Compliance posture

Carriers regulated by FSRA, AMF, and other Canadian provincial regulators need MGA partners who can demonstrate compliance discipline. Here is what Crystallux ships with today and what is roadmapped.

Regulatory alignment

• FSRA-aligned suitability + replacement disclosure workflows
• PIPEDA-compliant consent collection at every client touchpoint
• CASL-compliant outreach: every channel-of-record stored with timestamped consent
• FINTRAC AML basics: KYC + source-of-funds + PEP/sanctions screening on every application
• 30-day advisor onboarding curriculum with supervisor signoff covering licensing, AML, privacy, replacement, suitability

Platform safeguards

• Audit trails on every state-mutation (regulatory_audit_log)
• Append-only insurer access log — every report view, export, and login captured
• Encryption at rest (Supabase pg encryption) and in transit (TLS 1.3)
• Role-based access controls: advisor / sub_agent / mga_principal / compliance_officer / supervisor / admin / insurer_user
• Session expiry: 4 hours for insurer sessions; 24 hours for advisor sessions
• AES-256-GCM application-layer encryption for license numbers + E&O policy numbers

Roadmap

• SOC 2 Type 1 — Year 2 target after first 10 paying customers
• ISO 27001 — Year 3
• Immutable audit ledger with cryptographic chaining
• Penetration testing on every quarterly release

Carriers can request a current compliance posture document under NDA via the contact form.