Security & compliance

Built so your security team has fewer questions, not more.

Project Drive is operated under SOC 2 Type II controls, ready for HIPAA workloads under BAA, hosted in Canadian data centers, and aligned with Loi 25 and the GDPR. The detail below is what your procurement and IT teams will be asked to verify.

SOC 2 Type II

Annual audit covering security, availability, processing integrity, confidentiality, and privacy. Latest report available under NDA.

HIPAA-ready

BAA available for Enterprise plans. Aligned with the HIPAA Security Rule across administrative, physical, and technical safeguards.

Loi 25 / GDPR

Privacy program aligned with Quebec's Loi 25 and the GDPR. DPA available, with named privacy officer per request.

Hosted in Canada

Production data resides in Canadian regions by default. Customer-selected regions and customer-managed encryption keys available on Enterprise.

Data residency

Your data stays where your law says it stays.

Production tenants are pinned to a Canadian region by default. Enterprise customers can pin to a specific region and, if required, deploy into a private region under their own cloud account.

Default region
ca-central-1, with multi-AZ replication. Backups remain in-region.
Optional regions
EU (eu-west-3), US (us-east-1), and customer-private deployments on request.
Cross-region transfer
Disabled by default. No customer data is mirrored outside the contracted region without explicit written consent.
Subprocessor regions
All subprocessors operate in the same region as the primary tenant or are bound by region-locked DPAs.

Encryption

Encrypted at rest, in transit, and on backup.

AES-256 for data at rest. TLS 1.3 in transit. Per-tenant data keys, with optional customer-managed KMS for Enterprise.

At rest
AES-256 across application database, object storage, and backups.
In transit
TLS 1.3 enforced on all external endpoints; TLS 1.2 minimum for legacy clients.
Key management
Per-tenant data encryption keys, rotated annually. Optional customer-managed keys via AWS KMS or Azure Key Vault.
Secrets
Application secrets stored in HashiCorp Vault, rotated automatically.

Access controls

SSO, SAML, SCIM, RBAC — without surcharge surprises.

Identity is included on every paid tier. SCIM provisioning, SAML SSO, and granular role-based access are not behind an "enterprise add-on."

Single sign-on
SAML 2.0 against Okta, Microsoft Entra ID, Google Workspace, OneLogin, Ping. OIDC available.
Provisioning
SCIM 2.0 for user, group, and role lifecycle.
Roles
System and custom roles with field-level read/write controls. Permissions inherited along the hierarchy.
MFA
Enforced for all admin sessions; configurable per role for end users.
Session controls
Configurable session length, IP allowlisting, device-trust policies on Enterprise.

Audit & monitoring

Every change. Every actor. Every timestamp.

Audit logging is on by default for all paid tiers. Streamed to your SIEM on Enterprise — no separate "advanced audit" SKU.

Audit log
Field-level changes, logins, permission changes, exports, and admin actions. 13 months retained on Business; configurable on Enterprise.
Streaming
Webhook or AWS EventBridge stream to your SIEM (Splunk, Datadog, Sumo, Sentinel) on Enterprise.
Anomaly detection
Built-in alerting on impossible-travel logins, mass-export events, and permission escalations.

Backups & disaster recovery

RPO 5 minutes. RTO 4 hours. Tested quarterly.

We treat the recovery test plan like a release: run quarterly, results published to customers under NDA. No "we will get to it" backup story.

RPO / RTO
Recovery point 5 minutes, recovery time 4 hours for production-impacting events.
Backup cadence
Continuous WAL shipping plus daily snapshots. 35-day retention by default; 7 years available.
Tested
Full failover and restore tested every quarter. Latest test report available under NDA.
Customer exports
Self-serve export of all your data — projects, tasks, attachments, audit log — at any time.

Vulnerability management

Patched on a schedule, scanned continuously.

Static and dependency scanning on every commit. Annual third-party penetration test. Bug bounty program for responsible disclosure.

Scanning
SAST, dependency scanning, and container image scanning on every commit. DAST nightly against staging.
Penetration testing
Annual third-party pentest by a recognized firm. Executive summary available under NDA.
Patching SLA
Critical: 24 hours. High: 7 days. Medium: 30 days.
Disclosure
Responsible disclosure at security@project-drive.net. PGP key on request.

Subprocessors

A short list, kept current.

We minimize subprocessors on principle. The current list, the regions they operate in, and the data they handle are below. Customers are notified at least 30 days before any addition.

Subprocessor | Purpose | Region
Amazon Web Services | Primary infrastructure | ca-central-1
Cloudflare | DDoS protection, WAF, CDN | Global edge
Postmark | Transactional email | US (DPA in place)
Sentry | Application error monitoring | EU (eu-west-1)
Stripe | Billing for self-serve tiers | US (DPA in place)

Full subprocessor list, with current DPAs, is published at /legal/subprocessors.

Need this in a single PDF for procurement?

The Project Drive Security Overview covers everything on this page in a format your IT and legal teams can route internally.

A real conversation with our security engineer.

If your procurement team has a 200-question RFP, we will sit on the call and answer it line by line. No legalese, no deflection.