Campaign data is among the most sensitive information in Canadian democracy. We built RidingDesk with security as a foundational principle — not an afterthought. Every layer of our stack is designed to protect your voters, your team, and your campaign.
Our infrastructure is built on AWS's most secure Canadian region, with multiple layers of defence protecting your data around the clock.
All data is hosted exclusively in AWS ca-central-1 (Montreal). Your campaign data never leaves Canadian soil, ensuring compliance with federal and provincial data sovereignty requirements.
All stored data is encrypted using AES-256 encryption, the same standard used by the Canadian government and financial institutions. Database volumes, backups, and object storage are all encrypted by default.
Every connection to RidingDesk is secured with TLS 1.3, the latest and most secure transport protocol. We enforce HTTPS everywhere and use HSTS to prevent downgrade attacks.
Our infrastructure and processes are designed to meet SOC 2 Type II requirements. We are actively pursuing certification and conduct regular third-party audits of our security controls.
Security is embedded in every stage of our development process, from design through deployment and ongoing monitoring.
Our application is built with defences against the OWASP Top 10 vulnerabilities, including SQL injection, cross-site scripting (XSS), broken authentication, and security misconfiguration.
We engage independent Canadian security firms to perform penetration testing on a quarterly basis. Findings are triaged within 48 hours and critical issues are patched immediately.
Automated dependency scanning runs on every build. We monitor for known vulnerabilities in third-party packages and apply security patches within our SLA of 72 hours for critical CVEs.
All code undergoes mandatory peer review, static analysis, and automated security testing before deployment. Our CI/CD pipeline enforces security gates that block vulnerable code from reaching production.
Granular access controls, comprehensive logging, and strict data isolation ensure that sensitive campaign information stays protected.
Six granular roles — Campaign Manager, Field Director, Organizer, Canvasser, Data Analyst, and Viewer — ensure team members only access the data they need. Permissions are enforced at the API level.
Every action in RidingDesk is logged with timestamps, user identity, IP address, and the specific change made. Audit logs are immutable and retained for the duration required by Elections Canada.
Sessions expire after configurable periods of inactivity (default: 30 minutes). Concurrent session limits prevent unauthorized access, and administrators can force-terminate any active session.
Each campaign operates in a logically isolated environment. Strict tenant separation ensures that one campaign can never access another campaign's voter data, communications, or analytics.
Multiple layers of authentication security protect your campaign accounts from unauthorized access.
MFA is available for all accounts and can be enforced organization-wide by Campaign Managers. We support TOTP-based authenticator apps (Google Authenticator, Authy) and hardware security keys (FIDO2/WebAuthn).
Passwords are hashed using bcrypt with a high work factor. We never store plaintext passwords. Password policies enforce minimum length, complexity requirements, and check against known breached password databases.
Configurable session timeouts with automatic lockout after failed login attempts. Suspicious login activity (unusual location, new device) triggers additional verification steps and alerts to account administrators.
API access uses short-lived JWT tokens with automatic rotation. API keys are scoped to specific permissions and can be revoked instantly. All API calls are rate-limited and logged.
RidingDesk is built to meet the complex web of federal and provincial privacy legislation that governs Canadian political campaigns.
Personal Information Protection and Electronic Documents Act
RidingDesk is designed from the ground up to comply with PIPEDA. We implement all 10 fair information principles, provide data subject access mechanisms, and maintain a dedicated Privacy Officer.
Freedom of Information and Protection of Privacy Act
For campaigns interacting with provincial government data, our controls satisfy FIPPA requirements across all provinces where it applies.
Canada Elections Act Requirements
We meet the data handling, retention, and disposal requirements outlined by Elections Canada for voter contact information, contribution records, and campaign communications.
PIPA (AB/BC), ATIPPA (NL), and other provincial legislation
Our platform accounts for the patchwork of provincial privacy legislation across Canada, with configurable controls to meet jurisdiction-specific requirements.
We are actively pursuing SOC 2 Type II certification, the gold standard for SaaS security assurance. This involves a rigorous, independent audit of our security controls, availability, processing integrity, confidentiality, and privacy practices over a sustained observation period.
Our incident response plan is tested regularly and designed to minimize impact and maximize transparency.
In the event of a confirmed security incident that may affect your data, we will notify affected campaigns within 24 hours. Our notification will include the nature of the incident, what data may have been affected, what we are doing to resolve it, and what steps you should take. This exceeds the requirements of PIPEDA's mandatory breach notification provisions.
Our on-call security team operates 24/7 with a 15-minute response time SLA for critical alerts. The response team includes senior engineers, our Privacy Officer, and communications staff to ensure incidents are resolved quickly and transparently. Post-incident reviews are conducted within 72 hours and findings are shared with affected parties.
We value the security research community and encourage responsible disclosure of any vulnerabilities you discover. If you believe you have found a security issue in RidingDesk, please contact us immediately.
Report vulnerabilities to
[email protected]We ask that you give us a reasonable period to address the issue before any public disclosure. We will acknowledge your report within 24 hours, provide an initial assessment within 72 hours, and keep you informed throughout the remediation process. We do not pursue legal action against researchers acting in good faith.
Our team is happy to discuss our security practices in detail, provide documentation, or arrange a call with our security lead.
Last updated: March 2026