Security & Data Handling

Last Updated: May 2026

1. Our Commitment

Security is foundational to everything we build. GuildBuild operates a security-first culture where protecting client data is not a checkbox — it is how we work every day.

We follow a shared responsibility model with Microsoft Azure: Azure secures the cloud infrastructure (physical security, networking, hardware), and GuildBuild secures the applications, configurations, access controls, and data handling practices we build on top of it.

2. Cloud Infrastructure

All client data and project work are hosted on Microsoft Azure, using the Canada Central (Toronto) data centre region.

Azure's Canadian data centres are built and operated with:

  • 24/7 physical security with biometric access controls
  • Redundant power, cooling, and network connectivity
  • Environmental monitoring and fire suppression systems
  • Video surveillance and security personnel

Microsoft Azure is one of the most certified cloud platforms in the world, with over 100 compliance certifications — including those directly relevant to Canadian businesses.

3. Compliance Framework

GuildBuild's security practices align with the following frameworks and certifications through our use of Microsoft Azure and our internal policies. Certifications marked (Azure) are held by Microsoft for the platform layer: under the shared responsibility model they cover the infrastructure GuildBuild runs on, not GuildBuild's own application-layer controls, which are governed by the internal policies described on this page.

  • PIPEDA: Canada's federal privacy law; all 10 fair information principles (accountability, identifying purposes, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, individual access, challenging compliance)
  • CASL: Canada's Anti-Spam Legislation; express consent, sender identification, unsubscribe mechanisms
  • SOC 2 Type II (Azure): security, availability, processing integrity, confidentiality and privacy controls
  • ISO/IEC 27001:2022 (Azure): information security management system
  • CSA STAR (Azure): Cloud Security Alliance cloud-specific security controls
  • Microsoft Responsible AI: fairness, reliability and safety, privacy and security, inclusiveness, transparency, accountability

4. Data Residency & Sovereignty

All client data remains within Canadian borders. This is not optional — it is our default.

  • Primary data centre: Azure Canada Central (Toronto, Ontario)
  • Disaster recovery: Azure Canada East (Quebec City, Quebec) — still within Canada
  • No data is transferred outside Canada without the Client's explicit written consent
  • Microsoft's data residency commitments keep customer data at rest within the selected Canadian geography for regional Azure services; non-regional services are excluded, so we deploy only regional services for client workloads

This means GuildBuild supports the data residency requirements of Canadian federal and provincial regulations, including for industries with heightened sensitivity such as financial services, healthcare, and government. Residency is one requirement among several; the access, encryption, and retention controls in the following sections cover the rest.

5. Encryption

5.1 Data at Rest

  • All stored data is encrypted using AES-256 via Azure Storage Service Encryption
  • Database encryption using Transparent Data Encryption (TDE)
  • Encryption is enabled by default — it cannot be turned off

5.2 Data in Transit

  • All data in transit is encrypted using TLS 1.2 or higher
  • HTTPS enforced on all web endpoints — no unencrypted connections accepted
  • Internal service-to-service communication uses mutual TLS where supported

5.3 Key Management

  • Encryption keys managed via Azure Key Vault
  • FIPS 140-2 Level 2 validated hardware security modules (HSMs)
  • Key rotation policies enforced

6. Access Control

  • Role-Based Access Control (RBAC) — team members only access what they need for their role
  • Microsoft Entra ID (formerly Azure Active Directory) for identity management
  • Multi-Factor Authentication (MFA) enforced for all team members — no exceptions
  • Principle of least privilege — permissions start at zero and are granted as needed
  • Quarterly access reviews — we review who has access to what every 90 days
  • Privileged Access Workstations for administrative operations

7. Network Security

  • Azure Virtual Network (VNet) isolation for client workloads
  • Network Security Groups (NSGs) controlling inbound and outbound traffic
  • Private endpoints for data services — no public internet exposure for databases or storage
  • Azure DDoS Protection for public-facing services
  • Web Application Firewall (WAF) rules for application-layer protection
  • No client data traverses the public internet between internal services
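The following Bicep fragment is an added example, not GuildBuild's own deployment code, showing how the transit controls in section 5.2 and the network controls in section 7 are expressed for an Azure storage account: TLS 1.2 minimum, HTTPS only, public network access disabled, and a private endpoint inside the client VNet. The resource names, the subnet parameter and the SKU are assumptions; the property values are the settings the page describes. Each setting is set explicitly rather than relying on platform defaults, which have changed over time.

```bicep
// Added example: hardened storage-account configuration for a Canada Central
// deployment. Not GuildBuild's own template. Names, the subnet parameter and
// the SKU are assumptions; the property values are the controls the page states.
param location string = 'canadacentral'
param storageName string              // assumed, e.g. 'stclientdata001'
param privateEndpointSubnetId string  // assumed: resource ID of a subnet in the client VNet

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageName
  location: location
  kind: 'StorageV2'
  // GZRS replicates to the paired region (Canada East for Canada Central),
  // matching the geo-redundant backup claim in section 9. Assumed choice.
  sku: { name: 'Standard_GZRS' }
  properties: {
    minimumTlsVersion: 'TLS1_2'        // reject TLS 1.0/1.1 clients (section 5.2)
    supportsHttpsTrafficOnly: true     // no plaintext HTTP to the account
    allowBlobPublicAccess: false       // no anonymous container or blob reads
    allowSharedKeyAccess: false        // Entra ID auth only, no account keys (section 6)
    publicNetworkAccess: 'Disabled'    // reachable only through the private endpoint (section 7)
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
    }
  }
}

// Private endpoint for the blob service, placed in the client VNet so that
// no traffic to the account traverses the public internet.
resource blobPrivateEndpoint 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: '${storageName}-blob-pe'
  location: location
  properties: {
    subnet: { id: privateEndpointSubnetId }
    privateLinkServiceConnections: [
      {
        name: '${storageName}-blob'
        properties: {
          privateLinkServiceId: storage.id
          groupIds: [ 'blob' ]
        }
      }
    ]
  }
}
```

Encryption at rest (section 5.1) needs no property here because storage service encryption is always on. The private endpoint only works for name resolution if the VNet is linked to a `privatelink.blob.core.windows.net` private DNS zone, which this fragment does not create. `allowSharedKeyAccess: false` is stricter than the page requires and breaks tooling that still authenticates with account keys, so confirm client integrations use Entra ID before enabling it. To verify an existing account against these settings, `az storage account show -n <name> -g <rg> --query "{tls:minimumTlsVersion,httpsOnly:enableHttpsTrafficOnly,publicNetwork:publicNetworkAccess,sharedKey:allowSharedKeyAccess}"` returns the four values in one call.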

8. Incident Response

GuildBuild maintains a documented incident response plan with four phases:

  1. Detect — continuous monitoring with Microsoft Defender for Cloud (formerly Azure Security Center), log analytics, and anomaly alerts
  2. Contain — isolate affected systems to prevent spread, preserve evidence
  3. Eradicate — identify root cause, remove the threat, patch vulnerabilities
  4. Recover — restore services from clean backups, verify integrity, resume operations

Client Notification

In the event of a security incident affecting client data, GuildBuild will notify the Client within 72 hours of becoming aware of the breach. The 72-hour window is a GuildBuild commitment; PIPEDA itself requires that the Privacy Commissioner and affected individuals be notified as soon as feasible of any breach of security safeguards that creates a real risk of significant harm, and that a record of every breach be kept. Notification includes: what happened, what data was affected, what we are doing about it, and what the Client should do.

Post-Incident Review

Every security incident is followed by a blameless post-mortem. Findings are documented, corrective actions are tracked to completion, and lessons learned are applied across the organization.

9. Business Continuity

  • Geo-redundant backups — data is backed up across Azure Canada Central and Canada East
  • Recovery Point Objective (RPO) — target of 1 hour for critical systems (meaning at most 1 hour of data could be lost)
  • Recovery Time Objective (RTO) — target of 4 hours for critical systems (meaning services restored within 4 hours)
  • Annual disaster recovery testing — we test our recovery procedures at least once per year
  • Documented recovery procedures — step-by-step runbooks for every critical system

10. Vendor & Subprocessor Management

GuildBuild uses a limited number of third-party services. Each is evaluated for security before use:

  • Microsoft Azure
    Purpose: primary cloud platform (compute, storage, databases, AI)
    Data exposure: client data; encrypted, Canada-only
  • Vercel
    Purpose: website hosting and deployment
    Data exposure: website analytics (aggregate, no PII)
  • Z.AI / Zhipu
    Purpose: AI chat on website (Build Architect wizard)
    Data exposure: website visitor questions only; no client project data
  • Anthropic (Claude Code)
    Purpose: AI-assisted development and code generation
    Data exposure: code and technical context only; no client business data
  • OpenAI (ChatGPT Codex)
    Purpose: AI-assisted development and code generation
    Data exposure: code and technical context only; no client business data

No client engagement data (project files, databases, dashboards, pricing data) is shared with Z.AI/Zhipu, Vercel, Anthropic, or OpenAI. AI development tools are used for code generation and technical problem-solving only — client business data is never submitted to these services.

11. Employee Security

  • Background checks completed for all team members before they access client systems
  • Security awareness training completed annually — covering phishing, social engineering, data handling, and incident reporting
  • Access deprovisioning within 24 hours of departure — accounts disabled, access revoked, devices secured
  • Confidentiality agreements signed by all team members
  • Clean desk and clear screen policies when working with client data

12. AI & Data Science Governance

GuildBuild builds AI agents, automation workflows, and data science models for clients. Our approach to responsible AI:

  • Model validation — every model is tested against representative data before deployment
  • Bias monitoring — we review model outputs for unintended bias, especially in decision-support systems
  • Human oversight — high-impact decisions always include human review (no fully autonomous decisions on sensitive matters)
  • Transparency — clients understand what the model does, what data it uses, and how it reaches conclusions
  • Data boundaries — AI models only access the data they need, governed by the same RBAC and encryption as all other systems

These practices align with Microsoft's Responsible AI principles: fairness, reliability and safety, privacy and security, inclusiveness, transparency, and accountability.

13. Contact

For security-related inquiries, concerns, or to report a vulnerability:

GuildBuild Inc.

Security Team

Email: contact@guildbuild.ca

Responsible Disclosure

If you discover a security vulnerability in our systems, please report it to us directly at contact@guildbuild.ca with the subject line "Security Vulnerability Report." We will acknowledge receipt within 2 business days and work with you to understand and address the issue. We do not pursue legal action against security researchers who report vulnerabilities responsibly.