Independently audited. Built for regulated industries.
Amanah’s infrastructure is SOC 2 Type II certified and compliant with Canadian federal and Ontario provincial privacy law. Our controls are independently tested, documented, and operating effectively not just implemented.

Location
151 Front St West
Data residency
Canadian data, always
Established
Since 2001
Certified
SOC 2 Type II
Control 2
SOC 2 Type II
Controls tested over time.
Not just implemented.
Amanah’s certification covers all five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. The audit assesses controls across our physical infrastructure, access management, network operations, and incident response procedures.
Role-based access control and least-privilege enforcement
Access to systems and data restricted to minimum necessary permissions.
Continuous network monitoring
Traffic, routing, and infrastructure monitored around the clock by in-house NOC.
Incident detection and response procedures
Documented procedures for identifying, escalating, and resolving security incidents.
Incident detection and response procedures
Documented procedures for identifying, escalating, and resolving security incidents.
Change management and configuration controls
All infrastructure changes reviewed and approved through formal change management.
Infrastructure redundancy and uptime safeguards
N+1 redundancy across power, cooling, and network. 99.99% uptime SLA.
Physical security at data center facilities
Multi-layer authenticated access, CCTV, 24/7 on-site staff, unique per-client rack codes.
Vendor and risk management processes
Third-party vendors assessed and managed through formal risk management procedures.
PIPEDA
Canada's federal privacy law for commercial activity.
The Personal Information Protection and Electronic Documents Act (PIPEDA) governs how private sector organizations in Canada collect, use, and disclose personal information in the course of commercial activities. All Amanah operations, infrastructure, and data handling practices comply with PIPEDA’s mandatory provisions.
Because Amanah operates entirely within Ontario, all data hosted at TOR1 and TOR2 remains in Canada, subject to Canadian law. Amanah can provide documentation to support clients’ own PIPEDA compliance reviews.
Consent for collection of personal information
Personal information collected only with knowledge and consent of the individual.
Limited collection for reasonable purposes
Personal information collected only for purposes that a reasonable person would consider appropriate.
Limited use and disclosure
Personal information used only for the purpose for which it was collected, not sold or shared without consent.
Safeguards for protection of personal information
Documented procedures for identifying, escalating, and resolving security incidents.
Change management and configuration controls
Appropriate security measures protect personal information against loss, theft, and unauthorized access.
Data stays in Canada
All infrastructure at 151 Front Street West, Toronto, Ontario. No cross-border data transfers.
Protection and Electronic
Documents Act
Information
Protection Act
PHIPA
Ontario's health data protection law.
The Personal Health Information Protection Act (PHIPA) is Ontario’s legislation governing the collection, use, and disclosure of personal health information (PHI). It applies to health information custodians hospitals, clinics, pharmacies, healthcare practitioners, and the IT infrastructure providers they rely on.
Amanah’s infrastructure is suitable for organizations subject to PHIPA. As an IT infrastructure provider, Amanah ensures that physical and logical safeguards are in place, breach notifications are issued promptly, and service descriptions are clear and transparent. The healthcare organization handling the data remains the custodian responsible for their own PHIPA compliance obligations.
Physical and logical safeguards for PHI
Multi-layer access controls, CCTV, and 24/7 monitoring protect all infrastructure housing health data.
Privacy breach notification
Amanah will notify clients of any privacy breach as soon as reasonably possible.
Plain language service description
Amanah provides clear descriptions of services, safeguards, and data handling practices on request.
Data remains in Ontario
All infrastructure at 151 Front Street West, Toronto. PHI never leaves the province.
Use limited to original collection purpose
Amanah does not access or use client data beyond what is necessary to deliver the contracted service.
Why It Matters
What certification means for your business.
Independent certification is not a formality. For organizations in regulated industries, it is a prerequisite for doing business and a signal of operational maturity.
Regulated industries
Healthcare, financial services, legal, and government organizations often require their infrastructure providers to hold SOC 2 certification or comply with specific privacy laws before engaging. Amanah meets these requirements.
Enterprise procurement
Large enterprises frequently include compliance requirements in vendor assessments and procurement processes. SOC 2 Type II and PIPEDA compliance reduces procurement friction and accelerates security reviews.
Canadian data residency
Many Canadian organizations are required or choose to keep data on Canadian soil subject to Canadian law. Amanah operates entirely in Ontario, which satisfies data residency requirements for PIPEDA, PHIPA, and most Canadian compliance frameworks.
Independently validated security
SOC 2 Type II means an independent auditor, not Amanah itself, has verified that our security controls work as described and have been operating effectively over time. This is the standard enterprises and regulated industries trust.
Healthcare infrastructure
PHIPA compliance makes Amanah suitable for hospitals, clinics, health tech companies, and any organization storing or processing personal health information in Ontario. The data stays in the province and the infrastructure meets required safeguards.
Documentation on request
Amanah can provide compliance documentation, service descriptions, and supporting materials for client security reviews, audits, and compliance assessments. Contact the team to request materials for your specific requirements.