Established in 2007, Envoke is a 100% Canadian owned corporation registered in Ontario.

Our offices, servers and all customer data are all located in Canada – including backups.

Contact facing functionality is bi-lingual (i.e.: forms, subscription preferences page).

We provide in-house support and bill in Canadian Dollars.


Nationwide compliance

Automated consent and subscriptions management keeps your relationships on solid footing and enables compliance with federal privacy and anti-spam laws including PIPEDA, The Privacy Act and CASL, provincial private sector laws including PIPA (BC), PIPA (AB), P-39.1 (QC) and FIPPA (NS) and provincial and territory public sector privacy laws, such as FIPPA (BC), FOIP (AB), FIPPA (ON) and FOIPOP (NS).

CASL Compliance

Envoke includes tools to automatically collect, track and upgrade to express consent under CASL. All types of implied consent expiry dates are tracked to automatically suppress emails where consent is no longer valid. (rolling expiry date management). All consent changes are also logged for a complete audit-trail. The mandatory emails option allows sending messages to contacts who are contractually obligated to receive emails even if they didn’t opt-in. Additionally, Envoke automatically detects and manages contacts according to the rules of their governing country to accurately comply with foreign country legislation such as GDPR (EU) and Can-SPAM (US).

Read about detailed CASL functionality.


Data Centers in Canada

Envoke’s offices, servers and data are all located in Canada. Primary and secondary failover servers are located in two physically separate state-of-the-art data centers in Quebec. Envoke’s primary data center is certified ISO 27001:2005 for providing and operating dedicated cloud computing infrastructures. Operations are based on ISO 27002 and ISO 27005 security management and risk assessment norms and associated processes. The data center has obtained SOC 1 and 2 type II security certifications and has active Anti-DDoS mitigation infrastructure.

Servers and Operating Systems Security

Security updates for server and OS software is closely monitored, applied and tested as it becomes available. Physical access to the servers are restricted to only authorized users with password protected authorization keys on physical USB flash drives.

Data Encryption at Rest

All databases and uploaded files are stored on encrypted data volumes. Server data is encrypted at rest.

Database Access Control

Direct access to the database is limited to our developers. New developers are not provided with direct access to the database until they have completed a probationary period.

Application Access

System login and API access is available only via HTTPS 128 bit SSL security. All application pages are HTTPS by default except for publicly available content pages such as web versions of messages and landing pages. After five (5) unsuccessful login attempts the user account is temporarily blocked and triggers an alert to the administrator. Envoke passwords are a minimum of eight (8) characters and have to pass a strength algorithm.

Application Access from Foreign Countries

System access from IPs located outside North America are vetted manually. Access from a selection of high risk countries such as China, Vietnam and India is blocked by default for setting up trial and new accounts.

Office Security

Envoke’s office in downtown Toronto is secured with a combination lock system with separate entry codes for all employees with access. Office computers are encrypted and protected with strong passwords in accordance with standard security protocols.

Employee Security

All employees have had background police checks, have signed NDAs and have data access provisions in their employment contracts.



Open a 30 day trial account and see how Envoke can help you send compliant emails easily. Trial accounts come with full support.