SECURITY & COMPLIANCE

Enterprise-Grade Security Infrastructure

At Investigative Risk Management, security is foundational to everything we do. When you trust us with sensitive investigations and services, you're entrusting us with your most critical information.

Cloud-First Security Architecture

Our Approach:

IRM operates on a fully cloud-based, managed technology stack. We intentionally chose cloud-first architecture to leverage enterprise-grade security infrastructure with independent third-party assurance.

Vendor Selection Criteria:

Every cloud service provider in our technology stack is selected based on:

  • Independent Security Assurance - SOC 2 Type II certification (or equivalent)

  • Security Capabilities - Encryption, access controls, logging, monitoring

  • Compliance Alignment - Canadian privacy and data protection requirements

  • Resilience & Availability - Uptime commitments and disaster recovery

  • Audit Rights - Security documentation and audit report availability

Third-Party Assurance:

The cloud services used to store, process, or transmit IRM business and client information maintain SOC 2 Type II reports (or equivalent independent assurance) within the scope of services utilized by IRM.

IRM operates on independently assured infrastructure. Our cloud service providers maintain SOC 2 Type II certification. IRM's internal security controls and governance practices are documented separately and available for review under NDA.

Security Controls Overview

Our security program incorporates controls aligned to SOC 2 Trust Services Criteria:

Security

  • Multi-factor authentication (MFA) for administrative and critical system access

  • Role-based access control with least privilege principles

  • Managed endpoint protection with encryption on all corporate devices

  • Formal onboarding/offboarding procedures for access provisioning

Availability

  • Cloud services with enterprise SLAs (99.9%+ uptime)

  • Data redundancy and business continuity capabilities

  • Automated backup of critical systems and client deliverables

  • 24/7 monitoring for critical security services

Confidentiality

  • TLS 1.2+ encryption for all data in transit

  • AES-256 encryption for data at rest within cloud platforms

  • Permission-based sharing with granular access controls

  • Full-disk encryption on all corporate devices

Processing Integrity

  • Version control and change tracking for client deliverables

  • Multi-person review for critical outputs

  • Cryptographic hashing for forensic evidence verification

  • Access logging to detect unauthorized modifications

Privacy

  • Processing aligned with Canadian privacy laws (PIPEDA)

  • Access limited to authorized personnel with business need

  • Breach notification procedures per legal requirements

  • See our [Privacy Policy] for complete details

Vendor Security Governance

Technology Stack Management:

IRM maintains active governance over all cloud service providers:

  • Security configuration standards applied across platforms

  • Access control baselines enforced consistently

  • Logging and monitoring requirements validated

  • Periodic security reviews of vendor posture and assurance documentation

  • Vendor risk assessments for new service providers

Transparency Note:

Provider SOC 2 reports apply to the service providers' audited environments. IRM's internal security controls and operational practices are documented separately and available for review under NDA.

IRM does not publicly disclose specific vendor identities. This approach reduces security risk (supply chain targeting, reconnaissance) while supporting thorough procurement review via controlled disclosure.

Security Monitoring & Incident Response

Continuous Monitoring:

  • Centralized logging across cloud platforms

  • Security information and event management (SIEM)

  • Real-time alerting for security events

  • Regular review of access patterns

Incident Response:

  • Documented incident response plan

  • Internal escalation procedures

  • Client notification aligned with contractual obligations

  • Post-incident review and improvement

Security Documentation Available

Subject to NDA, IRM can provide:

  • Information Security Overview - Security program and controls summary

  • Third-Party Assurance Confirmation - SOC 2 Type II coverage verification (under NDA)

  • Incident Response Summary - Response capabilities and procedures

  • Access Control Overview - Authentication and access management controls

  • Security Questionnaire Responses - Customized responses to vendor assessments

Why Cloud-First Security

IRM's Cloud Advantages:

  • Enterprise-grade security without capital infrastructure investment

  • Automatic security updates and patch management

  • Independent third-party security audits (SOC 2)

  • High availability and data redundancy built-in

  • Continuous monitoring and threat detection

  • Scalable security aligned to business growth

Security Contact

For security inquiries, procurement reviews, or to request documentation:

Contact: https://irmi.ca/contact
Phone: 1 (855) 384-4764

For information about data privacy practices, see our [Privacy Policy]. For service terms and conditions, see our [Terms of Service].