Compliance & Data Protection
Security & Compliance
Civic Procurement is built with Canadian municipal security and compliance requirements at its foundation — not as afterthoughts. From sealed bid encryption and MFIPPA privacy to BPS Directive compliance and a complete procurement audit trail, every security decision reflects the realities of municipal procurement operations.
Canadian Municipal Compliance
Municipal & Provincial Regulations
Purpose-built for Canadian municipalities, with full alignment to federal, provincial, and municipal legislation governing public-sector data management.
Ontario — Broader Public Sector
Full alignment with the Broader Public Sector Procurement Directive: competitive procurement requirements, mandatory electronic posting thresholds, fair evaluation processes, prohibition of unfair practices, and reporting requirements. BPS portal cross-posting automated for qualifying procurements.
Federal — Canada
Automated threshold determination per CFTA procurement obligations. Solicitations above threshold posted with required non-discrimination, transparency, and fairness provisions. Vendor standing and bid deposit requirements compliant. Procurement process documentation meets CFTA review requirements.
Federal — Canada / EU
CETA procurement chapter compliance for municipal procurements above applicable thresholds. Non-discriminatory tender procedures, technical specification requirements, and time limits for receipt of tenders implemented. Electronic bid submission meets CETA electronic procurement standards.
Ontario
Municipal Freedom of Information and Protection of Privacy Act compliance built into every workflow. Vendor personal information protection, bid confidentiality, sealed submission access controls, FOI request handling procedures, and records retention enforcement per municipal schedule.
Ontario
Accessibility for Ontarians with Disabilities Act compliance across all interfaces — internal procurement platform and public-facing vendor portal. WCAG 2.1 AA: keyboard navigation, screen reader support (JAWS, NVDA, VoiceOver), 4.5:1 contrast ratios, semantic HTML, and accessible document formats.
Ontario
Construction procurement compliance: holdback management (10% basic holdback, finishing holdback), prompt payment provisions, lien period tracking, substantial performance calculations, and contractor payment certification workflows — per Ontario Construction Act requirements.
Ontario
Aligned with Municipal Act provisions for procurement bylaws, spending authority, council oversight of contract awards above threshold, and municipal record-keeping requirements. System enforces procurement bylaw thresholds and council reporting obligations configured per municipality.
“Compliance is not a feature we bolted on after launch — it is the architectural foundation every line of code is written against. Canadian municipalities deserve a platform that treats their legislative obligations as first-class requirements.”
Civic Engineering · Platform Architecture Team
Regulatory Compliance
Industry Frameworks
Beyond municipal legislation, the platform satisfies internationally recognized compliance frameworks.
Annual third-party audit against AICPA Trust Services Criteria covering security, availability, processing integrity, confidentiality, and privacy. Particularly critical for procurement systems handling sealed bids, vendor financial information, and evaluation details.
- Logical access controls with RBAC and sealed bid encryption
- Change management with procurement configuration audit trail
- Incident response procedures for procurement data breaches
- Vendor portal security monitoring and threat detection
- Backup and recovery with RPO <1 hour, RTO <4 hours
Information security management system aligned to ISO 27001:2022 covering risk management, asset management, access control, cryptography, and supplier relationships — addressing the specific risks of procurement data, bid confidentiality, and vendor relationship information.
- Risk-based security controls for procurement lifecycle data
- Cryptographic protection for sealed bids (AES-256)
- Access control for evaluation committee and bid content
- Supplier relationship security for vendor portal
- Business continuity for critical procurement deadlines
Security posture aligned with NIST CSF functions: Identify, Protect, Detect, Respond, Recover. Procurement-specific threat modelling addresses risks including bid tampering, vendor impersonation, unauthorized access to evaluation scores, and supply chain attacks.
- Asset management for procurement data classification
- Identity management with MFA for all internal users
- Continuous monitoring of sealed bid integrity
- Anomaly detection for procurement workflow deviations
- Recovery planning for procurement system availability
Implementation of CIS Critical Security Controls for enterprise-grade protection of the procurement platform. Focus areas: inventory management, secure configuration, access control, audit logging, malware defence, and data protection for procurement records.
- Enterprise asset and software inventory
- Secure configuration of procurement platform
- Account management with role-based access control
- Audit log management with 7-year procurement retention
- Data protection for vendor PII and bid content
Data Sovereignty
100% Canadian Data Residency — Contractually Guaranteed
Every byte of procurement data — sealed bids, evaluation scores, vendor records, contract documents, spend analytics, and audit trail — is stored and processed exclusively in Canadian data centres. This is not an option or add-on — it is the default configuration, contractually guaranteed, with no cross-border data transfers under any circumstance.
Hosting: Canadian Only
Centres: 3 Redundant
Encryption: AES-256
Sovereignty: PIPEDA / MFIPPA
Platform Security
Security Capabilities
Auditability
Audit Trail Features
Every action is logged, timestamped, and immutable — providing the complete audit trail required by provincial legislation and municipal accountability standards.
- Every requisition action logged: creation, modification, approval/rejection, PO conversion — with user, timestamp, and decision rationale
- Sealed bid submission timestamps cryptographically verifiable — proving exact time of vendor submission and system receipt
- Evaluation committee activity monitoring: COI declaration filing, score entry, score modification, consensus session participation — all timestamped
- Award recommendation and approval chain fully documented: recommender, each approver in chain, decision, justification, and dissenting notes
- Vendor portal activity log: registration, profile updates, bid submissions, document uploads, communication — supporting MFIPPA access requests
- Contract lifecycle events: execution, amendments, milestone completions, payment authorizations, renewal decisions, and close-out — linked to source documents
- Configuration change audit: threshold modifications, approval chain changes, role assignments, policy updates — who changed what, when, and previous value
- 7-year minimum retention with legal hold capability, tamper-proof storage, and archival export in PDF/A format for long-term preservation
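An "immutable" audit trail is only as good as its ability to reveal after-the-fact changes. As an added illustration, not the platform's own code, the following hash-chains constructed sample events of the kinds listed above (a requisition, a threshold configuration change with its previous value, a bid receipt) and shows verification failing when a recorded value is edited and when an entry is deleted; all users, identifiers and timestamps are hypothetical.

```python
import hashlib
import json

GENESIS_HASH = "0" * 64  # anchor for the first entry

def _digest(body):
    # Canonical JSON so the hash does not depend on key order or spacing.
    return hashlib.sha256(
        json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def append_event(chain, action, user, detail, ts):
    """Append an entry whose hash covers its content and the previous hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    body = {"seq": len(chain), "ts": ts, "user": user, "action": action,
            "detail": detail, "prev_hash": prev_hash}
    chain.append(dict(body, hash=_digest(body)))
    return chain[-1]

def verify_chain(chain):
    """Return (ok, first_bad_seq); edits, deletions and reordering all fail."""
    prev_hash = GENESIS_HASH
    for expected_seq, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if (entry["seq"] != expected_seq or entry["prev_hash"] != prev_hash
                or _digest(body) != entry["hash"]):
            return False, expected_seq
        prev_hash = entry["hash"]
    return True, None

def build_sample_chain():
    """Constructed sample events; users, ids and timestamps are hypothetical."""
    chain = []
    append_event(chain, "requisition.create", "buyer@example.ca",
                 {"requisition_id": "REQ-0001", "amount_cad": 48500}, "2024-03-01T14:02:11Z")
    append_event(chain, "config.threshold_change", "admin@example.ca",
                 {"setting": "council_approval_threshold", "previous_value": 100000,
                  "new_value": 75000}, "2024-03-02T09:15:40Z")
    append_event(chain, "bid.received", "system",
                 {"solicitation_id": "RFP-2024-07", "vendor_id": "V-1183",
                  "document_sha256": "<placeholder>"}, "2024-03-10T15:59:58Z")
    return chain

def tamper_demo(chain):
    """Both an edit of a recorded value and a deletion break the chain."""
    edited = [dict(e, detail=dict(e["detail"])) for e in chain]
    edited[1]["detail"]["previous_value"] = 75000  # rewrite history
    deleted = chain[:1] + chain[2:]                  # drop the config change
    return {"edited": verify_chain(edited), "deleted": verify_chain(deleted)}
```

A chain like this only proves integrity relative to its latest hash, so that hash still has to be anchored somewhere the log writer cannot rewrite (a separate store, a signed timestamp, or a periodic external notarisation).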