SuperAdvisor’s policies and procedures are aligned with PIPEDA and other applicable financial data protection requirements. Our security posture is informed by best practices from OWASP, PCI DSS, and global data protection standards. For payments, compliance with PCI DSS is managed entirely through Stripe, ensuring that cardholder data is handled according to the highest certification level available. We conduct regular internal and external reviews to validate our compliance posture and to continually strengthen our controls.

Our commitments are further detailed in our Privacy Policy and Terms of Service.

12. Responsible Disclosure

We encourage responsible security research and reporting. If you believe you have discovered a potential vulnerability in our platform, please contact us at security@superadvisor.ai. All reports are reviewed in good faith, and we are committed to prompt and transparent responses.