About

Most of the breaches I've seen
had the same gaps.
That's why SeptZen exists.

Ottawa-based managed security for Ontario law firms and healthcare practices. Compliance-first, not compliance-adjacent.

Daniel

I started SeptZen after watching the same scenario play out too many times: a firm in Ontario gets hit by a phishing attack or a breach, and it becomes clear that the basics hadn't been done. DMARC wasn't configured. Backups hadn't been tested in months. Staff had never seen a phishing simulation. Most of it was preventable.

The bigger frustration was that these firms often already had an MSP. They thought they were covered. But most MSPs offer the same generic security stack to every client, whether that client is a restaurant or a law firm handling sensitive client matters under LSO guidance. For regulated industries, generic isn't good enough.

I built SeptZen to start from a different place: your regulatory obligations first, your technology second. Every engagement begins with what PHIPA, PIPEDA, and the LSO actually require, and we build outward from there. Not the other way around.

I stay involved throughout every engagement. You won't get handed off to a junior tech after signing. If something is wrong, the person who built your security program is the person who fixes it.

Security+ CISM PMP CISA: In Progress AZ-500: Planned ISO 27001 LI: Planned
At a glance
๐Ÿ“
Ottawa, Ontario Serving law firms and healthcare practices across Ontario.
๐ŸŽฏ
Compliance-first approach PHIPA, PIPEDA, LSO, ISO 27001. We know what your regulator expects and we build to that standard.
๐Ÿค
One point of contact, always You work directly with me. Not a helpdesk, not an account manager.
๐Ÿ”’
Certifications Security+, CISM, PMP. CISA and ISO 27001 Lead Implementer in progress.

A few things that shape
every engagement we take on.

๐ŸŽฏ

Compliance specificity

We never hand over generic recommendations. Every control, policy, and tool is mapped to a specific regulatory requirement you're subject to. PHIPA section 12. PIPEDA Principle 7. LSO Commentary 3.6-8. We name the rule.

๐Ÿ”ฌ

Evidence over assertions

Security isn't a checkbox exercise. We test controls, verify backups actually restore, and produce documentation that holds up under regulator scrutiny, not just policies that look good on paper.

๐Ÿ“ˆ

Scoped to your actual size

Whether you're a two-person clinic or a 40-person law firm, the compliance obligations are real. We scope our programs to your size and risk profile, not a one-size-fits-all stack.

Why only law firms
and healthcare?

Deep specialization produces better outcomes than broad generalism. Ontario law firms and healthcare practices share a specific challenge: they handle extremely sensitive personal information, face real regulatory consequences for breaches, and are increasingly targeted because their defences are often weak.

By working only in these two sectors, I can offer something a generalist MSP can't: I already know your compliance framework, I have policy templates built to your specific obligations, and I know what a regulator actually wants to see in an audit. That knowledge took years to build and I'd be diluting it if I spread across every industry.

If you're a law firm or healthcare practice in Ontario looking for an MSP who actually understands your world, that's the conversation I want to have.

Law firms: what's at stake Client confidentiality obligations, matter data protection, LSO compliance. A breach doesn't just cost money โ€” it can cost your practice its reputation with clients who trusted you with sensitive matters.
Healthcare: the PHIPA reality Ontario's health privacy legislation has teeth. Mandatory breach notification, Privacy Commissioner investigations, and fines. We've seen what happens when a clinic gets this wrong.
Both sectors: you're a target Regulated practices are specifically targeted because attackers know they hold valuable data and often have weaker defences than larger enterprises. That gap is exactly what we close.