• security-header


Borealis offers hosted services used by many large organisations. We adhere to the highest industry standards for enterprise security to maintain the confidentiality, integrity, and availability of our customers’ information. Our risk assessment practices align with the standards processes of software and IT industries. Our solution is collocated in dedicated spaces at a top-tier data center that maintains industry-standard certifications. This ensures our application meets rigorous security requirements. Third-party security audits of our product and infrastructure are done on a regular basis.

ISO 27001:2017 Certified

What is ISO 27001 Certification?
ISO 27001 is an internationally recognized standard that helps organizations manage information security to make their information assets more secure.

To become certified, an organization must develop and implement a strict security program, regularly evaluate information security risks, threats, and vulnerabilities, and establish that its security programs align with industry-leading best practices.

After a successful audit is performed by an independent third party, the organization can be certified by an accredited registrar.

Security has always been and always will be at the core of our product. The fact that more and more Fortune 500 companies are choosing our solution is proof of our product’s quality and security.

Patrick Grégoire, President, Borealis


Data Center Security

Borealis production servers are hosted in Canada at a Tier 3 certified design data center (Uptime Institute rating). The facility is ISO 27001: 2005, SOC 1 type II (SSAE 16 and ISAE 3402) and SOC 2 type II compliant. The data center is equipped with robust physical security including biometrics and smartcard access and logical security including firewall, intrusion detection, video surveillance and prevention, and denial of service attack protection. Power, cooling and networks all are fully redundant and built to a minimum of N+1 redundancy.

Product Security Features

Only application administrators are allowed to create users and assign data security rules. The access control is based on a roles hierarchy. Data can be segregated by group of users. All access is governed by strict password security policies with configurable complexity. All activities performed within the application are logged with Audit Trail.

Application-Level Security

The Borealis application provides a range of application-level security mechanisms that allow to fine-tune the implementation to meet specific requirements. Software architectural patterns are strategically selected around data confidentiality, integrity and availability. These patterns include row level security data segregation, roles-based access control list, audit trail and log management.


Complete virtual server backups are made on a daily basis. Backups are retained with the following policy: retain the 5 most recent backups as well as the most recent backup from each of the last 7 days, 4 weeks, 12 months, and 1 year.


Borealis has implemented features to comply with Web Content Accessibility Guidelines (WCAG), Level AA including: keyboard shortcuts, a high contrast theme, dark mode, and compatibility with screen readers.

Network Security

The Borealis network is protected by enterprise grade firewall and Intrusion Prevention and Detection System (IPS/IDS) to monitor network traffic in order to block a wide range of known vulnerability exploits. The network is protected against DoS/DDoS attack.

Monitoring and Vulnerability Management

Borealis uses third-party security specialists and enterprise-class security solutions (like Qualys) to find & help us fix vulnerabilities in the IT infrastructure and the web application. Reports of latest third party intrusion tests as well Qualys reports are available upon request. Borealis uses vulnerability management systems to continuously secure the IT infrastructure against the latest Internet threats. A web application scanning system automatically identifies OWASP top 10 risks including SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and URL redirection.

All web applications, network and hardware are constantly monitored by both Borealis and the managed Infrastructure-as-a-Service (IaaS) providers.


SysAdmin Access and Global Support

The Borealis operations and support team monitors our infrastructure 24/7 from Canada. Our access control policy aligns with IT industry standards. Access control is enforced with policies to control user registration, grant the correct level of access privilege, control password use, password change and password removal, review of access rights, and control network service access.

Our support team maintains an account on all hosted applications for the purposes of maintenance and support. Applications and data are accessed only for purposes of application health monitoring and performing system or application maintenance, and upon customer request via our support system. Only security qualified and authorized Boréalis employees have access to system using 2-factor authentication. Customers are responsible for maintaining the security of their own login information.


Storage Security

All data stored on Borealis’ servers are encrypted at rest by a high quality SSL protocol using AES-XTS, a cryptographic protocol that is designed to ensure the security of data storage at rest. The encryption keys are stored securely.

Transmission and Session Security

Multiple Internet backbone connections provide routing redundancy and high-performance connectivity. All communications with Borealis servers are encrypted using high-grade SSL with 256-bit AES, a cryptographic protocol which is designed to provide communication security over the Internet. Encryption keys are securely stored. Individual user sessions are identified and re-verified with each transaction, using a unique token created at login.

Disaster Recovery

Borealis uses multiple data centers to host its application and data, providing essential redundancy. All data centers employ physical security, strict access policies and secure vaults and cages. Near real-time data replication between the production data center and the disaster recovery center of the Borealis solutions is performed. Hot-site disaster recovery tests are performed daily and complete disaster recovery diagnostic is done quarterly to verify our projected recovery times and the integrity of the customer data.

Q&A How Borealis
Manages data security


The Borealis application enables users to authenticate through single sign-on (SSO) using SAML 2.0. Our solution supports integration with all identity federation providers such as Okta and Microsoft ADFS.
We enforce the use of strong passwords for all users through our password policy. Strong passwords must consist of at least fifthteen characters, a combination of upper and lowercase letters, and include numbers.
All privileged accounts to the organization’s production platform are enforced with Multi-Factor Authentication and a password of minimum 14 characters.

Customer data

Borealis confirms that data from production is never copied or utilized in non-production environments. Additionally, customer data is never employed outside of the production network.

Client data

Our production and development environments are fully isolated, ensuring that access to production data is only granted to authorized personnel.
We use a SIEM tool called Graylog that only a few authorized users can access through a two-factor VPN connection. Graylog records all actions taken by users and our web application. This access is read-only to prevent tampering with the logs.

Multi-Factor Authentication

The Borealis application supports 2FA and can be configured by users directly in the Borealis web interface.

Cloud computing

Our servers are in Amazon Web Services datacenters in Canada (Montreal), Europe (France) and Australia (Sydney).

Data backup and restoration

Our backup policy entails keeping the five most recent backups in addition to retaining the most recent backup from the last seven days, four weeks, twelve months, and one year. We also conduct restoration tests at least twice a year.

We have two different methods for recovering data in the event of an outage:

  1. Recovering from a hot standby server, which has a Recovery Point Objective (RPO) of less than one minute, and a Recovery Time Objective (RTO) of less than one hour.
  2. Recovering from a backup, which has an RPO of less than 24 hours, and an RTO of less than one hour.

These procedures ensure that our systems are up and running as quickly as possible in the event of an unexpected interruption.


Borealis must maintain a 99.5% Online Service availability rate, calculated monthly using (Total – Downtime) / Total * 100 ≥ Availability Target. “Total” refers to calendar month minutes minus excluded downtime, while “Downtime” refers to non-excluded duration, including planned and uncontrollable events.

You can access more details regarding the service availability in our MSA’s “Availability” section: https://www.boreal-is.com/data/cdn/media/Borealis-Master-Subscription-Agreement.pdf

Vulnerability Management

Every year, we conduct a penetration test through an external firm.

Additionally, we conduct an automated vulnerability scan and a Web Application Scan every week using the Qualys platform.

We utilize Eslint to check the code and also perform a vulnerability check of our external libraries with yarn audit. Additionally, each line of code modified in our repositories undergoes verification by a second senior developer.
Critical updates are installed as soon as possible, usually on the same day they become available. To identify when patches are required, we use our Microsoft Defender Vulnerability Management dashboard in conjunction with CheckMK (which is based on Nagios).
Our organization has installed Microsoft Defender antivirus, which includes the Microsoft Intune endpoint protection feature, on all servers and workstations. In the event of any suspicious activity, our sysadmin team receives an alert.

Information Access

Access to information assets in our organization is reviewed annually and when changes in employee status occur, such as joining, relocating, or leaving. Physical and logical access is granted only to authorized personnel, and access is promptly removed upon an employee’s departure.
Access to both our production systems and internal systems is protected by two-factor authentication via the VPN.

Server Monitoring and Management

We utilize CheckMk (Nagios) and Amazon CloudWatch to monitor the performance of all our servers in real-time, with over a hundred checks performed per server on CheckMk.

Information Security Governance and Compliance

We utilize OneTrust to maintain compliance by updating and obtaining approval for our information security policies. These updates are carried out at a minimum of once a year as required by TugBoat Logic.
All of our employees sign confidentiality agreements, which are legally binding contracts that prevent them from disclosing any sensitive information about the company or its clients.

Information Security Training

Borealis mandates regular security training for all its employees, consultants, and contractors through the Terranova platform. Users must take interactive courses every 4 months to improve their understanding of security responsibilities. Moreover, we conduct 1-2 phishing simulation campaigns per year.

Employee Screening and Background Checks

When hiring new employees, our human resources team conducts a background check. Additionally, they also conduct another check every three years for all existing employees.


To date, Borealis has not encountered any security breaches or incidents of stolen or compromised credentials associated with our platform. The safety and security of our customers’ data remains a top priority for us.


Data in transit is secured through the utilization of encryption with TLS 1.2 or higher.