Security & deployment

Hosted in Canada. Designed to support a Protected B conversation.

GC Procurement Advisor is built for an audience that takes departmental Security Assessment and Authorization seriously. The deployment posture described below is intended to support that conversation, not to substitute for it.


Posture summary

The application is hosted on Google Cloud in Montréal, with operational data held in Canada. The deployment separates operational records from the policy data the application reasons over. The policy layer is identity-free by design.

Control selection has been informed by ITSG-33 and is designed to support Protected B Medium Medium alignment, subject to departmental Security Assessment and Authorization. The current posture supports discovery, demonstration, and unclassified advisory use.

Technical assurance material describing the full control set and the proposed SA&A path is available to qualified evaluators under appropriate non-disclosure arrangements.


Selected controls

The controls below are a representative subset of the operating posture. They are described at the level departments typically expect to see at the start of an SA&A conversation; deeper technical detail is provided to qualified evaluators under appropriate non-disclosure arrangements.

Hosting and data residency
Hosted on Google Cloud in Montréal. Operational data — sessions, audit logs, decisions, user records — is held in Canada. The instance and its backups are pinned to a Canadian region.

Architectural separation
Operational data lives in a Cloud SQL PostgreSQL instance, separated from the policy graph the application reasons over. The policy layer is identity-free by design: identical procurement contexts produce identical authoritative data, regardless of who is asking.

Encryption in transit and at rest
TLS 1.3 enforced on connections; AES-256 encryption at rest. Direct password connections to the operational database are rejected; access is mediated by an authenticated Cloud SQL proxy.

Audit logging
Database-level audit logging via pgAudit, complemented by an application-level audit trail that captures who did what and when. Audit rows are retained after user or session deletion for compliance purposes.

Restricted network access
No authorized public network paths to the operational database. Access is via authenticated proxy only. Connector enforcement is required at the database level.

Automated backups and recovery
Daily automated backups and point-in-time recovery within a seven-day window. Deletion protection is enabled on the live instance.

Account lockout aligned with ITSG-33 AC-7
Failed authentication attempts trigger account lockout aligned with ITSG-33 AC-7: a five-attempt threshold with a fifteen-minute cooldown.

Circuit-breaker protection across data tiers
Both the policy graph client and the operational database client are wrapped in a circuit breaker (three-failure threshold, sixty-second cooldown) so a degraded backing service cannot cascade into the application surface.

Bilingual classification acknowledgement
For pilots, the application surfaces a persistent bilingual classification banner and a first-login acknowledgement gate. The current posture is unclassified-only; the acknowledgement is recorded in the audit trail with the policy version active at the time.
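The account lockout and circuit-breaker controls above share one shape: count failures, trip a gate at a threshold, release it after a cooldown. The Python below is an added example, not GC Procurement Advisor's own code, showing both gates with the thresholds stated on the page (five attempts with a fifteen-minute lockout; three failures with a sixty-second cooldown and a single half-open trial call). The class names, the `attempt_login` flow, the injectable clock and the constructed error message are assumptions made for illustration.

```python
"""Two failure-counting gates with the thresholds stated on the page.

Added example; the class names, attempt_login flow and injectable clock are
assumptions for illustration, not the application's real code.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict


class FakeClock:
    """Deterministic clock so cooldowns can be exercised without waiting."""
    def __init__(self) -> None:
        self.now = 1000.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class AccountLockout:
    """ITSG-33 AC-7 style lockout: `threshold` failures lock the account for `cooldown_s`."""
    threshold: int = 5
    cooldown_s: float = 15 * 60
    clock: Callable[[], float] = time.monotonic
    _failures: Dict[str, int] = field(default_factory=dict)
    _locked_until: Dict[str, float] = field(default_factory=dict)

    def is_locked(self, user: str) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() < until:
            return True
        # Lockout expired: clear state so the next attempt starts from zero.
        del self._locked_until[user]
        self._failures.pop(user, None)
        return False

    def attempt_login(self, user: str, credentials_ok: bool) -> str:
        """Return 'locked', 'ok' or 'failed'. A locked account is refused even
        when the credentials are correct; that is what makes the lockout bite."""
        if self.is_locked(user):
            return "locked"
        if credentials_ok:
            self._failures.pop(user, None)
            return "ok"
        n = self._failures.get(user, 0) + 1
        self._failures[user] = n
        if n >= self.threshold:
            self._locked_until[user] = self.clock() + self.cooldown_s
        return "failed"


class CircuitOpenError(RuntimeError):
    """Raised when the breaker is open and the call is refused without touching the backend."""


@dataclass
class CircuitBreaker:
    """closed -> open after `threshold` consecutive failures; open -> half_open after
    `cooldown_s`; one successful trial call closes it, one failure re-opens it."""
    threshold: int = 3
    cooldown_s: float = 60.0
    clock: Callable[[], float] = time.monotonic
    state: str = "closed"
    _failures: int = 0
    _opened_at: float = 0.0

    def call(self, fn: Callable, *args, **kwargs):
        if self.state == "open":
            if self.clock() - self._opened_at < self.cooldown_s:
                raise CircuitOpenError("backend degraded; failing fast")
            self.state = "half_open"  # cooldown elapsed: let exactly one trial call through
        try:
            result = fn(*args, **kwargs)
        except Exception:
            self._failures += 1
            if self.state == "half_open" or self._failures >= self.threshold:
                self.state = "open"
                self._opened_at = self.clock()
            raise
        self._failures = 0
        self.state = "closed"
        return result


def run_demo() -> list:
    """Drive both gates with a fake clock and return the observed sequence of outcomes."""
    clk = FakeClock()
    events = []
    gate = AccountLockout(clock=clk)
    for _ in range(5):
        events.append(gate.attempt_login("alice", credentials_ok=False))
    events.append(gate.attempt_login("alice", credentials_ok=True))  # still locked
    clk.advance(15 * 60)
    events.append(gate.attempt_login("alice", credentials_ok=True))  # lockout expired

    breaker = CircuitBreaker(clock=clk)

    def failing_query():
        raise ConnectionError("policy graph unreachable (constructed failure)")

    for _ in range(3):
        try:
            breaker.call(failing_query)
        except ConnectionError:
            events.append("backend error")
    try:
        breaker.call(lambda: "row")
    except CircuitOpenError:
        events.append("fast fail")  # refused without calling the backend
    clk.advance(60)
    events.append(breaker.call(lambda: "row"))  # half-open trial succeeds, breaker closes
    return events


if __name__ == "__main__":
    print(run_demo())
```

Two details carry the security value. The lockout refuses a correct credential while the window is open, otherwise a guesser who happens to hit the right password on the sixth try is let in; and the breaker's half-open state lets a single probe test recovery, so a backend that is still down is not hammered by every request the moment the cooldown ends.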

Protected B pathway

The deployment is designed to support Protected B Medium Medium alignment. That alignment is not an authorization. A production deployment for Protected B information would be subject to a departmental Security Assessment and Authorization, conducted by the sponsoring department against its own control baseline and risk posture.

For evaluators, the platform can be exercised against unclassified scenarios today. Any handling of Protected B or higher information would be contingent on completion of the appropriate departmental SA&A.


Boundaries

The application is not a system of record for procurement files. It does not replace departmental security advisors, privacy advisors, or accessibility specialists. The current posture is unclassified-only; classification is enforced both by user-facing acknowledgement and by server-side gating tied to the active policy version.