Security · trust

How we handle your data.

Saen Labs handles regulated documents — passports, financial records, medical evidence — for verticals where one mistake has a measurable cost. This page is a plain-English summary of how we secure that data. For a full vendor-assessment package, email hello@saenlabs.com.

  1. Data handling

    Customer documents (passports, application forms, supporting evidence) are processed in-region in the cloud you specify (Canada, US, or EU). We do not use customer data to train any model — not ours, not a third party’s. Documents are retained only for the active workflow and the duration explicitly authorized by the customer.

  2. Encryption

    All data in transit uses TLS 1.3+. Data at rest is encrypted with AES-256. Database keys are managed via the cloud provider’s key management service (KMS).

  3. Access controls & isolation

    Multi-tenant isolation is enforced at the database level via PostgreSQL Row-Level Security (RLS) policies — every query is scoped to the authenticated organization. RBAC roles (org_admin, org_agent, org_applicant, b2c_user) gate every API route. The platform was built with these primitives from day one, not retrofitted.

  4. Audit & accountability

    Every status change on every record (applications, profiles, documents, templates) is logged to an append-only status_history table. Organizations can never be deleted — only suspended — to preserve audit lineage for regulatory inquiries.

  5. Sub-processors

    We use a small, deliberate set of sub-processors: Supabase (Postgres + auth + storage), Vercel (hosting), Azure Document Intelligence & AWS Textract (OCR), DeepSeek & Gemini (LLM inference). All sub-processors are reviewed for SOC 2 / ISO 27001 compliance before integration. Full list on request.

  6. Compliance roadmap

    SOC 2 Type II — audit in progress, targeting completion in Q3 2026. PIPEDA-aligned for Canadian PII handling. HIPAA roadmap available for the healthcare vertical on request. GDPR-aligned data subject rights (access, deletion, portability) supported across all customer accounts.

  7. Incident response

    Documented incident response playbook with RTO < 4 hours. Customer notification within 72 hours of confirmed breach, per GDPR Article 33 standards. Severity classification, escalation chain, and post-mortem template all documented internally.
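As an added illustration, not Saen Labs' own schema or code: one way to express the organization-scoped Row-Level Security from section 3 and the append-only status history from section 4 in PostgreSQL. Table, column and role names (`applications`, `status_history`, `app_rw`) and the per-request session setting `app.org_id` are assumptions; on Supabase the org id would typically be read from the verified JWT instead.

```sql
-- Added example, not Saen Labs' schema. Assumed names: applications, status_history,
-- app_rw (the API's database role) and the session setting app.org_id.
CREATE TABLE applications (
  id      bigserial PRIMARY KEY,
  org_id  uuid NOT NULL,
  status  text NOT NULL
);
CREATE TABLE status_history (
  id          bigserial PRIMARY KEY,
  org_id      uuid NOT NULL,
  record_id   bigint NOT NULL,
  old_status  text,
  new_status  text NOT NULL,
  changed_at  timestamptz NOT NULL DEFAULT now()
);

-- ENABLE alone is not enough: the table owner bypasses policies unless FORCE is set.
-- Superusers and roles with BYPASSRLS are always exempt, so the API must not use them.
ALTER TABLE applications   ENABLE ROW LEVEL SECURITY;
ALTER TABLE applications   FORCE  ROW LEVEL SECURITY;
ALTER TABLE status_history ENABLE ROW LEVEL SECURITY;
ALTER TABLE status_history FORCE  ROW LEVEL SECURITY;

-- USING filters what the caller can see; WITH CHECK rejects writes that would land
-- in another org. If app.org_id is unset, current_setting(..., true) returns NULL,
-- the comparison is NULL, and the policy fails closed (no rows, no writes).
CREATE POLICY org_isolation ON applications
  USING      (org_id = current_setting('app.org_id', true)::uuid)
  WITH CHECK (org_id = current_setting('app.org_id', true)::uuid);
CREATE POLICY org_isolation ON status_history
  USING      (org_id = current_setting('app.org_id', true)::uuid)
  WITH CHECK (org_id = current_setting('app.org_id', true)::uuid);

-- The API role may append to the history but is never granted UPDATE or DELETE on it.
GRANT SELECT, INSERT, UPDATE ON applications   TO app_rw;
GRANT SELECT, INSERT         ON status_history TO app_rw;
GRANT USAGE ON ALL SEQUENCES IN SCHEMA public  TO app_rw;

-- Record every status change from a trigger so application code cannot skip it.
CREATE FUNCTION log_status_change() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
  IF NEW.status IS DISTINCT FROM OLD.status THEN
    INSERT INTO status_history (org_id, record_id, old_status, new_status)
    VALUES (NEW.org_id, NEW.id, OLD.status, NEW.status);
  END IF;
  RETURN NEW;
END $$;
CREATE TRIGGER applications_status_audit
  AFTER UPDATE ON applications FOR EACH ROW EXECUTE FUNCTION log_status_change();

-- Per request, after verifying the session and inside the transaction, the API runs:
-- SET LOCAL app.org_id = '<org uuid from the authenticated session>';
```

SET LOCAL scopes the org id to the current transaction, so a pooled connection cannot leak one tenant's context into the next request.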

Last reviewed: April 2026. Have a specific compliance question or vendor assessment requirement? hello@saenlabs.com — we’ll respond within one business day.