✓ GDPR compliant by design
✓ Multi-layer encryption
⏳ ISO 27001 — In progress

Security by Design. Trust by Architecture.

Filvacy protects your data at every level: encryption in transit, at rest, and a dedicated encryption key per client file. When a file is deleted, the data becomes permanently and irreversibly inaccessible.

Encryption

Encryption & Data Isolation

Your data is encrypted in transit and at rest. Each client file has its own encryption key — complete isolation between your clients. Filvacy contractually commits to accessing data solely for the purpose of providing the service.

⚠️

Traditional Services

  • Shared encryption across all clients
  • Server-side encryption only
  • No isolation between client files
  • Deletion with no guarantee of complete erasure
🔒

Filvacy

  • Strong encryption at rest and in transit
  • Dedicated encryption key per client file
  • Permanent and irreversible deletion on request
  • Contractual commitment not to access your data

Security architecture

Encryption

AES-256-GCM

Data and files at rest

Transit

TLS 1.3

All communications

Isolation

Key per file

One file = one dedicated key

Deletion

Permanent

Immediately inaccessible

Note: When a client file is deleted, the encryption key specific to that file is immediately destroyed. The associated data becomes permanently inaccessible — even to Filvacy.

Compliance

Certifications & Regulatory Compliance

🇪🇺

GDPR (Europe)

Compliant with the General Data Protection Regulation (EU 2016/679).

  • Data minimization
  • Right to erasure
  • Audit logs
🍁

Law 25 (Québec)

Compliant with the Act respecting the protection of personal information in the private sector (Law 25).

  • Consent to collection
  • Configurable minimum retention
  • Automatic deletion
  • Designated privacy officer
  • Right of access and rectification

ISO 27001:2022

Information security management — certification in progress.

  • ISMS (Information Security Management System)
  • Internal audit being structured
  • Using CISO Assistant (GRC)
External audit planning in progress
🌍

Multi-Region Hosting

Your data stays in your jurisdiction — by design, not as an option.

  • filvacy.ca — Canada (Montréal)
  • filvacy.com — United States (Virginia)
  • filvacy.eu — Europe (Frankfurt)

No inter-region transfers by default.

Security

Technical Security Measures

🔐

Authentication

  • MFA mandatory for teams
  • Authentication via single-use secure link for clients
  • Role-based access control (RBAC)
  • Time-limited sessions
📋

Logging & audit

  • Audit log of sensitive actions
  • Document access traceability
  • Event timestamping
  • Log retention
🛡️

Infrastructure

  • Encryption at rest (AES-256)
  • TLS 1.3 for all communications
  • DDoS protection (DigitalOcean Managed)
  • Automatic security updates
⏱️

Retention & deletion

  • Configurable automatic deletion per portal
  • Permanent purge after cancellation (15 days)
  • Storage and database-side deletion
  • No hidden copy retention
🔔

Monitoring

  • Continuous operational monitoring
  • Periodic security reviews
📁

File storage

  • Managed object storage (Supabase Storage)
  • Access via time-limited signed URLs
  • Per-organization isolation
  • No direct access to raw files

Data Protection

Your Data Rights

In accordance with GDPR, Law 25 and PIPEDA, you have the following rights as a Filvacy user.

👁️

Access

Obtain a copy of all your personal data processed by Filvacy.

✏️

Rectification

Correct any inaccurate information about you.

🗑️

Erasure

Request deletion of your account and all your data.

📦

Portability

Export your data in a standard format from your dashboard.

⏸️

Restriction

Restrict the processing of your data in certain circumstances.

🙋

Objection

Object to certain processing based on legitimate interest.

Note for organization clients: If you are the end client of a professional using Filvacy, your rights (access, rectification, deletion) must be exercised directly with that professional, who is the data controller. Filvacy, as a technical processor, cannot process these requests on your behalf.

Transparency

Subprocessors

Filvacy uses carefully selected subprocessors, all compliant with GDPR requirements.

Provider     | Role                 | Certifications
Supabase     | Database & storage   | SOC 2 Type II, ISO 27001
DigitalOcean | Hosting              | SOC 2 Type II, ISO 27001
Stripe       | Payments             | PCI DSS Level 1, SOC 1 & 2 Type II
Resend       | Transactional emails | SOC 2 Type II, GDPR compliant
Sentry       | Error monitoring     | SOC 2 Type II, ISO 27001

This list is kept up to date. For any questions about our subprocessors, use our contact form.

Documentation

Transparency & Legal Documentation

📄

Legal Documents

🔐

Security

  • Report a vulnerability: report via the form
  • We are committed to responding to any responsible disclosure within 5 business days.

Responsible Disclosure Policy
📬

Contacts

Our commitments

🇪🇺 GDPR compliant
🍁 Law 25 (Québec)
🔒 Multi-layer encryption
🌍 Multi-region hosting
ISO 27001 — In progress
🛡️ TLS 1.3 + AES-256
