
Security Policy

How Map.ca protects accounts, infrastructure, secrets, and operational data day to day.

Security is a precondition for trust, not a feature. The Security Policy defines Map.ca’s operating standard for account security (MFA on admin accounts, password discipline for users), data security (encryption at rest and in transit), infrastructure security (production access controls, secrets management, dependency hygiene), and operational security (monitoring, audit logging, vendor security review). PIPEDA’s safeguards principle is the regulatory floor; Map.ca’s practical bar is higher.

It applies to Map.ca engineering, security, operations, and to any vendor with production access. Production credentials in source control, shared admin accounts, and unmonitored access are non-starters.

Requirements

  • Encrypt personal and sensitive data at rest and in transit.
  • Enforce MFA on all admin accounts and on accounts with production access.
  • Rotate credentials on a documented schedule.
  • Monitor and audit-log production access continuously.

Prohibitions

  • Do not commit production credentials, secrets, or keys to source control.
  • Do not share admin accounts between people.
  • Do not provision production access without monitoring and audit logging.
  • Do not bypass security review for vendor integrations handling production data.
