Security Policy

This page explains how to report potential security issues related to the CFC™ Certification Portal. We protect professional credentialing systems that support public trust, privacy, and data stewardship.

Active policyUpdated Feb 2026

1Purpose

Canadian Association for Financial Empowerment (CAFE) operates credentialing and verification systems that support professional standards for financial counselling. Security is part of that trust.

We steward information with strong privacy discipline. CAFE designs in alignment with the spirit of OCAP® and recognises distinct First Nations, Métis, and Inuit data sovereignty frameworks; the Data Sovereignty Statement governs our approach in detail.

Capacity note: We review credible reports as capacity permits. Please avoid public disclosure until we have assessed the issue.

3No unsolicited testing

CAFE does not operate a bug bounty program and does not authorise unsolicited security testing, scanning, probing, exploitation, or validation activity against our systems.

Activity that attempts to identify, confirm, or exploit vulnerabilities without explicit written authorisation may be treated as unauthorised access behaviour and handled under applicable Canadian law and our internal incident response processes.

4What to include in a report

  • Impacted URL, subdomain, or system component
  • Non-destructive steps to reproduce
  • What you observed and why you believe it is a vulnerability
  • Date and time discovered (include timezone)
  • Evidence that avoids personal data, client data, and credential content

5What we ask you not to do

  • Do not access, copy, alter, or delete data
  • Do not attempt account access, privilege escalation, or lateral movement
  • Do not run denial-of-service tests or high-volume scanning
  • Do not publicly disclose details before we have assessed and remediated the issue

6Scope

This policy applies to:

  • certification.cafe-acaf.org and subdomains
  • Portal infrastructure supporting credential issuance and verification
  • APIs served from the certification portal
  • Certificate verification systems
  • The CFC™ directory and related public endpoints

For issues involving www.cafe-acaf.org (Squarespace-hosted), report through Squarespace support channels and notify CAFE if the issue affects CAFE users or credentialing workflows.

7Authorised research by consent

We respect legitimate security research and welcome collaboration conducted by consent, with defined scope, written authorisation, and safeguards appropriate to credentialing and privacy-sensitive systems.

If you wish to propose an authorised engagement, contact compliance@cafe-acaf.org. Research partnerships may be acknowledged publicly where appropriate.

8Foreign legal process

The CAFE Certification Command Centre is hosted on the Serving Ethics server, a Canadian-located server stewarded by William Moores. No third-party cloud provider holds the platform itself, and no US-citizen administrative access stands between user data and the platform.

The US Clarifying Lawful Overseas Use of Data Act (CLOUD Act) compels US-domiciled vendors to disclose data in their custody regardless of where the data is physically stored. The USA PATRIOT Act may further impose a gag clause that prevents the affected party from being notified. The Office of the Privacy Commissioner of Canada has confirmed that Canadian data residency alone cannot guarantee protection from foreign legal processes when the responsible vendor is US-domiciled.

For Indigenous data this exposure is incompatible with First Nations OCAP Ownership and Possession, with Métis data governance frameworks, and with Inuit access, ownership, and control under NISR. CAFE’s choice to keep the platform itself, and all categories of Indigenous, designee profile, certification, and CEU data, on the Serving Ethics server is the structural mitigation of this risk.

9Sub-processor disclosure

Two narrowly-scoped US-domiciled sub-processors are used for specific operational functions, both with limited payload categories.

Stripe Inc.

Used only for payment processing. Stripe processes payment-instrument data (card details, billing information, transaction records). Stripe does not receive Indigenous identity, Nation affiliation, designee profile detail, Code of Ethics attestations, CEU records, or any other categories of personal or collective data held in the certification platform.

Google Workspace

Used for transactional email automations during the platform’s email-infrastructure transition. Google receives the data required to deliver each email: recipient address, recipient name where it appears in a template, subject line, and body text. By design, the email body carries only the notification headline and a link back to the recipient’s Dashboard. Substantive platform data, including Indigenous identity, Nation affiliation, CEU reflection statements, designee profile detail, and certificate detail, remains on the Serving Ethics server and is reachable only when the recipient logs in. We treat email addresses as personal information for PIPEDA purposes and disclose this sub-processor accordingly.

All other infrastructure, including database, application servers, authentication, and file storage, operates on the Serving Ethics server with no foreign administrative reach. The Google Workspace arrangement is transitional and the limited payload scope is the structural mitigation in the interim.

CFC™ Certified Financial Counsellor

OCAP® is a registered trademark of the First Nations Information Governance Centre (FNIGC). Learn more about OCAP® or visit fnigc.ca.