Security

Security at Immicase

Immigration case data is among the most sensitive information a professional can handle. Immicase is built with security at every layer so you can focus on your clients, not your infrastructure.

How We Protect Your Data

Six pillars of security that safeguard every piece of information in your Immicase account.

Encryption at Rest & in Transit

All data stored within Immicase is encrypted using AES-256 encryption at rest. Every connection between your browser and our servers is protected by TLS 1.3 encryption in transit. Database backups are also encrypted, ensuring your client information is never exposed -- whether it is being stored, transferred, or archived.

Role-Based Access Control

Not every team member needs access to every file. Immicase provides granular, role-based permissions so that consultants, paralegals, administrative staff, and clients each see only what they are authorized to see. Custom roles can be created with field-level control, and access can be restricted by IP address.

Comprehensive Audit Logging

Every action within Immicase -- file views, edits, downloads, deletions, login attempts, and permission changes -- is recorded in an immutable audit log with a timestamp and user identity. These logs support CICC compliance obligations and give firm administrators full visibility into who did what and when.

Infrastructure Security

Immicase is hosted exclusively in Canadian data centers aligned with SOC 2 Type II standards. Our infrastructure uses network-level firewalls, intrusion detection systems, and automated threat monitoring. All production systems run in isolated virtual private clouds with no public internet exposure beyond our application endpoints.

Regular Security Audits

We conduct regular vulnerability assessments and penetration testing to proactively identify and remediate potential threats. Our development team follows secure coding practices, and all code changes undergo security-focused review before deployment. Dependencies are continuously monitored for known vulnerabilities.

PIPEDA Alignment

Immicase is designed from the ground up to meet the requirements of Canada's Personal Information Protection and Electronic Documents Act (PIPEDA). We implement all ten fair information principles including consent, limiting collection, limiting use, accuracy, safeguards, and individual access. Your clients' personal information is handled with the care Canadian law demands.

Client-Side Encryption for Sensitive Data

Immicase uses AES-256-GCM encryption — the same standard used by banks and governments — to protect your clients' most sensitive identity documents.

How It Works

  • Passport numbers and UCI (Unique Client Identifier) are encrypted before they ever leave your browser
  • Your firm gets a unique encryption key, shared securely across all team members
  • The database only ever stores encrypted data — passport numbers and UCIs are unreadable ciphertext at rest
  • Decryption happens in your browser when you need to view the data
  • New team members and password resets are handled automatically — the same firm key is securely provisioned without sharing passwords

What This Means for Your Firm

  • Database breach protection: If the database is ever compromised, passport numbers and UCIs are unreadable ciphertext
  • No extra steps: Encryption and decryption happen automatically as you work
  • Per-firm isolation: Each firm has its own encryption key; firms can never access each other’s data
  • Team-friendly: All team members share one firm key, so everyone can access the same client data
  • Password reset safe: Changing or resetting your password doesn’t lose access to encrypted data
  • Built on Web standards: Uses the Web Crypto API (PBKDF2 key derivation, AES-256-GCM authenticated encryption), no third-party dependencies

Technical Highlights

  • AES-256-GCM authenticated encryption (256-bit keys, random IV per field)
  • PBKDF2-SHA256 key derivation with 600,000 iterations
  • Per-firm encryption key, wrapped individually per user with their password
  • Server-side key escrow (AES-256-GCM) for secure team provisioning and password recovery
  • Tamper detection via GCM authentication tags
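
The key hierarchy listed above, written against the Web Crypto API as an added example (not Immicase's code). Function names, the record layout, the 16-byte salt and the 12-byte IV are assumptions; the server-side escrow copy is not modelled.

```javascript
// Added illustration; names and record shapes are hypothetical.
// Browsers and Node 19+ expose globalThis.crypto; older Node falls back to node:crypto.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const enc = new TextEncoder(), dec = new TextDecoder();
const PBKDF2_ITERATIONS = 600000; // iteration count stated on the page

// Password -> AES-256-GCM key-wrapping key (PBKDF2-SHA256, per-user random salt).
async function deriveWrappingKey(password, salt) {
  const base = await wc.subtle.importKey("raw", enc.encode(password), "PBKDF2", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations: PBKDF2_ITERATIONS },
    base, { name: "AES-GCM", length: 256 }, false, ["wrapKey", "unwrapKey"]);
}

// One random key per firm; extractable only so it can be wrapped for each user.
function generateFirmKey() {
  return wc.subtle.generateKey({ name: "AES-GCM", length: 256 }, true, ["encrypt", "decrypt"]);
}

// Wrap the firm key under one user's password; only this record needs storing.
async function wrapFirmKey(firmKey, password) {
  const salt = wc.getRandomValues(new Uint8Array(16));
  const iv = wc.getRandomValues(new Uint8Array(12));
  const kek = await deriveWrappingKey(password, salt);
  const wrapped = new Uint8Array(await wc.subtle.wrapKey("raw", firmKey, kek, { name: "AES-GCM", iv }));
  return { salt, iv, wrapped };
}

// Rejects on a wrong password: the GCM tag over the wrapped key fails to verify.
// The unwrapped key is non-extractable, so page script cannot export the raw bytes.
async function unwrapFirmKey(rec, password) {
  const kek = await deriveWrappingKey(password, rec.salt);
  return wc.subtle.unwrapKey("raw", rec.wrapped, kek, { name: "AES-GCM", iv: rec.iv },
    { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Field encryption: fresh 96-bit IV per field; ciphertext ends with the 128-bit GCM tag.
async function encryptField(firmKey, plaintext) {
  const iv = wc.getRandomValues(new Uint8Array(12));
  const ct = new Uint8Array(await wc.subtle.encrypt({ name: "AES-GCM", iv }, firmKey, enc.encode(plaintext)));
  return { iv, ct };
}

// Rejects (OperationError) if iv or ct was modified, or the key is not the firm key.
async function decryptField(firmKey, rec) {
  return dec.decode(await wc.subtle.decrypt({ name: "AES-GCM", iv: rec.iv }, firmKey, rec.ct));
}
```

Each user's wrapped record differs (own salt, IV and password), yet all unwrap to the same firm key, which is why a password change only requires re-wrapping the key rather than re-encrypting every field.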

Additional Security Measures

Beyond our core security pillars, Immicase implements a comprehensive set of controls to ensure your data remains safe.

  • Two-factor authentication (2FA) available for all user accounts
  • Automatic session timeouts after periods of inactivity
  • Secure password hashing using bcrypt with adaptive work factors
  • Rate limiting and brute-force protection on all authentication endpoints
  • Encrypted database backups with point-in-time recovery
  • DDoS protection at the network and application layers
  • Strict Content Security Policy (CSP) headers on all pages
  • Regular employee security awareness training

Data Retention

Data Retention Policy

Immicase retains client data for a minimum of 7 years in accordance with Canadian regulatory requirements and immigration industry best practices. This retention period ensures that firms can meet their compliance obligations, respond to audits, and support clients with historical case references.

After the retention period, firms can choose to securely archive or permanently delete data in alignment with PIPEDA guidelines.

Daily Data Backup to Your Own Cloud

Immicase supports daily automated backups directly to your firm's own cloud storage provider. Whether you use AWS, Google Cloud, or Azure, you can configure scheduled exports so that a complete copy of your data is always within your control. This gives firms an additional layer of data sovereignty and disaster recovery beyond our built-in encrypted backups.

Client Rights

Data Access & Client Rights

Under PIPEDA, individuals have the right to know what personal information an organization holds about them and how it is being used.

Individual Access Rights

Individuals have the right to request access to their personal information and request corrections where necessary. Immicase provides tools for firms to export and manage client records, making it straightforward to respond to access requests and fulfill your obligations under Canadian privacy law.

Privacy Officer

Privacy Contact

For privacy inquiries or requests related to personal information, please contact our Privacy Officer at:

info@immicase.ca

This is a PIPEDA requirement. We respond to all privacy inquiries promptly.

Our Commitment

Security Is Not a Feature -- It Is Our Foundation

We understand that your clients entrust you with their personal details, travel histories, financial records, and family information. That responsibility extends to us. We treat every piece of data as if it were our own. If you have questions about our security practices or need documentation for a compliance review, contact us at info@immicase.ca.
