# Privacy Impact Assessment (PIA) Template: Van Permit Audit

**Version:** 1.0  **Last updated:** June 26, 2026

> This template is provided by Van Permit Audit Inc. to help a public body or
> private organization complete a Privacy Impact Assessment before adopting the
> service. It is pre-filled with how Van Permit Audit handles data, so your
> privacy office starts from facts rather than a blank page.
>
> **This is a starting point, not legal advice and not a completed assessment.**
> Your privacy office is responsible for reviewing, adapting, and signing off.
> Where a control is described as "in progress" below, it is genuinely not yet
> in place; do not record it as live in your own assessment.

---

## 0. How to use this template

1. Fill in the bracketed `[...]` fields for your organization.
2. Confirm each pre-filled statement against the current Van Permit Audit Trust
   and Security pages (vanpermitaudit.ca/trust and /security), since posture
   changes over time.
3. For anything marked "in progress" or "on request," contact
   enterprise@vanpermitaudit.ca to confirm the current state in writing before
   relying on it.
4. Route the completed assessment through your own privacy and legal review.

---

## 1. Project / initiative summary

| Field | Detail |
|---|---|
| Initiative name | [Adoption of Van Permit Audit for permit compliance pre-screening] |
| Organization / public body | [Your organization] |
| Business owner | [Name, title] |
| Privacy contact | [Name, title, email] |
| Assessment date | [YYYY-MM-DD] |
| Governing privacy law | [PIPEDA / BC FIPPA / Ontario MFIPPA: select the act that applies to you] |
| Vendor | Van Permit Audit Inc., Vancouver, BC, Canada |

**Purpose of the initiative:** Van Permit Audit analyzes uploaded building-permit
documents against published municipal bylaws and returns a compliance report.
The goal is to surface likely permit issues earlier.

---

## 2. Personal information involved

| Data element | Source | Sensitivity | Notes |
|---|---|---|---|
| Owner / applicant name | Inside uploaded permit PDF | Personal information | Present in many permit documents |
| Property / site address | Inside uploaded permit PDF | Personal information | Identifies a property and often an individual |
| Project / financial detail | Inside uploaded permit PDF | Commercially sensitive | Construction scope and value |
| Account email | Provided at signup | Personal information | For login and report delivery |
| Password (hashed) | Provided at signup | Credential | Stored only as a bcrypt hash, work factor 12 |
| Run / usage metadata | Generated by the service | Operational | Run ID, timestamp, outcome; no document content |

**Special categories:** Van Permit Audit does not request health, biometric, or
other special-category data. Do not upload documents containing such data unless
your own assessment covers it.

---

## 3. Data flow

1. User uploads a permit PDF over HTTPS (TLS 1.3) to the Van Permit Audit frontend.
2. The file passes to the backend API (TLS 1.3). The PDF is held in memory only.
3. Text is extracted from the PDF in memory; the binary file is not written to disk.
4. Drawing-sheet pages are rasterized to images in memory.
5. Extracted text and the rasterized drawing images are sent to the AI providers
   (TLS) to generate the compliance report: drawing images to Google (Gemini API)
   to read dimensions, and text plus images to Anthropic (Claude API) for the
   compliance analysis and as the vision fallback. See section 7 for both providers.
6. The report and run metadata are stored in the encrypted database.
7. The user views the report and may generate a certificate PDF on demand.

**Data flow (in order):**
`Browser → Frontend CDN → Backend API → in-memory text extraction and drawing-image rasterization → AI providers (Google Gemini and Anthropic Claude) → encrypted database → back to the user`

---

## 4. Collection, use, and disclosure

| Question | Answer |
|---|---|
| Why is each element collected? | To analyze permit documents and return a compliance report, and to operate the account. |
| Is collection limited to what is needed? | Yes. Only the uploaded document text, rasterized drawing-sheet images, and basic account data are used. |
| Is data used for any secondary purpose? | No. Documents are not used to train or improve any AI model. |
| Is data disclosed to third parties? | Only to the named sub-processors in section 7, solely to deliver the service. |
| Is data sold or shared for marketing? | No. |
| Is data used to train AI models? | Not by Van Permit Audit. Inputs are sent to two AI sub-processors (section 7): Anthropic's commercial API terms state it does not train on inputs or outputs submitted through the API; Google processes inputs under its paid Gemini API terms to deliver the result, and we do not use them for training. |

---

## 5. Data residency

| Question | Answer |
|---|---|
| Where is data processed and stored (self-serve)? | United States (Render, US West / Oregon) for the self-serve product. |
| Is a Canadian-residency option available? | Yes, at the Enterprise tier on request. Confirm in writing before relying on it. |
| Cross-border transfer disclosed to users? | Yes, on the Trust and Privacy pages. |
| Residency requirement for your initiative | [State your requirement and whether the Enterprise Canadian option is needed] |

> If your initiative requires records to remain on Canadian soil (common for BC
> FIPPA and Ontario MFIPPA public bodies), do not adopt the self-serve product;
> arrange the Enterprise Canadian deployment first.

---

## 6. Safeguards

| Safeguard | Status |
|---|---|
| Encryption in transit (TLS 1.3, HSTS) | Live |
| Encryption at rest (AES-256, block storage) | Live |
| Uploaded PDF never written to disk | Live |
| Password hashing (bcrypt, work factor 12) | Live |
| Per-run audit logging, no document content | Live |
| Rate limiting and input sanitization | Live |
| MIME-type validation on upload (PDF only) | Live |
| Application-layer envelope encryption | In progress (target Q1 2027) |
| Multi-factor authentication | In progress (target Q3 2026) |
| SSO / SAML | In progress (target Q4 2026) |
| SOC 2 Type I | In progress (target Q4 2026), not yet certified |
| Penetration test | Scheduled (Q3 2026) |
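An added example, not Van Permit Audit's own code, showing how the in-memory handling described in section 3 and three of the controls in this table (PDF-only validation, uploaded binary never written to disk, per-run audit record with no document content) can be expressed as a minimal upload gate. The 25 MB size limit and the text-extraction stand-in are assumptions for the example.

```python
"""Added example (not Van Permit Audit's code): a minimal upload gate that
mirrors three section 6 controls: PDF-only validation, the uploaded binary never
written to disk, and a per-run audit record that carries run ID, timestamp and
outcome but no document content."""
import io
import uuid
from datetime import datetime, timezone
from typing import Dict, Tuple

MAX_UPLOAD_BYTES = 25 * 1024 * 1024  # assumed limit for this example


def validate_pdf(data: bytes) -> str:
    """Return 'ok' or a rejection reason. Checks the PDF magic bytes rather
    than trusting the client-supplied Content-Type header."""
    if len(data) > MAX_UPLOAD_BYTES:
        return "too_large"
    if not data.startswith(b"%PDF-"):
        return "not_pdf"
    return "ok"


def extract_text_in_memory(data: bytes) -> str:
    """Stand-in for the text-extraction step. A real service would hand this
    BytesIO to a PDF library; the point is that only an in-memory buffer exists,
    never a path on disk."""
    return io.BytesIO(data).read().decode("latin-1", errors="replace")


def audit_record(run_id: str, outcome: str, declared_type: str) -> Dict[str, str]:
    """Per-run metadata only: no text, no bytes, no filename from the upload."""
    return {
        "run_id": run_id,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "declared_content_type": declared_type,
        "outcome": outcome,
    }


def handle_upload(data: bytes, declared_type: str) -> Tuple[Dict[str, str], str]:
    """Validate, extract in memory, and emit the audit record for one run."""
    run_id = str(uuid.uuid4())
    verdict = validate_pdf(data)
    if verdict != "ok":
        return audit_record(run_id, "rejected:" + verdict, declared_type), ""
    text = extract_text_in_memory(data)
    # `text` would now go to the analysis step; `data` is dropped on return.
    return audit_record(run_id, "accepted", declared_type), text


# Constructed sample inputs for the example
SAMPLE_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF"
SAMPLE_HTML = b"<html><body>not a permit</body></html>"
```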

---

## 7. Sub-processors

| Sub-processor | Role | Region |
|---|---|---|
| Vercel | Frontend hosting / CDN | Global edge |
| Render | Backend API and database hosting | US West (Oregon); Canadian region on request at Enterprise tier |
| Anthropic (Claude API) | Compliance analysis of document text and drawing images; vision fallback | US-based; commercial API terms state no training on submitted inputs or outputs |
| Google (Gemini API) | Reads dimensions off rasterized drawing-sheet images | US-based; inputs processed under Google's paid Gemini API terms to deliver the result |
| Stripe | Payment processing (PCI DSS Level 1) | Card data never touches Van Permit Audit servers |
| Cloudflare | DNS, DDoS mitigation, edge security | Global edge |

> Confirm the current sub-processor list with Van Permit Audit before sign-off,
> as it can change.

---

## 8. Retention and disposal

| Data element | Retention |
|---|---|
| Uploaded PDF (binary) | Not retained; discarded after the run |
| Extracted project text | Up to 90 days, then purged |
| Analysis results | Life of the account |
| Account data | Until deletion plus a 30-day grace period |
| Audit and access logs | 12 months |
| Payment records | Retained as required by law (CRA: 7 years) |

**Deletion:** email support@vanpermitaudit.ca. Personal data is deleted within 30
days of a verified request and confirmed in writing.

---

## 9. Breach response

- Van Permit Audit commits to notify the relevant privacy commissioner and
  affected individuals within 72 hours of confirming a reportable breach.
- Notification includes the facts of the breach, the approximate number of
  individuals affected, likely consequences, mitigation taken, and a contact point.
- [Describe how your organization would be informed and how you would notify your
  own stakeholders.]

---

## 10. Privacy risk register

| # | Risk | Likelihood | Impact | Mitigation | Residual risk | Owner |
|---|---|---|---|---|---|---|
| 1 | Personal info in permit PDFs processed outside Canada (self-serve) | [ ] | [ ] | Use Enterprise Canadian deployment; or accept cross-border transfer with disclosure | [ ] | [ ] |
| 2 | Unauthorized account access | [ ] | [ ] | bcrypt hashing, rate limiting; MFA in progress | [ ] | [ ] |
| 3 | Over-retention of project text | [ ] | [ ] | 90-day purge; deletion on request | [ ] | [ ] |
| 4 | Misuse of documents for model training | [ ] | [ ] | Terms with the AI sub-processors (section 7): Anthropic's commercial API terms state no training on inputs or outputs; Google inputs processed under paid Gemini API terms | [ ] | [ ] |
| 5 | [Add your own] | [ ] | [ ] | [ ] | [ ] | [ ] |

---

## 11. Sign-off

| Role | Name | Decision | Date |
|---|---|---|---|
| Privacy officer | [ ] | [Approve / approve with conditions / reject] | [ ] |
| Business owner | [ ] | [ ] | [ ] |
| Security lead | [ ] | [ ] | [ ] |

---

*Questions about anything in this template: enterprise@vanpermitaudit.ca. This
template reflects Van Permit Audit's posture as of the version date above and
does not replace your own legal and privacy review.*
