Trust Center

Trust isn't a feature — it's the architecture

Openfund handles sensitive financial data on behalf of borrowers, brokers, lenders, and the regulators that oversee them. Compliance, security, and privacy aren't features layered on top of the platform — they're the architectural principles it's built on.

Every line of code, every database row, and every access request is governed by the same three commitments: stay inside Canada's regulatory framework, defend data in depth, and treat consent and sovereignty as non-negotiable defaults. Here's how that works in practice.

Live in Canada · PIPEDA-aligned · FSRA · MBLAA · SOC 2 in progress
Compliance

Built for the Canadian regulatory framework

Openfund is a Canadian company operating inside Canada's mortgage regulatory landscape. Workflows, audit trails, and disclosures are designed so professionals on the platform meet their obligations with greater confidence — and a much shorter compliance file.

01 FINTRAC · AML · KYC

Anti–money-laundering, by the book.

The Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) places real obligations on every mortgage professional. Openfund encodes Know-Your-Client and source-of-funds verification into the application workflow, with secure audit trails preserved for the full retention period — not bolted on as a separate compliance project.

02 FSRA · MBLAA · Provincial

Suitability you can actually defend.

Provincial regulators like the Financial Services Regulatory Authority of Ontario require brokers to document why a recommended product is suitable. The Openfund Report does that automatically — it captures every lender that was considered, every offer received, and the reasoning behind the recommendation, so principal-broker review and FSRA verification are a matter of pulling a file, not reconstructing one.

03 Legal & industry review

Reviewed by Canadian counsel.

Platform workflows, disclosures, and consent flows are reviewed by Canadian legal counsel specializing in financial services and mortgage law. We treat regulatory expectation as a first-class design constraint and update the platform when the rules update — not the other way around.

Security

Defense in depth, end to end

Security on Openfund isn't a single firewall or a single audit — it's a stack of controls that protect the platform, the applications, and the data, with no single point of failure between you and the people you trust with your information.

01 End-to-end encryption

TLS 1.3 in transit. AES-256 at rest.

Every byte that crosses the network is wrapped in modern TLS 1.3 with strict cipher suites and HSTS. Every byte at rest — application data, documents, audit logs, backups — is encrypted with AES-256 envelope encryption using AWS KMS, with key rotation enforced and access keys never exposed to application code.

02 Cloud infrastructure

Built on AWS, hardened from day one.

Openfund runs on Amazon Web Services in Canada (ca-central-1) — a Tier 1 cloud platform with physical security, network isolation, and continuous compliance attestations. We layer on private VPCs, security groups, AWS WAF in front of every public surface, and signed Lambda artifacts to ensure that what runs in production is what we built.

03 Secure SDLC

Secure by build, not by audit.

Security is enforced before code reaches production: dependency scanning on every pull request, secret scanning on every commit, automated SAST, and signed-off code review. Independent third-party penetration tests run on a recurring schedule, and findings drive sprint priorities — not quarterly reports nobody reads.

04 Role-based access

Least privilege, enforced by policy.

Access on Openfund is governed by Cedar policies and AWS Verified Permissions — a centralized, auditable authorization service used by every API call. Brokers see their files, principal brokers see their brokerage's files, lenders see what they're invited to, and administrators see what they administer. Nothing more, nothing implicit.

Data residency

Your data stays in Canada — always

Mortgage data is some of the most sensitive personal information a Canadian household generates — income, assets, identification, and credit. We make a categorical commitment about where that data lives: inside Canada, on Canadian-region infrastructure, governed by Canadian privacy law. No exceptions, no caveats, no quiet transfers to processing centers in other jurisdictions.

  • Region: ca-central-1. AWS Montreal — Canadian-operated availability zones.
  • Cross-border: Never. Application data and documents are not transferred outside Canada.
  • Backups: In-region · 30-day. Encrypted snapshots stay inside the same Canadian region.
  • Sovereignty: PIPEDA. Your information is governed by Canadian privacy law.

Privacy

Your information, your rights — PIPEDA-aligned

Privacy on Openfund isn't a long, unread legal document — it's a working set of rights you can exercise from your account, governed by Canadian privacy law and a named privacy officer.

01

Right to access

Request a copy of the personal information Openfund holds about you, what we use it for, and who it has been disclosed to. We respond within 30 days.

02

Right to rectify

Correct any information that's inaccurate or out of date. The platform exposes most fields directly so you can fix them yourself, with an audit log of every change.

03

Right to erase

Withdraw consent and request deletion of your data, subject to retention obligations under FINTRAC, FSRA, and Canadian tax law. We document what's deleted and what's preserved, with reasons.

04

Right to portability

Export your information in a machine-readable format and take it elsewhere. The platform was built on open standards so leaving is no harder than joining.

How we operate

Three operating principles, written in plain language.

Consent

Explicit, granular, and revocable. We explain why each piece of information is collected and what it will be used for — in plain language.

Accountability

Privacy is owned at the executive level. A named privacy officer is accountable for compliance with PIPEDA and provincial privacy law.

Limiting use

We collect what's needed to underwrite, originate, fund, and service mortgage transactions — and nothing else. We don't sell your data, ever.

Status & attestations

Where we stand, in real time

Trust is a continuous practice, not a one-time certificate. This is the current state of our compliance program, security posture, and operational controls — updated as evidence changes, not as marketing cycles dictate.

Trust Center · Status
Posture overview
LIVE · Updated Jun 9, 2026
  • Attestation: SOC 2 Type II
    Independent audit underway with a qualified Canadian firm
    In progress · Underway
  • Attestation: PIPEDA alignment
    Canadian privacy law alignment maintained continuously
    Active · Aligned
  • Regulator: FSRA · MBLAA
    Brokerage and administration framework verified
    Active · Verified
  • Encryption: TLS 1.3 · AES-256
    Modern ciphers in transit · KMS-managed envelope at rest
    Active · Enforced
  • Security testing: Independent penetration test
    Q1 2026 · all critical and high findings remediated
    Passed
  • Security testing: Dependency scanning
    Continuous · runs on every pull request and merge
    Active · Continuous
  • Operations: Backup cadence
    Daily encrypted snapshots · 30-day retention · in-region
    Active · Daily
  • Operations: Incident response runbook
    On-call rotation, severity ladder, and 24h breach disclosure
    Active · Live
Continuous monitoring, automated controls · Quarterly third-party review · Annual attestation cycle

Common questions

Trust FAQs

The most frequent questions our security, legal, and risk teams receive — answered without the marketing fog.

Don't see your question?

Email our trust team
  • All application data, documents, audit logs, and encrypted backups are stored exclusively in AWS ca-central-1 (Montreal). Data is not transferred outside Canada — including for processing or analytics — and is governed by Canadian privacy law.
Working with confidence

Trust as the default setting.

When the rules of mortgage lending tighten — when a regulator asks a question, when a broker needs to defend a recommendation, when a borrower wants to understand who has their data — Openfund is built so the answer is already on file.

Canadian data residency · PIPEDA-aligned · FSRA · MBLAA