Trust & Data Residency

What happens to your permit documents, and where

Last updated: June 26, 2026

Permit drawings and applications hold real personal and project information: owner names, site addresses, and the financial shape of a build. Cities and firms that hand us those files deserve a straight answer about how they are handled. This page is written for a procurement review. It states what is in place today, what is still being built, and which questions to put to us before you sign. If a control is not live yet, it says so. We do not claim certifications we do not hold.


At a glance

Encryption in transit: Live (TLS 1.3, HSTS enforced)
Encryption at rest: Live (AES-256 block storage)
Never trained on your documents: Live (Contractually prohibited)
Audit trail: Live (Per-run logging, no document content)
Canadian data residency: On request (Enterprise tier; self-serve runs in US West today)
PIPEDA / FIPPA review: In progress (Legal review underway)
SOC 2 Type I: In progress (Target Q4 2026, not yet certified)
Privacy Impact Assessment: Template ready (Download below)


Where your data lives

Canadian data residency

We are honest about this because it matters for public-sector buyers. The self-serve product runs on infrastructure hosted in the United States today. We do not pretend otherwise.

Frontend / CDN: Vercel global edge network. Static assets only; uploaded files are not stored here.
Backend API: Render, US West (Oregon) for the self-serve product.
Database: SQLite on Render persistent disk, encrypted at the block-storage layer.
AI processing: Two US-based AI providers: Google (Gemini API) for reading drawing sheets, and Anthropic (Claude API) for the compliance analysis and as the vision fallback. We send extracted document text and rasterized drawing-sheet images.
Payments: Stripe (PCI DSS Level 1). Card data is entered on Stripe-hosted checkout and never touches our servers; we store only a payment reference.
DNS and edge: Cloudflare handles DNS and edge security. No document content passes through it.
Canadian-soil deployment: Available at Enterprise tier on request

These are our complete sub-processors today: Vercel (frontend hosting), Render (backend and database hosting), Anthropic and Google (AI processing), Stripe (payments), and Cloudflare (DNS and edge). We do not use any other third party to process your document content. If we add a sub-processor, this list is updated before the change takes effect.

For municipalities and BC public bodies: if your policy or your FIPPA / PIPEDA obligations require records to stay on Canadian soil, a Canadian-region deployment is available at the Enterprise tier. Talk to us at enterprise@vanpermitaudit.ca before subscribing, so we can confirm the arrangement in writing first.

How it is protected

Encryption in transit and at rest

In transit: TLS 1.3 on every connection: browser, API, and third-party services. HSTS enforced.
At rest (database): AES-256 encryption at the Render block-storage layer.
At rest (uploaded PDF): Never written to disk. Extracted to plaintext in memory, then discarded after the run.
Application-layer envelope encryption: In progress, target Q1 2027
Backups: Daily encrypted backup of the database. Restore procedure tested quarterly.
Passwords: bcrypt with a work factor of 12. Plaintext passwords are never stored or logged.

Your documents stay yours

We never train AI on your documents

Your permit text and drawing images are sent to our AI providers only to produce your compliance report, and for no other purpose. We do not use your documents to train, fine-tune, or improve any model. Each provider processes your inputs under its own commercial API terms, described below.

What we send: Extracted document text plus rasterized images of the drawing sheets. No account identity beyond the run.
Anthropic (Claude API): Used for the compliance analysis and as the vision fallback. Anthropic's commercial API terms state it does not train models on inputs or outputs submitted through the API.
Google (Gemini API): Used to read dimensions off drawing sheets. Inputs are processed under Google's paid Gemini API terms to generate your result; we do not use them for training.
Our own use: We do not build training datasets from your documents. Full stop.

Accountability

Audit trail

Every analysis run is logged so we can answer who did what and when, without keeping a second copy of your document content.

Per-run log: Each analysis records a run ID, timestamp, and outcome metadata in our database.
No document content: Audit logs hold request metadata only. We do not copy your drawings into the log.
Access events: Authentication and key account actions are recorded for security monitoring.
Retention: Audit and access logs are kept for 12 months, then purged.
On request: Enterprise customers can request an export of the audit trail for records under their account.

Privacy law

PIPEDA, FIPPA, and MFIPPA alignment

Different buyers fall under different privacy laws. Private firms in Canada are covered by PIPEDA. BC public bodies fall under FIPPA. Ontario municipalities fall under MFIPPA. We are aligning our practices to all three, and we are honest that this review is still in progress.

PIPEDA (federal, private sector): Review in progress
BC FIPPA (provincial public bodies): Residency option for in-scope buyers
Ontario MFIPPA (municipalities): Alignment in progress
Breach notification commitment: Notify the relevant privacy commissioner and affected individuals within 72 hours of confirming a reportable breach.
Data subject access and deletion: Email support@vanpermitaudit.ca. Personal data is deleted within 30 days, confirmed in writing.

The detailed retention schedule and your access rights are in the Privacy Policy. Note: MFIPPA applies to Ontario municipalities; BC local governments are governed by FIPPA. We point each buyer to the act that actually applies to them.

For your privacy office

Privacy Impact Assessment template

Many public bodies require a Privacy Impact Assessment (PIA) before adopting a new tool. To save your team the cold start, we publish a pre-filled PIA template that maps Van Permit Audit's data flows to the standard PIA sections. Your privacy office reviews and adapts it; we are not your legal advisor, and the template is a starting point, not a sign-off.

PIA template (Markdown)

Data flow, collection, use, disclosure, retention, and safeguards, pre-mapped to VPA.

Download template

Independent assurance

Our path to SOC 2

We are not SOC 2 certified yet, and we will not say we are. We are a small team building toward it on a real timeline. Here is the trajectory, stated as a plan and not a promise.

Security controls documented: In progress
Penetration testing: Scheduled Q3 2026
SOC 2 Type I: Target Q4 2026
SOC 2 Type II: Target Q2 2027
ISO 27001: Not currently planned

Engineering and infrastructure detail lives on the Security page, including hosting, access control, and responsible disclosure.

Vendor questionnaire

CAIQ-lite security summary

A short answer to the questions most vendor-risk questionnaires (CAIQ-lite, SIG-lite) ask, so your security team can pre-screen us before sending the full document. Every answer below reflects what is true today.

Encryption in transit: Yes. TLS 1.3 on every connection, HSTS enforced.
Encryption at rest: Yes. AES-256 at the database block-storage layer.
Data used to train AI: No. Documents are never used to train, fine-tune, or improve any model.
Sub-processors disclosed: Yes. Vercel, Render, Anthropic, Google, Stripe, Cloudflare (listed above).
MFA available: In progress, target Q3 2026
SSO / SAML: In progress, target Q4 2026
Role-based access control: Yes. Admin actions are gated server-side; users only see their own runs and their organization's data.
Audit logging: Yes. Per-run and access-event logging, retained 12 months, with no document content.
Backups and restore: Yes. Daily encrypted backups, restore tested quarterly.
Breach notification: Yes. Within 72 hours of confirming a reportable breach.
Independent audit (SOC 2): Not yet certified, Type I target Q4 2026
Penetration test: Scheduled Q3 2026
Data residency: US West today; Canadian-region deployment available at Enterprise tier on request.
Sub-processor change notice: Yes. The sub-processor list is updated before any new sub-processor begins processing data.

Reaching our security team

Security contact and responsible disclosure

For security questionnaires, a Data Processing Agreement, or to report a vulnerability, contact our security team directly. We acknowledge security reports within two business days and do not pursue legal action against good-faith research that stays within scope.

Security and vulnerability reports: security@vanpermitaudit.ca
Procurement, DPA, and questionnaires: enterprise@vanpermitaudit.ca
Acknowledgement target: Within two business days of a report.

Before you sign

Procurement and vendor review

If your process needs a vendor-risk assessment, an InfoSec questionnaire, a Data Processing Agreement, a completed PIA, or a Canadian-residency arrangement, reach out to enterprise@vanpermitaudit.ca before subscribing. We would rather answer the hard questions up front. Standard MSA and DPA templates are on the Legal & Agreements page so most reviews can run against those without a long back-and-forth.

