Security FAQs
MSP FAQs
Privacy FAQs
General FAQs
Integration FAQs
Support FAQs
Lavawall® was built from the ground up with the Minimum Viable Secure Product requirements in mind.
Some of the controls we implemented include:
- PassKeys as the preferred primary authentication at no additional cost
- Single Sign-on using modern, maintained, and industry-standard protocols for all customers at no additional cost
- Multi-Factor Authentication as a non-negotiable default
- Encrypting communications a second time, in the same way as TLS, inside the TLS tunnel, so we can allow TLS inspection without breaking like Huntress or disclosing security vulnerabilities to eavesdroppers.
- Encouraging external vulnerability reports and customer testing
- Passwords checked against popular disclosed passwords, hashed before they leave your computer, and then stored using Argon2id
- Not requiring the use of passwords at all. We consider them a temporary backup authentication in case you can't use passkeys or SSO.
Lavawall® scanning computers are on dedicated servers in Calgary, Alberta, Canada. Some domain scanning functionality is on AWS servers in Montréal, Québec, Canada.
Where practical, we cache
Lavawall® databases and front-end systems are hosted with AWS in Montréal, Québec, Canada.
If you are outside of Canada and would like your information stored in another country, please contact us and we will move your data and endpoints to another region if you and your compatriots have a sufficient number of computers within Lavawall®.
Lavawall® agent executables are compiled in Calgary, Alberta, Canada.
We send emails through AWS in Ireland and dedicated servers in Calgary, Alberta, Canada.
We send text messages for additional identity verification through Twilio in the United States.
We store executables and pass requests through Cloudflare at your nearest edge location.
We use Cloudflare for risk management, turnstile, and web application firewall services.
We used to use LeadPages and Hubspot for landing pages. Although we have migrated to our own systems, we are still in the process of disabling these pages.
We use Google and Facebook for analytics on our public-facing pages, but they do not have access to the console.
We used to use Hubspot and Zendesk for analytics, CRM, and support. However, we have migrated to Lavawall® instead because we get a lot more value without the privacy concerns, cost, or performance issues. These services never had access to information in the Lavawall® console, but did receive information submitted in the public contact forms. We are still in the process of removing these integrations.
We integrate with third-party tools, such as Microsoft, Google, Huntress, Sophos, Screen Connect, Axcient, and Datto in their respective locations. However, you must initiate these integrations through single sign-on or by enabling them in your Lavawall® console.
Please report bugs through our contact form.
For urgent security issues, please call us at 1-403-538-5053 and select 1 or say support.
Please note that your IP address will be banned for doing generic vulnerability scans and high-volume scans/denial of service attacks.
Given that we are in the initial launch, our compensation structure is very dynamic. In all cases, however, we will publicly acknowledge your contribution in our Change Log and welcome any suggestions.
We encourage primary authentication for Lavawall® through Passkeys or Single Sign On (SSO).
However, we do allow passwords and use passwords as part of the zero-knowledge encryption for your clients' sensitive data, such as Bitlocker keys and Personally-Identifiable Information (PII).
These passwords use Argon2id slow hashes with individual salts and peppers. They go through a few hash rounds on your computer before being sent to our servers for further hashing.
Yes! Lavawall communicates with its endpoints through TLS. However, given that many of our clients want to be as secure as possible and have TLS inspection enabled, we allow for "insecure" connections with invalid certificates, which result from such configurations.
We have added an additional secure tunnel that mimics the TLS process within the public TLS tunnel. This extra tunnel provides authentication and privacy for the workstations and the Lavawall® servers to prevent attacks such as the one that took down Solar Winds.
We do not enable remote access tools like ScreenConnect unless you authorize them and are logged in. Lavawall® was not vulnerable to the ScreenConnect vulnerability because we install and uninstall it right before it's used. In addition, we give the option of linking to Access.
Remote access is not enabled for read-only and audit situations.
Lavawall®'s designer holds a CISSP and CISA. In addition, we have external and internal security reviews.
No.
We do not sell, trade, or exchange any of the information that we collect to make Lavawall® work. Email addresses, usernames, company statistics, etc. are only used within the tool and are not shared with anyone outside of ThreeShield except as required to make Lavawall® work.
You can deploy Lavawall® with any RMM that can run a PowerShell, Linux Bash, or Mac Zsh script.
The Add a Computer page includes simple PowerShell, Linux Bash, and Mac scripts to install the agent with any RMM.
We have specific instructions to set up variables with Datto RMM to easily deploy to all of your Datto RMM sites.
We also have instructions for Atera, Connectwise, Panorama9, and N-able.
We are adding additional RMMs. Call our support team and we’ll set up an integration for your RMM.
Lavawall® indicates which computers have any of the following services installed:
- Huntress
- Axcient
- Datto RMM
- Sophos
- Panorama9
Lavawall also has API integrations with:
- Axcient*
- Cloudflare*
- Connectwise Screen Connect*
- Datto RMM*
- FreshDesk*
- Huntress*
- Microsoft 365*
- Panorama9*
- ZenDesk*
*In limited release/development
Lavawall® breaks vulnerabilities into the following groups:
- Domain risks
- Operating System (OS) patches
- Application patches
- Network vulnerabilities
- Cloud vulnerabilities
- OS configurations
Yes!
You can use your own logo for the console and notifications. You can also use a CNAME to automatically brand your console.
Note: you cannot currently re-proxy the CNAME to Lavawall® through Cloudflare, but we are already behind Cloudflare.
Yes!
Lavawall® supports the following operating systems:
- All versions of Windows 10 and 11.
- Debian, Ubuntu, Mint, and RedHat-based Linux distributions
- MacOS
Lavawall® does not currently support non-systemd distributions, such as Devuan, Artix Linux, PCLinuxOS, OpenWRT, and DD-WRT. However, we will support them by the end of 2025.
In June 2024, we combined the Windows and Linux systems for a consistent experience. This added support for RedHat and MacOS.
Lavawall® support is entirely in Canada from 8:00AM Eastern (Toronto) to 6:00PM Pacific (Vancouver).
For those in Mountain (Calgary) time, that is 6:00AM to 7:00PM.
Chat support is primarily supported from Alberta and BC. We have limited chat support before 8:00AM Mountain time.
The scanner’s default settings are non-intrusive and low impact. Unless you select the option to do so, it won’t scan ports for administrative services like SSH, databases, or Remote Desktop. Those ports tend to trigger alerts in some systems and we don’t want to receive abuse complaints. If you do select that option, the scanner only makes a short connection to the related ports. It doesn’t try to do any brute force or DDOS attacks. It doesn’t crawl the website or do rapid page requests. As such, in most situations, it isn’t only non-intrusive, but most systems won’t even notice it.
We hear you! As a managed IT provider, we feel your pain. The good news is your users can easily install it themselves or you can deploy it with your existing RMM or MDM without requiring an MDM or any security & privacy settings.
Seriously.
We were amazed that it worked too, but it is the easiest Mac security tool we’ve ever used.
Maybe.
We’re building more automated fix-it tools into Lavawall®, so it’s possible that if you ask us to help you, we might be able to give you early access to fix the problem yourself with one click.
If you’re working with one of our Managed IT Service Provider (MSP) partners, then we’ll direct you to them.
If you’re an MSP, we’ll happily help you directly or support your clients with our white-label service.
ThreeShield Information Security, the people who made Lavawall®, is an MSP for MSPs: ThreeShield provides Level 3 and cyber security support for IT companies and internal IT departments and are happy to support you behind the scenes to make you a rock star cybersecurity-enabled MSP.
We understand that this is a bit complicated. However, Lavawall® grew out of our MSP practice, where we endured vendors going around us to serve our clients directly so they could make a couple bucks and we don’t ever want to do that to our partners.
You’re pretty fast!
When the device agent first installs, it assigns a GUID like the name that you saw. This means that it has installed, but hasn’t had a chance to gather any information. If you refresh after a few seconds, the real name will appear.
If you click on details, the Hardware information should appear within the first minute, followed by configuration and storage information. Processes take a few minutes to calculate. After a few minutes, you'll get the process information along with installed applications and missing patches.
You won’t see the graphs in the processes until Lavawall® has had a chance to monitor them for a bit. The installed applications and missing patches take a few minutes for us to assemble. First, we have to collect the applications, then compare them with our patch and vulnerability listings. These happen on a server-side schedule, so the time it takes to calculate them depends on the minute that the computer came online. Sometimes, it can take up to five minutes.
You might notice dots in the Performance Trends tab instead of a nice graph. This is because Lavawall® will only have one data point.
In short, the agents require root or administrator rights and the Microsoft 365 plugin requires extensive read permissions. See the permissions page for more details.
The Lavawall® Phishing Reporter is a free Microsoft Outlook add-in that analyzes every email a user opens and shows a color-coded banner indicating how safe it is. Users can report suspicious emails with one click, which files a report with the Lavawall® console and optionally with Microsoft, IT support, and the organization's security team.
The add-in runs in Outlook on the web, new Outlook on Windows, classic Outlook on Windows, Outlook on Mac, and Outlook on iOS and Android. It analyzes emails when a message is opened without having to submit the message for manual review. However, it does include an option to manually submit, if desired.
The tool reviews the email headers, links, and other signals that Microsoft's SafeLinks and Defender filtering miss. However, it also layers on top of Microsoft's own spam and phishing filtering, and reputation lookups against public threat-intelligence sources.
To enhance privacy, the tool caches most frequently-used domains and signals from your company and Lavawall®'s users on your computer so tests for most emails never leave your computer. Third-party lookups happen from our servers so threat-intelligence systems can't associate the requests with your IP address.
After creating a free Lavawall® account and connecting your Microsoft 365 tenant via single sign-on, go to the Phishing Reports → Add-in Setup tab in the console. The console generates a tenant-specific manifest URL and an XML manifest file that you deploy through the Microsoft 365 admin center under Integrated apps → Upload custom apps.
Once deployed, the add-in appears on the Outlook ribbon as Report Phishing for every user in the assigned groups. No per-user installation is required.
For MSPs, each customer tenant gets its own manifest with its own tenant identifier embedded in the SSO configuration. You deploy the manifest once per customer.
When the analyzer encounters an unfamiliar domain (either the sender's domain or a link target), it may query the following external reputation sources to help classify the domain:
- PhishDestroy — a volunteer-maintained, non-commercial database of phishing and scam domains. Free to query; no API key required. Hosted in Europe.
- Cloudflare 1.1.1.2 malware-blocking DNS — a public DNS resolver that returns 0.0.0.0 for domains categorized as malware. No API; standard DNS query.
- Quad9 9.9.9.9 secure DNS — a public DNS resolver operated by a Swiss non-profit that returns NXDOMAIN for domains on its security blocklist. No API; standard DNS query.
- OpenDNS (Cisco) — a public DNS resolver that redirects known phishing domains to a block-page IP. No API; standard DNS query.
- URLhaus (abuse.ch) — a community threat-intelligence feed of malicious URLs. We download a CSV snapshot nightly and import it into our local reputation database so we do not make runtime queries to URLhaus.
Verdicts are cached in our Canadian database (24 hours for clean results, 7 days for flagged ones) so the same domain is not re-queried repeatedly. Sources are rotated so that no single service sees all of our queries.
This is enabled by default under the GDPR Article 6(1)(f) legitimate-interest basis for network and information security (Recital 49). You can turn it off per-tenant from the Settings tab if your organization has a regulatory requirement restricting outbound reputation queries.
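An added example, not Lavawall®'s own code, of the verdict cache and source rotation described above, using the 24-hour and 7-day lifetimes and the 0.0.0.0 / NXDOMAIN block signals from the list. It assumes round-robin rotation with one source per lookup, covers only the Cloudflare and Quad9 resolvers, and replaces live DNS with constructed answers; all names in it are hypothetical.

```python
"""Added example: TTL-by-verdict cache in front of rotated DNS reputation sources."""
import itertools
import time

CLEAN_TTL = 24 * 3600        # clean verdicts are kept for 24 hours
FLAGGED_TTL = 7 * 24 * 3600  # flagged verdicts are kept for 7 days


def classify(source, rcode, addresses):
    """Map one filtering resolver's answer to 'flagged', 'clean' or 'unknown'."""
    # Cloudflare 1.1.1.2 answers 0.0.0.0 for names it categorizes as malware.
    if source == "cloudflare-1.1.1.2" and "0.0.0.0" in addresses:
        return "flagged"
    # Quad9 answers NXDOMAIN for names on its blocklist. An unregistered name
    # also yields NXDOMAIN, so a deployment needs a way to tell the two apart.
    if source == "quad9" and rcode == "NXDOMAIN":
        return "flagged"
    if rcode == "NOERROR" and addresses:
        return "clean"
    return "unknown"  # SERVFAIL, timeouts, empty answers: never cached


class ReputationCache:
    def __init__(self, sources, lookup, clock=time.time):
        self._rotation = itertools.cycle(sources)  # assumed: round-robin
        self._lookup = lookup   # callable(source, domain) -> (rcode, [addresses])
        self._clock = clock
        self._entries = {}      # domain -> (verdict, expires_at)
        self.queries = []       # (source, domain) log, to show what each source saw

    def verdict(self, domain):
        domain = domain.lower().rstrip(".")
        cached = self._entries.get(domain)
        if cached and cached[1] > self._clock():
            return cached[0]    # still fresh: no outbound query at all
        source = next(self._rotation)
        self.queries.append((source, domain))
        rcode, addresses = self._lookup(source, domain)
        result = classify(source, rcode, addresses)
        if result != "unknown":
            ttl = FLAGGED_TTL if result == "flagged" else CLEAN_TTL
            self._entries[domain] = (result, self._clock() + ttl)
        return result


# Constructed answers standing in for live DNS so the example runs offline.
SAMPLE_ANSWERS = {
    ("cloudflare-1.1.1.2", "malware.example"): ("NOERROR", ["0.0.0.0"]),
    ("quad9", "malware.example"): ("NXDOMAIN", []),
}


def sample_lookup(source, domain):
    """Return the constructed answer, or a normal A record for any other name."""
    return SAMPLE_ANSWERS.get((source, domain), ("NOERROR", ["192.0.2.10"]))


if __name__ == "__main__":
    cache = ReputationCache(["cloudflare-1.1.1.2", "quad9"], sample_lookup)
    for name in ["malware.example", "good.example", "malware.example"]:
        print(name, cache.verdict(name))
    print("outbound queries:", cache.queries)
```

With one source per lookup, a clean verdict reflects only the source that happened to be asked, so it is cached for the shorter lifetime while a flagged verdict persists for the longer one.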
The add-in sends data to two places:
- Your Lavawall® console (hosted in Canada). When a user reports an email as phishing, the message headers, plain-text body, link list, and attachment metadata are transmitted for analysis and stored with your tenant's reports. When background analysis runs on an opened message, only message headers, sender information, link list, and subject are sent — not the full body.
- External reputation services (PhishDestroy, Cloudflare 1.1.1.2, Quad9, OpenDNS). Only the bare domain name of unfamiliar senders and link targets is sent. No email contents, no URL paths, no user information.
RDAP (Registration Data Access Protocol) lookups for domain age and registrar are sent to the authoritative TLD registry (for example, Verisign for .com). These are cached in our database for 30 days to minimize repeat queries.
Full details are in our Privacy Policy, section 6 (sub-processors) and the Phishing Reporter–specific data-flow section.
Log into the Lavawall® console, go to Phishing Reports → Settings, and uncheck “Check domains against external reputation services”. The setting is per-tenant and takes effect immediately for all new analyses.
Disabling external lookups reduces detection coverage — domains that are not yet in our local reputation database and not flagged by our built-in DGA / typosquat / recipient-identifier heuristics may be scored lower than they would be with external corroboration. We recommend disabling this only if your organization has a specific regulatory requirement that restricts outbound reputation queries.
The analyzer looks for domain patterns that are very rare in legitimate business email but extremely common in phishing infrastructure:
- Word + numeric suffix on an unrecognized apex — e.g. meili880.com, billing42.top. Legitimate short-form brand names like 3M, 7-Eleven, 23andMe, M3, H3, o365, and office365 are not flagged.
- High-entropy / gibberish apex labels — e.g. xozekcj.biz, qkzrmvgh.cf. Detected using consonant/vowel ratio, English n-gram bigram frequency, and consecutive-consonant run length.
- Trust-building keywords embedded in the apex — e.g. secure-microsoft-login.tk, verify-account.xyz.
- Frequently-abused top-level domains — .xyz, .top, .tk, .ml, .cf, .ga, .gq, .click, .link, .cfd, .sbs, .cyou, and others based on current Spamhaus and Interisle abuse-rate reports.
- URL shorteners — bit.ly, tinyurl.com, t.co, lnkd.in, app.link, page.link, 2no.co, and ~50 others. Legitimate business email rarely uses shorteners, and phishing attackers love them because they hide the destination from the user and from reputation filters.
- Punycode / IDN homoglyph attacks — e.g. xn--micrsoft-79a.com (which reads as “micrǒsoft.com” with a non-ASCII character).
- Excessive subdomain depth — login.verify.update.secure.bad.top.
- Typosquat distance to protected brands — edit distance and homoglyph-substitution distance against Microsoft, Google, Office 365, SharePoint, OneDrive, Dropbox, Box, Adobe, Apple, DocuSign, PayPal, Amazon, eBay, LinkedIn, Facebook, and the customer's own configured brand domains.
- Recipient identifier embedded in URL query strings — 14 encodings detected including plaintext, URL-encoded, base64, base64url, hex, punycode, ROT13, reversed, and plus-aliased. A link like https://bad.xyz/login?email=alice@acme.com is an immediate red flag because legitimate sites do not pre-fill credentials this way.
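An added example, not Lavawall®'s own code, of the last heuristic in the list: it checks each query parameter of a link for the recipient's address in eight of the encodings named above (plaintext, URL-encoded, base64, base64url, hex, ROT13, reversed, plus-aliased). The function and helper names are hypothetical, and the constructed sample links reuse the alice@acme.com and bad.xyz values from the text.

```python
"""Added example: find a recipient's address hidden in a link's query string."""
import base64
import codecs
from urllib.parse import unquote, urlsplit


def _canonical(addr):
    """Lower-case an address and drop any +tag from the local part."""
    local, _, domain = addr.strip().lower().partition("@")
    return local.split("+", 1)[0] + "@" + domain


def _b64(value, altchars=None):
    """Decode base64 or base64url text, tolerating stripped padding."""
    try:
        padded = value + "=" * (-len(value) % 4)
        return base64.b64decode(padded, altchars=altchars, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None


def _hex(value):
    """Decode a hex string to text, or None if it is not valid hex/UTF-8."""
    try:
        return bytes.fromhex(value).decode("utf-8")
    except ValueError:
        return None


# Tried in order after the plain / percent-decoded value itself.
DECODERS = [
    ("base64", _b64),
    ("base64url", lambda v: _b64(v, altchars=b"-_")),
    ("hex", _hex),
    ("rot13", lambda v: codecs.decode(v, "rot_13")),
    ("reversed", lambda v: v[::-1]),
]


def find_recipient_in_query(url, recipient):
    """Return (parameter, encoding) pairs whose value decodes to `recipient`."""
    want = _canonical(recipient)
    hits = []
    for pair in urlsplit(url).query.split("&"):
        name, _, raw = pair.partition("=")
        if not raw:
            continue
        value = unquote(raw)  # one level of percent-decoding; a literal '+' is kept
        candidates = [("url-encoded" if value != raw else "plaintext", value)]
        candidates += [(label, decode(value)) for label, decode in DECODERS]
        for label, text in candidates:
            if text and "@" in text and _canonical(text) == want:
                if text.strip().lower() != recipient.strip().lower():
                    label += "+alias"  # matched only after dropping a +tag
                hits.append((name, label))
                break  # one encoding per parameter is enough to flag the link
    return hits


# Constructed sample links; the last one is a benign control.
SAMPLE_LINKS = [
    "https://bad.xyz/login?email=alice@acme.com",
    "https://bad.xyz/login?e=alice%40acme.com",
    "https://bad.xyz/login?t=YWxpY2VAYWNtZS5jb20",
    "https://bad.xyz/login?u=616c6963654061636d652e636f6d",
    "https://bad.xyz/login?r=nyvpr@npzr.pbz",
    "https://bad.xyz/login?x=moc.emca@ecila",
    "https://bad.xyz/login?m=alice%2Bpromo%40acme.com",
    "https://bad.xyz/unsubscribe?id=12345&lang=en",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", find_recipient_in_query(link, "alice@acme.com"))
```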
Yes. MSPs deploy the add-in once per customer tenant. Each customer has their own isolated:
- Report database (phishing reports from Customer A are not visible to Customer B)
- Domain reputation list (global reputation entries plus tenant-specific entries)
- Partner domain list (trusted external senders, with optional inheritance to child companies)
- Settings (notification email, ticketing, external reputation toggle, pop-up customization)
- Outlook add-in manifest with its own tenant identifier and SSO configuration
- Partner domains inherit to children — mark lavawall.com as trusted at the MSP level with scope “children”, and it applies automatically to every customer you manage.
- Parent M365 domains auto-trusted — if your MSP shares an M365 tenant hierarchy, the parent tenant's verified domains are automatically treated as partner domains for child tenants.
- MSP reporting — roll-up dashboards across all customer tenants, without exposing individual reports to other MSPs.
- Billing — no per-tenant or per-user fees. Deploy to as many customers as you want.
The Outlook add-in itself requests ReadWriteMailbox, which allows it to read the currently-opened message, move it to the Junk or Deleted folder, and display notifications. This is the standard permission for event-based Outlook add-ins.
The console-side M365 integration (used for reading tenant domain list and partner domain enrichment) uses OAuth 2.0 single sign-on with these scopes:
- User.Read — sign-in and user profile
- Domain.Read.All — enumerate verified domains on the tenant (so we know which domains belong to your organization for alert classification)
- offline_access — keep the integration working without repeated sign-in prompts
Mail.Read, Mail.ReadWrite, or any permission that would let the console read mailboxes outside of the user's own Outlook session. All email analysis happens inside Outlook via the add-in; Lavawall® phishing tools never fetch mail from M365 directly.
The Phishing Reporter runs on all current Outlook platforms:
- Outlook on the web (outlook.office.com)
- Outlook on Windows (Microsoft 365) — the new, WebView-based Outlook
- Outlook on Windows 2016 / 2019 / 2021 / LTSC (classic Outlook on Windows)
- Outlook on Mac (Microsoft 365 and 2019+)
- Outlook on iOS
- Outlook on Android
Mailbox 1.15 or later, which covers all Microsoft 365 subscriptions and supported Outlook 2019 / 2021 / LTSC builds.
Often, yes. Microsoft Defender for Office 365 and Exchange Online Protection already catch the bulk of obvious phishing. The Phishing Reporter focuses on the evasive cases that reach the inbox:
- Fresh throwaway domains registered hours or days before sending — no reputation signal exists yet, but DGA-pattern heuristics and young-domain multipliers catch them.
- Typosquats of customer brands — Defender protects the biggest brands well but does not know your customer-specific protected brands.
- URL shorteners hiding phishing destinations — Defender often lets these through because the shortener domain itself (bit.ly, app.link) is clean.
- Recipient identifier in URL — credential-prefill links are not a standard Defender signal.
- Authentication result inspection — we show SPF / DKIM / DMARC results in plain language with scoring, so users understand why an email is suspicious.
- Partner domain awareness — Defender treats all external senders equally; we know which external domains you trust (lavawall.com, partner MSPs, verified vendors) and color-code accordingly.
All phishing reports are stored on Lavawall® Canadian infrastructure:
- Report data, headers, message bodies, link lists, attachment metadata: AWS data center in Montréal, Québec, Canada
- Analysis engine, IP enrichment, MaxMind GeoIP database: dedicated servers in Calgary, Alberta, Canada
- Reputation cache: same Canadian database as reports