ResolveHD operates where the consequences of getting data wrong are operational, not theoretical. Health authorities, defence organizations, public-sector teams, and emergency services use our platform to make decisions that affect real people. The trust required to do that work isn’t claimed. It’s engineered, documented, and verifiable.
Four commitments govern every feature, every customer engagement, every vendor.
Personal data is stored and processed in the customer's preferred jurisdiction. Canada by default, or another sovereign region when the customer requires it. Vendors and tools that cannot meet residency requirements are not used.
Clients determine what data is collected, the purpose, and the retention period. We process it on documented instructions. Your data is never used to train our models, never combined across tenants, never sold or shared.
Every new feature, customer engagement, and vendor that touches personal data undergoes a risk assessment — data handling, security controls, regulatory alignment, operational risk. A gate, not a checkbox.
Audits in progress are described as in progress. Frameworks we align to without certification are described as alignment. We say what is true, including when it isn’t flattering.
Your data. Your jurisdiction. Your terms.
ResolveHD is the engine. The customer is the driver. We act as a data processor for everything collected through our applications and services, and as an agent of the data custodian under provincial health privacy legislation where it applies. The only data we control is limited information from this corporate website, especially contact submissions and analytics.
Infrastructure runs on Microsoft Azure (Canada Central / Canada East) and AWS (ca-central-1). PHI sits in a dedicated, encrypted vault with scoped access. Our customers operate under PIPEDA, provincial health privacy law, Quebec Law 25, and DND obligations — none of those frameworks negotiate on residency. Neither do we.
Auditable by design.
Security at ResolveHD is structured, owned, and auditable. Eight policy domains, mapped to NIST SP 800-53 and SOC 2 Trust Services Criteria. Each has documented policy, named owners, and operational evidence, reviewed annually by the CISPO.
Built for the regulations our customers operate under.
Health, defence, public sector, and emergency services operate under frameworks that don’t accommodate generic compliance postures. Ours is built specifically to those frameworks: what we align to, our current audit status, the obligations we accept.
Each policy in our library carries explicit tags identifying the NIST 800-53 control families it satisfies, the SOC 2 trust criteria it supports, the PIPEDA principles it implements, and the customer-specific obligations (PHIA, DND, FOIPOP) it covers. That mapping is what lets us answer audit and RFP questions with documented evidence rather than assertion.
The public summary above is complete in itself. For reviewers who need the operational evidence, the following are available to customers and prospects upon request.
Detailed inventory of controls mapped to NIST SP 800-53 and SOC 2 Trust Services Criteria. The document customers send to their auditors.
Our standard DPA, including terms, sub-processor list, breach protocol, and data return and deletion procedures.
A single portal containing our controls inventory, certifications, sub-processor list, audit reports, and live security posture. Reviewed and updated continuously, with the same evidence we provide to auditors.