Trust & Data Residency
What happens to your permit documents, and where
Last updated: June 26, 2026
Permit drawings and applications hold real personal and project information: owner names, site addresses, and the financial shape of a build. Cities and firms that hand us those files deserve a straight answer about how they are handled. This page is written for a procurement review. It states what is in place today, what is still being built, and which questions to put to us before you sign. If a control is not live yet, it says so. We do not claim certifications we do not hold.
At a glance
TLS 1.3, HSTS enforced
AES-256 block storage
Contractually prohibited
Per-run logging, no document content
Enterprise tier; self-serve runs in US West today
Legal review underway
Target Q4 2026, not yet certified
Download below
Where your data lives
Canadian data residency
We are honest about this because it matters for public-sector buyers. The self-serve product runs on infrastructure hosted in the United States today. We do not pretend otherwise.
This is our complete list of sub-processors today: Vercel (frontend hosting), Render (backend and database hosting), Anthropic and Google (AI processing), Stripe (payments), and Cloudflare (DNS and edge). We do not use any other third party to process your document content. If we add a sub-processor, this list is updated before the change takes effect.
For municipalities and BC public bodies: if your policy or your FIPPA / PIPEDA obligations require records to stay on Canadian soil, a Canadian-region deployment is available at the Enterprise tier. Talk to us at enterprise@vanpermitaudit.ca before subscribing, so we can confirm the arrangement in writing first.
How it is protected
Encryption in transit and at rest
Your documents stay yours
We never train AI on your documents
Your permit text and drawing images are sent to our AI providers only to produce your compliance report, and for no other purpose. We do not use your documents to train, fine-tune, or improve any model. Each provider processes your inputs under its own commercial API terms, described below.
Accountability
Audit trail
Every analysis run is logged so we can answer who did what and when, without keeping a second copy of your document content.
Privacy law
PIPEDA, FIPPA, and MFIPPA alignment
Different buyers fall under different privacy laws. Private firms in Canada are covered by PIPEDA. BC public bodies fall under FIPPA. Ontario municipalities fall under MFIPPA. We are aligning our practices to all three, and that review is still in progress.
The detailed retention schedule and your access rights are in the Privacy Policy. Note: MFIPPA applies to Ontario municipalities; BC local governments are governed by FIPPA. We point each buyer to the act that actually applies to them.
For your privacy office
Privacy Impact Assessment template
Many public bodies require a Privacy Impact Assessment (PIA) before adopting a new tool. To save your team the cold start, we publish a pre-filled PIA template that maps Van Permit Audit's data flows to the standard PIA sections. Your privacy office reviews and adapts it; we are not your legal advisor, and the template is a starting point, not a sign-off.
PIA template (Markdown)
Data flow, collection, use, disclosure, retention, and safeguards, pre-mapped to VPA.
Independent assurance
Our path to SOC 2
We are not SOC 2 certified yet, and we will not say we are. We are a small team building toward it on a real timeline. Here is the trajectory, stated as a plan and not a promise.
Engineering and infrastructure detail lives on the Security page, including hosting, access control, and responsible disclosure.
Vendor questionnaire
CAIQ-lite security summary
A short answer to the questions most vendor-risk questionnaires (CAIQ-lite, SIG-lite) ask, so your security team can pre-screen us before sending the full document. Every answer below reflects what is true today.
Reaching our security team
Security contact and responsible disclosure
For security questionnaires, a Data Processing Agreement, or to report a vulnerability, contact our security team directly. We acknowledge security reports within two business days and do not pursue legal action against good-faith research that stays within scope.
Before you sign
Procurement and vendor review
If your process needs a vendor-risk assessment, an InfoSec questionnaire, a Data Processing Agreement, a completed PIA, or a Canadian-residency arrangement, reach out to enterprise@vanpermitaudit.ca before subscribing. We would rather answer the hard questions up front. Standard MSA and DPA templates are on the Legal & Agreements page so most reviews can run against those without a long back-and-forth.