
Americas onboarding

Canada client onboarding guide

Canada onboarding guidance for PIPEDA/provincial privacy review, CAD/USD payment setup, data residency options, security review, and procurement documentation. This page helps your legal, procurement, security, privacy, finance, and engineering teams understand what is available before contract, what requires NDA, and what is finalized only in signed agreements.

Important note

This page is a general onboarding guide for clients located in Canada. It is not legal, tax, regulatory, cybersecurity, financial, or compliance advice. Final rights, responsibilities, IP ownership, security commitments, privacy commitments, data handling, payment terms, and service obligations are governed only by signed documents.

Detailed review pages

Everything your team may want before signing

Use these focused pages when legal, procurement, security, privacy, finance, or engineering teams need deeper detail than a country summary can safely hold.

Process

The onboarding path from first conversation to handover

The goal is to make every step predictable for buyers, legal teams, procurement teams, and technical reviewers before work begins.

  1. Step 1

    Before the first call

    Confirm fit and review path

    We identify service fit, country availability, regulated data, security review needs, procurement requirements, AI use case, data residency needs, and whether an NDA should come first.

  2. Step 2

    Before detailed sharing

    Execute or review NDA

    A mutual NDA is available before confidential project, product, security, architecture, roadmap, budget, customer, or data details are exchanged.

  3. Step 3

    Before proposal

    Complete technical discovery

    The discovery process captures objectives, users, scope, existing systems, integrations, data types, security expectations, accessibility needs, timeline, and acceptance criteria.

  4. Step 4

    Before signature

    Review MSA, SOW, DPA, and payment setup

    The contracting package defines services, deliverables, payment, IP, confidentiality, security, privacy, change control, acceptance, support, and offboarding obligations.

  5. Step 5

    Before kickoff

    Set access, governance, and delivery controls

    We confirm project owners, communication cadence, repository/cloud access, security boundaries, release process, reporting, decision logs, escalation path, and production access rules.

  6. Step 6

    After delivery

    Launch, handover, support, and offboarding

    The project closes through launch support, documentation, repository or cloud handover, access revocation, credential rotation, data return/deletion, and support transition.

Before contract

Documents and reviews available before signature

Some materials are public. Some are available on request. Sensitive security evidence is NDA-controlled, and client-specific obligations belong in signed agreements.

Onboarding document availability for Canada
| Document | Purpose | Status | Access |
| --- | --- | --- | --- |
| Mutual NDA | Confidential technical, commercial, security, and product discussions before scope is finalized. | Available | On request |
| Master Services Agreement | Master legal framework for services, payment, confidentiality, IP, limitations, and project governance. | Available | On request |
| Statement of Work | Project-specific scope, assumptions, timeline, deliverables, pricing, acceptance criteria, and dependencies. | Available | After discovery |
| Data Processing Agreement | Personal-data processing terms when VarenyaZ processes personal data on behalf of a client. | Available when applicable | Legal review |
| Security Overview | High-level summary of secure delivery, access control, cloud security, backups, and incident handling. | Available | Public |
| SOC 2 Readiness Summary | Readiness-oriented control posture summary. No SOC 2 certification or audit claim is made. | In progress | NDA required |
| ISO/IEC 27001 Roadmap | Roadmap for ISMS maturity. No ISO/IEC 27001 certification claim is made. | In progress | NDA required |
| Technical Discovery Form | Structured project, data, security, privacy, integration, accessibility, and delivery intake. | Available | Public |

Commercial setup

Payment, invoicing, tax, and procurement

Payment terms should be confirmed before kickoff so procurement, finance, legal, and delivery teams do not block each other later.

Payment options

Supported currencies

  • CAD
  • USD

Accepted methods

  • Bank transfer
  • Wire transfer
  • Card via payment provider
  • Enterprise purchase order

Procurement notes

  • Vendor onboarding, security questionnaires, and procurement documentation are supported after fit review.

Where card payments are supported, card details are processed by the payment provider. VarenyaZ does not intentionally store full payment card details in its own systems. Taxes, VAT, GST, withholding, bank fees, purchase-order rules, and invoice requirements should be confirmed by the client and reflected in the applicable agreement or invoice process.

Privacy

DPA, cross-border transfer, and data residency review

Privacy obligations depend on project role, data categories, data subject locations, subprocessors, cloud regions, support model, and contract terms.

Privacy notes

  • PIPEDA or provincial privacy review may apply depending on client, user location, and data categories.

Transfer mechanisms

  • DPA when applicable
  • Subprocessor review
  • Data-transfer review

Data residency options

  • Client-owned Canadian cloud
  • Canadian hosting by agreement
  • Limited production access model

Discovery

Information your team should prepare

The technical discovery process turns a loose idea into contract-ready scope, risk review, architecture decisions, and delivery assumptions.

Business and procurement

  • Company legal name, billing address, tax/VAT/GST ID, and accounts payable contact.
  • Business owner, technical owner, legal/procurement contact, security contact, and privacy contact.
  • Purchase order requirement, vendor onboarding form, contract template preference, target start date, target launch date, and budget range.

Project and product

  • Project type, business goals, target users, countries of end users, current product status, success criteria, and out-of-scope items.
  • Existing documentation, designs, source code, analytics, customer journeys, API docs, infrastructure diagrams, and third-party contracts.
  • Expected deliverables, acceptance criteria, device/browser support, performance goals, accessibility target, and launch dependencies.

Data, privacy, and compliance

  • Whether personal data, sensitive personal data, children's data, health data, payment data, government data, financial data, or employment data is involved.
  • Controller/processor role, DPA need, cross-border transfer need, subprocessor review, data residency need, retention expectations, and deletion requirements.
  • Whether AI, automated decision-making, cookies, analytics, tracking, regulated-industry use, or public-sector requirements are in scope.

Technical and security

  • Current stack, preferred stack, cloud provider, hosting region, authentication, authorization roles, admin roles, integrations, and payment systems.
  • Repository provider, CI/CD process, deployment model, backup expectations, RTO/RPO expectations, logging, monitoring, and support needs.
  • Security questionnaire, secure SDLC expectations, code review requirements, OWASP scope, vulnerability scanning, access approval, and production access model.

Do not submit passwords, API keys, private keys, production secrets, sensitive regulated data, or confidential customer data through public forms.

Advanced intake

Start the Canada review path.

Use this form to request NDA, MSA, SOW, DPA, payment setup, security review, and technical discovery in one structured intake.

Estimated routing

  • NDA first
  • Privacy review

Do not submit passwords, API keys, private keys, production secrets, regulated data, or confidential customer records.

Country review flags

  • Privacy review
  • Security review
  • Procurement review

One form, multiple onboarding paths

Required fields are marked with an asterisk. We use these answers to route NDA, contract, privacy, security, payment, and technical discovery review.

  • Full name *
  • Work email *
  • Company / organization *
  • Role / team
  • Phone
  • Company website
  • Client type *
  • Expected timeline *
  • Budget / procurement band *
  • Preferred currency
  • Preferred payment method
  • Cloud / hosting model
  • Data residency preference

Project type

  • Web application
  • AI / LLM product
  • Automation
  • SaaS platform
  • E-commerce
  • Cloud / DevOps
  • UI/UX design
  • Security hardening
  • Accessibility remediation
  • Support and maintenance

Documents or reviews needed before contract

  • Mutual NDA
  • MSA template
  • SOW estimate
  • DPA review
  • IP ownership review
  • Payment setup
  • Security questionnaire
  • Procurement onboarding

Data or regulated information expected

  • No personal data expected
  • Business contact data
  • Customer account data
  • Payment data
  • Health or wellness data
  • Financial data
  • Children's data
  • Government or ID data
  • AI training or prompt data
  • Sensitive production data

Review flags to route internally

  • Privacy review
  • Security review
  • Procurement review

Project brief and onboarding notes *

Do not include secrets, tokens, passwords, production data, or confidential customer records.


By submitting, you are asking VarenyaZ to review the onboarding path. This does not create a contract, certification claim, or commitment to accept the project.

Security and delivery

Secure engineering practices clients can review

Public pages provide a safe high-level view. Detailed security questionnaires, control mappings, implementation evidence, diagrams, and incident playbooks may require NDA.

Secure SDLC

Security requirements, secure design review, peer review, testing, dependency scanning, secret scanning, CI/CD controls, release approval, and post-release monitoring are selected based on risk and scope.

Code review

Pull requests, reviewer assignment, protected branches, automated checks, sensitive-change review, AI-generated code review, dependency review, and emergency-change handling are built into delivery governance.

Access control

Access is granted by role and project need, through named accounts and under least privilege, with MFA where supported, client approval for production access, temporary access, logging, periodic review, and offboarding revocation.

Cloud security

Cloud responsibilities depend on client-owned or VarenyaZ-managed environments and may include IAM, regions, network boundaries, secrets, encryption, logging, environment separation, patching, and handover.

Backup and disaster recovery

Backup frequency, retention, encryption, location, restore testing, RTO, RPO, DR owner, production recovery, and client-cloud responsibilities are defined per project and contract.

OWASP practices

Web and API projects can use OWASP Top 10 awareness, ASVS-inspired verification, input validation, output encoding, auth review, access-control testing, file-upload review, and security regression tests.

Readiness without overclaiming

SOC 2 readiness and ISO/IEC 27001 roadmap

These are intentionally careful public claims. Formal certification or audit status should never be implied before it exists.

SOC 2 status

VarenyaZ is not currently SOC 2 certified or SOC 2 audited. We are building a SOC 2 readiness program and can share selected readiness materials under NDA where appropriate.

ISO/IEC 27001 status

VarenyaZ is not currently ISO/IEC 27001 certified. We are developing an ISO 27001 roadmap and will not claim certification unless certification is completed by an accredited certification body.

Access levels

What is public, NDA-only, or contract-only

This split makes onboarding transparent without exposing sensitive security details or accidentally creating legal obligations outside signed documents.

Public

  • Country onboarding guide
  • Service overview
  • General security overview
  • Secure SDLC summary
  • AI Policy
  • Privacy Policy
  • Accessibility Statement
  • Supplier Code of Conduct

NDA required

  • Detailed security questionnaire
  • Architecture discussion notes
  • Access-control matrix
  • Incident response summary
  • Backup/DR summary
  • SOC 2 readiness summary
  • ISO 27001 roadmap details
  • Pen test summary, if available

Contract only

  • Signed MSA
  • Signed SOW
  • Signed DPA
  • SCCs or UK transfer addendum where applicable
  • Security addendum
  • Client-specific SLA
  • Client-specific IP assignment terms
  • Client-specific data return or deletion obligations

Local overlay

Canada-specific onboarding notes

These notes help buyers identify local questions early. They do not replace legal, tax, privacy, procurement, or security review.

  • Clients should identify provincial privacy, public-sector, health, financial, and data residency requirements during discovery.

Buyer questions

Frequently asked onboarding questions

Can we review an NDA before sharing details?

Yes. VarenyaZ can provide a mutual NDA or review a client-provided NDA before confidential technical, commercial, security, or product details are exchanged.

Can we review MSA and SOW templates?

Yes. An MSA template is available on request. A project-specific SOW is usually prepared after discovery because scope, assumptions, payment, acceptance, and dependencies need project context.

Who owns the code and designs?

Final ownership is governed by the signed MSA and SOW. Client-specific deliverables can be assigned or licensed as agreed, while VarenyaZ background technology, reusable methods, templates, tools, and know-how are not automatically transferred.

Is VarenyaZ SOC 2 certified?

No. VarenyaZ is not currently SOC 2 certified or SOC 2 audited. We are building a SOC 2 readiness program and can share selected readiness materials under NDA where appropriate.

Is VarenyaZ ISO/IEC 27001 certified?

No. VarenyaZ is not currently ISO/IEC 27001 certified. We are developing an ISO 27001 roadmap and will not claim certification unless certification is completed by an accredited certification body.

Can you work in our cloud account?

Yes, when appropriate. Access should be granted through named accounts, least privilege, MFA where supported, client-approved scopes, audit logging, temporary access rules, and offboarding revocation.

Start the Canada onboarding review

Send your country, service need, timeline, procurement requirements, security review needs, and whether you need NDA first. We will route the request to the right commercial, technical, privacy, or security review path.