SECURITY

Your Data Deserves Institutional-Grade Protection

Event staffing data is sensitive — personal information, compensation details, client budgets. We treat every record with the rigour it demands.

Infrastructure

Secure by Architecture

Encryption at Rest & in Transit

All data stored in Popsicle is encrypted at rest using AES-256, the same standard used by financial institutions and government agencies. Every connection to our platform is protected with TLS 1.3, ensuring that data in transit between your browser, our servers, and our SMS provider cannot be intercepted or tampered with. There is no unencrypted path to your data.

Canadian Hosting

All Popsicle data is hosted on Canadian servers within SOC 2 Type II certified data centres. Your data never leaves Canadian jurisdiction, which means it's protected under Canadian privacy law — including PIPEDA — and is not subject to foreign surveillance frameworks like the US CLOUD Act. For agencies managing Canadian talent and client budgets, data residency matters.

Authentication & Access Control

Every Popsicle account is protected by bcrypt-hashed passwords with mandatory complexity requirements. Role-based access control ensures that team members only see the data their role requires — field staff never see billing details, and finance users don't need operational dashboards. Session management includes automatic timeout and secure cookie handling to prevent session hijacking.

Continuous Monitoring

Our infrastructure is monitored 24/7 for anomalies, intrusion attempts, and performance degradation. Automated alerts flag unusual access patterns — like login attempts from new geographies or bulk data exports — and our incident response protocol ensures that any potential breach is investigated and contained within hours, not days. We maintain detailed logs for forensic analysis and compliance reporting.

Data Practices

Your Data. Your Control.

Data Minimization

We only collect what the platform needs to function. We don't sell data, we don't share data between tenants, and we don't use your operational data to train models or build marketing profiles. When you delete a record, it's deleted — not archived, not anonymized, deleted.

Complete Audit Trail

Every action in Popsicle is logged — who made a change, when they made it, and what the previous value was. This isn't just a security feature; it's an operational one. When a client questions a number on an invoice, you can trace it back to the exact check-in event. Full traceability, zero guesswork.

Data Portability

Your data is yours. You can export everything — staff records, event histories, reconciliation reports — at any time in standard formats. If you ever decide to leave Popsicle, you take your data with you. No lock-in, no extraction fees, no 30-day export windows. We believe earning your business means you stay by choice.

Compliance

Built to Standard

PIPEDA Compliant

Popsicle is designed to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal private-sector privacy law. This means we follow the ten fair information principles: accountability, identifying purposes, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, individual access, and challenging compliance. Our privacy practices are reviewed annually against PIPEDA requirements.

OWASP Top 10 Protected

Our application is developed and tested against the OWASP Top 10 — the most critical web application security risks as defined by the Open Web Application Security Project. This includes protections against SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), broken authentication, sensitive data exposure, and the remaining categories. We conduct regular vulnerability assessments and code reviews to ensure compliance with these standards.

Tenant Isolation

Popsicle's multi-tenant architecture ensures complete data isolation between accounts. Your staff records, event data, and financial information are never accessible to another tenant — not through the application, not through the database, not through the API. Tenant context is enforced at the middleware layer before any query reaches the database, making cross-tenant data access architecturally impossible.

Security You Can Verify

Have specific security questions? We're happy to provide documentation, answer questionnaires, or walk through our architecture with your team.
