Security
Security at Béluga.
Designed in, not bolted on.
Our security posture is shaped by the Loi 25, by the fact that we own and operate our hardware in Québec, and by the open-source foundations of every component we ship.
Encryption
- At rest — All object storage (MinIO) and database volumes are AES-256 encrypted on Béluga-owned hardware in Québec.
- In transit — TLS 1.2+ everywhere (web, IMAP, SMTP, CalDAV, CardDAV, Matrix, WebRTC).
- Encryption keys — Hardware security modules (HSMs) located in Québec and operated there by Technologies Shelter-Bay inc. No key material is shared outside the province.
Identity and access
- SSO via Keycloak 26 (OIDC, SAML, fine-grained roles).
- Multi-factor authentication available for every account; mandatory for administrative roles on Affaires/Municipalité plans.
- Application-specific passwords for third-party clients, never exposing the main password.
- hCaptcha protection on signup and invitation flows.
Infrastructure
- Bare-metal servers (sbcloud-yul-01) owned by Technologies Shelter-Bay inc., colocated in a Tier III Québec data center.
- Self-hosted K3s orchestration; immutable container images built via GitLab CI + Kaniko.
- No reliance on AWS Canada, GCP Canada or Azure Canada — those regions remain subject to the U.S. CLOUD Act.
- Daily encrypted backups to a second Québec site; offline cold copies retained per policy.
Monitoring and incident response
- Application errors monitored via GlitchTip (open-source Sentry alternative), self-hosted.
- Metrics, logs and traces aggregated via Prometheus / Grafana / Loki.
- Incident response plan aligned with Loi 25 notification requirements (72-hour ceiling).
- Annual independent security audit, with the first one planned 12 months after public launch.
Compliance
- Conforming to Loi 25 by default — no transfer of personal information outside Québec for standard usage.
- Out of reach of the U.S. CLOUD Act and FISA 702 — no U.S. parent company, no U.S. subsidiary.
- Data Processing Agreement (DPA) available in French, governed by the Civil Code of Québec.
- SOC 2 Type II program scheduled, ISO 27001 in preparation (Q2 2026).
Reporting a vulnerability
Please email security@beluga.quebec. We acknowledge reports within 48 hours and provide a remediation timeline within five business days. We publish an annual transparency report on government data requests.