MacawsHub

Darts Solutions Inc.

Darts Solutions — penetration testing + security sign-off for MyDirectPlan and MyCommunityHub

Penetration testing and security verification for Darts Solutions' two public-sector products — MyDirectPlan and MyCommunityHub — to clear the independent security review required by Ontario / federal procurement before deployment to government users.

Sector: Social-services SaaS
Year: 2024
Services: Security & Compliance

Darts Solutions Inc. is a Canadian software company based in Concord, Ontario, building products that serve individuals with developmental disabilities and autism — and the public-sector partners that fund them. Their two flagship platforms are MyDirectPlan, which helps people manage the government funding they receive directly, and MyCommunityHub, which handles registration and access to community services for the same population. Both products operate at the boundary between sensitive personal data, government-managed benefits, and front-line social-services delivery — which means any deployment into a public-sector environment has to pass an independent third-party security review before the procurement officers will sign off.

What we did

We ran a structured penetration-testing engagement across both products — covering authenticated and unauthenticated attack surfaces, the web application layer, and the back-end APIs. The work combined manual review (where most of the high-severity findings live) with tool-assisted scanning, then a remediation phase where we partnered with Darts’ own engineers to prioritize each issue, agree on the fix, and verify it had landed before signing off. The output of the engagement was the formal independent report that procurement officers needed to clear the apps for deployment.

Why it mattered

For products like MyDirectPlan and MyCommunityHub, the security review isn’t a tick-box exercise — it’s the gate between the software working and the software being allowed to work for the people it’s built to serve. Independent third-party review of this kind is a prerequisite for most Ontario government RFPs, so the certificate Darts got out of the engagement unlocks a sales channel as much as it verifies the engineering. Both products cleared the review and proceeded into public-sector deployment.

Concrete metrics from the engagement — vulnerabilities found by severity, time-to-remediation, scope of test passes — can be added here once Darts Solutions and MacawsHub agree on what’s public-facing. The headline today is the outcome: independent sign-off, both apps cleared, deployment proceeded.
