Sanrin Labs Trust Center
Security, privacy, AI governance, and procurement information for institutional buyers, public-sector teams, and qualified vendor-review processes.
Last updated: June 22, 2026
Overview
Sanrin Labs is a Quebec-based software and AI services company serving institutional, public-sector, NGO, and international organization workflows. We build software systems and AI-enabled workflows for document-heavy operations, reviewable outputs, internal process automation, and accountable human decision-making.
This Trust Center summarizes Sanrin's current approach to security, privacy, AI governance, vendor management, and responsible delivery for procurement, security, and legal review. Additional control and architecture information can be provided to qualified review teams when relevant to a specific engagement.
Security
Sanrin applies a risk-based security baseline appropriate to the systems we build and operate. Core practices include role-based access control, least-privilege administration, multi-factor authentication for administrative systems, secure repository practices, change-management controls, and vulnerability-handling procedures.
For customer-facing systems, Sanrin uses secure defaults, controlled changes, dependency review, secret scanning, access logging, and operational logging that supports investigation and review. Backup and recovery procedures are documented according to the deployment model and customer requirements.
For Sanrin-hosted or Sanrin-managed customer workloads, encryption in transit and at rest is included in the deployment baseline through the underlying cloud and managed-service architecture. Detailed architecture, hosting, access-control, and operational information is available to qualified procurement teams on request.
Privacy
Sanrin handles personal information in accordance with applicable Canadian privacy requirements, including Quebec Law 25 and PIPEDA where they apply. We collect and use personal information for defined business and contractual purposes, limit unnecessary exposure, and apply operational safeguards appropriate to the engagement.
Customer data is governed through written agreements, confidentiality obligations, vendor review, access controls, and documented handling practices. Where services involve customer data, Sanrin can provide a Data Processing Addendum and contractual terms addressing confidentiality, permitted use, sub-processors, and operational responsibilities.
AI Governance
Sanrin uses AI to support workflows that remain reviewable, traceable, and accountable. AI-assisted outputs are designed to support human review and operational decision-making, not replace accountable decision-making in consequential workflows.
Sanrin's AI governance approach is structured with reference to the NIST AI Risk Management Framework and its Generative AI Profile. For AI-enabled engagements, Sanrin documents intended use, model or vendor choices, human-review expectations, evaluation practices, and change-control considerations appropriate to the scope of work.
Sanrin does not train models on customer data unless a written agreement explicitly permits it. Model, vendor, retention, and data-use details can be reviewed during procurement where they are relevant to a specific system or workflow.
Compliance Posture
Sanrin's security, privacy, and AI governance programs are structured around recognized procurement and risk-management frameworks relevant to institutional software delivery. The statuses below describe the current posture and should not be read as completed certifications or external attestations unless expressly stated.
Certifications and Attestations
| Program | Status | Notes |
|---|---|---|
| ISO/IEC 27001 | Program in progress | Security management framework. |
| SOC 2 | Future roadmap | Enterprise attestation path. |
| CSA STAR Level 1 | Planned | Cloud security self-assessment path. |
Reference Frameworks
| Framework | Use | Reference |
|---|---|---|
| NIST CSF 2.0 | Security program reference. | NIST Cybersecurity Framework |
| NIST AI RMF | AI governance, risk management, and oversight reference. | NIST AI Risk Management Framework |
| CIS Controls | Baseline cyber hygiene and operational control reference. | CIS Critical Security Controls |
| OWASP ASVS | Application security engineering and verification reference. | OWASP ASVS |
Contact
Procurement, security, privacy, and vendor-review inquiries may be directed to [email protected].