Privacy Impact Assessment (PIA) — AIOrouter

Template: Office of the Privacy Commissioner of Canada (OPC) PIA Template
Generated By: P1-W3-005 (AIRO)
Date: 2026-05-03
Version: 1.1.0
Status: Draft for Founder Review — Auth Enclave Residency Repair
Review Schedule: Annual review, or upon material changes to data handling


1. Project Overview

1.1 Project Description

AIOrouter is a Canadian intermediary API proxy service that routes AI API requests from developers to Chinese and Western AI model providers. It provides:

1.2 Data Flow Summary

Developer → HTTPS (TLS 1.3) → Montreal GCP (Cloud Run)
    → API Gateway (auth, rate limit)
    → Security Layer (AI Firewall + PII Scrubber)
    → Model Router (provider selection)
    → Chinese/Western AI API (outbound TLS 1.3)
    → Response back to Developer

Key data sovereignty (V2.20.0 precision wording — see P2-W7a-PIA-PATCH): All default infrastructure (Cloud Run, Cloud SQL, Redis, GCS, KMS, audit logs, and the AIOrouter Auth Enclave account-auth stores) resides in northamerica-northeast1 (Montreal, Canada). Your raw personal data — including names, emails, phone numbers, addresses, technical secrets, and any PII patterns we detect — never leaves Canadian jurisdiction.

When your request requires an outbound call to an AI provider, our Bidirectional Pseudonymization Engine (src/security/bidirectional-pii.ts) replaces every detected piece of personal data with an irreversible pseudonym ([PERSON_NAME_1], etc.) and our Content Privacy Gateway (src/security/content-privacy-gateway.ts) replaces every detected technical secret with an authenticated, deterministically-encrypted token. The provider receives only pseudonyms and ciphertext; the mapping that could re-identify them is stored exclusively in Canadian-resident KMS-locked storage (pii-surrogate-key in northamerica-northeast1) and is never transmitted outside Canada.

Under GDPR Article 4(5) and EDPB Recommendations 01/2020 (post-Schrems II), pseudonymized data is still considered personal data. AIOrouter does not claim that the cross-border transfer is exempt from privacy law. We claim — and demonstrate via the P2-W7a-PII-VERIFY wire-verification suite — that the data crossing the border is irreversibly pseudonymized at the source, and that no party outside Canadian jurisdiction (including the AI providers, their hosting providers, or any intermediate network) ever holds the information required to re-identify it.
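The request-side flow described above, as an added illustration that is not the project's own src/security/bidirectional-pii.ts: detected PII is swapped for numbered placeholders, the placeholder-to-original mapping is a per-request in-process object that never accompanies the provider call, and the only thing written toward the audit trail is the boolean-plus-type-names scan result. The three regex detectors and the sample prompt are constructed stand-ins for the GCP DLP detection the engine actually uses.

```typescript
// Added example (hypothetical), not src/security/bidirectional-pii.ts.
type PiiType = "EMAIL_ADDRESS" | "PHONE_NUMBER" | "CA_SOCIAL_INSURANCE_NUMBER";

// Constructed regex detectors standing in for GCP DLP + regex fallback.
const DETECTORS: Array<[PiiType, RegExp]> = [
  ["EMAIL_ADDRESS", /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g],
  ["CA_SOCIAL_INSURANCE_NUMBER", /\b\d{3}[- ]\d{3}[- ]\d{3}\b/g],
  ["PHONE_NUMBER", /\b(?:\+1[ -]?)?\(?\d{3}\)?[ -]?\d{3}[ -]\d{4}\b/g],
];

interface Pseudonymized {
  text: string;                  // what crosses the border: placeholders only
  mapping: Map<string, string>;  // placeholder -> original; stays in-process, in Canada
  scan: { piiFound: boolean; types: PiiType[] }; // audit-safe: type names, no values
}

function pseudonymize(prompt: string): Pseudonymized {
  const mapping = new Map<string, string>();
  const seen = new Map<string, string>();   // original -> placeholder
  const counters = new Map<PiiType, number>();
  let text = prompt;
  for (const [type, re] of DETECTORS) {
    text = text.replace(re, (match) => {
      let tag = seen.get(match);            // repeated value -> same placeholder
      if (!tag) {
        const n = (counters.get(type) ?? 0) + 1;
        counters.set(type, n);
        tag = `[${type}_${n}]`;
        seen.set(match, tag);
        mapping.set(tag, match);
      }
      return tag;
    });
  }
  const types = Array.from(counters.keys());
  return { text, mapping, scan: { piiFound: types.length > 0, types } };
}

// Restore placeholders in the provider's reply from the locally held mapping.
// Tags with no mapping entry are left untouched.
function depseudonymize(reply: string, mapping: Map<string, string>): string {
  return reply.replace(/\[[A-Z_]+_\d+\]/g, (tag) => mapping.get(tag) ?? tag);
}

// Constructed sample input (fictitious values).
const SAMPLE_PROMPT =
  "Contact Marie at marie.tremblay@example.ca or 514-555-0199; SIN 046-454-286. Also marie.tremblay@example.ca.";
```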

Optional OAuth or enterprise SSO may involve a third-party identity provider only with customer opt-in and disclosure.


2. Personal Information Inventory

2.1 Data Collected

| Data Element | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Email address | Account identification, billing communication, breach notification | Consent (signup) + Contractual necessity | Until account deletion + 30 days grace |
| API key (SHA-256 lookup hash only) | Authentication for API access | Contractual necessity | Until key revocation |
| Local account identifier | Dashboard authentication through the Canada-resident Auth Enclave | Consent + Contractual necessity | Until account deletion |
| Password hash (if password fallback is enabled — never plaintext) | Local account authentication fallback | Contractual necessity | Until account deletion or password reset |
| Passkey/WebAuthn credential public keys | Passkey-first dashboard authentication | Consent + Contractual necessity | Until credential removal or account deletion |
| TOTP secret (encrypted) and recovery-code hashes | Multi-factor authentication and account recovery | Consent + Contractual necessity | Until replacement, use, or account deletion |
| Usage records (model, tokens, timestamp, cost) | Billing, audit, user dashboard | Contractual necessity + CRA compliance | 7 years (CRA requirement) |
| Billing transactions (Stripe payment records) | Payment processing, tax compliance | Contractual necessity + CRA compliance | 7 years |
| IP address (API key usage) | Security (geo-anomaly detection), audit | Legitimate interest (security) | 90 days (with audit logs) |
| Prompt content (in-memory only) | API routing — forwarded to provider | Consent | ZERO — never stored, never logged |
| PII scan results (boolean + type names, no values) | Compliance audit | Legal obligation (PIPEDA) | 90 days (in GCS audit logs) |
| Consent records (scope, version, timestamp) | PIPEDA consent compliance | Legal obligation (PIPEDA) | Until account deletion |
| DSAR requests (request type, status, SLA) | PIPEDA Principle 9 compliance | Legal obligation (PIPEDA) | 1 year after completion |

2.2 Data NOT Collected


3. Data Flow Analysis

3.1 The 16 Security Control Points

Referenced from docs/security-architecture.md §3. All data flows pass through these control points:

| CP | Control | PIPEDA Principle | Status |
|---|---|---|---|
| CP-1 | Cloud Armor WAF | 7. Safeguards | ✅ Implemented (P1-W1-006) |
| CP-2 | TLS termination (1.3) | 7. Safeguards | ✅ Implemented |
| CP-3 | API key authentication | 7. Safeguards | ✅ Implemented (P1-W2-001) |
| CP-4 | Rate limiting | 7. Safeguards | ✅ Implemented (P1-W2-001) |
| CP-5 | AI Firewall (prompt injection) | 7. Safeguards | ✅ Implemented (P1-W3-003) |
| CP-6 | PII Scrubber (GCP DLP) | 7. Safeguards | ✅ Implemented (P1-W3-003) |
| CP-7 | Semantic Cache | 7. Safeguards | ⏳ P1-W4-001 |
| CP-8 | Model Router | N/A (operational) | ⏳ P1-W4-004 |
| CP-9 | Provider adapter (outbound TLS) | 7. Safeguards | ✅ Implemented |
| CP-10 | Response sanitization | 7. Safeguards | ✅ Implemented (P1-W3-003) |
| CP-11 | Budget Circuit Breaker | N/A (financial) | ⏳ P1-W4-002 |
| CP-12 | Audit trail logging | 5. Retention limits | ✅ Implemented (P1-W3-003) |
| CP-13 | PII re-scan on response | 7. Safeguards | ✅ Implemented (P1-W3-003) |
| CP-14 | Log sanitization | 7. Safeguards | ✅ Implemented (P1-W2-001) |
| CP-15 | Webhook HMAC verification | 7. Safeguards | ⏳ P2-W5-003 |
| CP-16 | GCS immutable audit storage | 7. Safeguards | ✅ Implemented (P1-W3-003) |

3.2 Data Residency

All data at rest resides in GCP northamerica-northeast1 (Montreal, Quebec, Canada):


4. Risk Assessment — PIPEDA 10 Principles

| # | Principle | Risk | Likelihood | Impact | Mitigation | Residual Risk |
|---|---|---|---|---|---|---|
| 1 | Accountability | Privacy officer not clearly designated | Low | Medium | Founder designated as Privacy Officer in privacy policy; privacy@aiorouter.ca published | Low |
| 2 | Identifying Purposes | Purpose creep — data used beyond stated purposes | Low | High | Data collection limited to schema-defined fields; no analytics/tracking infrastructure | Low |
| 3 | Consent | User not properly consented before data collection | Low | High | Consent checkbox at signup; consent records stored in consent_records table; re-consent on policy changes | Low |
| 4 | Limiting Collection | Over-collection of PII | Low | Medium | Schema audit shows no unnecessary PII columns; PII Scrubber prevents prompt PII persistence | Low |
| 5 | Use/Disclosure/Retention | Prompt content retained beyond processing | Medium | High | Technical zero-retention enforcement; prompt only in memory; no prompt column in DB; no prompt in logs | Very Low |
| 6 | Accuracy | Billing errors from incorrect usage records | Low | Medium | Usage records use AIOrouter's unified token counter; discrepancy alerts for provider-vs-AIOrouter token counts >10% | Low |
| 7 | Safeguards | Data breach via API vulnerability | Medium | High | Multi-layer security: WAF → auth → rate limit → firewall → PII scrubber → audit; breach notification pipeline active | Low |
| 8 | Openness | Privacy policy unclear or inaccessible | Low | Medium | Bilingual (EN/FR) privacy policy with data flow diagram; privacy@aiorouter.ca contact published | Low |
| 9 | Individual Access | DSAR not fulfilled within 30-day SLA | Medium | Medium | Automated DSAR handler with SLA tracking + alerts; self-service data export; account deletion with 30-day grace | Low |
| 10 | Challenging Compliance | No clear complaint mechanism | Low | Low | privacy@aiorouter.ca published; OPC complaint right disclosed in privacy policy | Very Low |

5. Law 25 (Quebec) Additional Controls

| Law 25 Requirement | AIOrouter Implementation | Status |
|---|---|---|
| §9.1 Default Privacy | All optional data collection OFF by default. Marketing and third-party sharing default to false. Only data_processing is mandatory. | ✅ Implemented (P1-W3-005) |
| §12.1 Automated Decision Transparency | X-Automated-Decision response header explains routing decisions in plain language. Full explanation available via GET /privacy/consent. | ✅ Implemented (P1-W3-005) |
| Right to Data Portability | DSAR export includes all user data in machine-readable JSON format. Covered by GET /privacy/my-data. | ✅ Implemented (P1-W3-005) |
| Right to De-indexation | Account deletion anonymizes user record and removes from active systems. Covered by DELETE /privacy/my-data. | ✅ Implemented (P1-W3-005) |
| PIA Mandatory | This document serves as the mandatory PIA. Annual review scheduled. | ✅ This document |
| Breach Notification (72h) | Automated breach detection + OPC report generation + Founder notification pipeline. | ✅ Implemented (P1-W3-005) |
| Privacy Officer | Founder (Taya Chu) designated as Privacy Officer. Contact: privacy@aiorouter.ca. | |
| Biometric Data | AIOrouter does not collect or process biometric data. | ✅ N/A |

6. Compliance Evidence

| Evidence | Location | Description |
|---|---|---|
| Privacy Policy | docs/legal/privacy-policy.md (P2-W7-008) | Bilingual privacy policy with data flow explanation |
| Terms of Service | docs/legal/terms-of-service.md (P2-W7-008) | Acceptable use, liability, governing law |
| Security Architecture | docs/security-architecture.md | Threat model, PIPEDA mapping, 16 control points |
| Breach Notification Config | src/config/security-breach-notification.json | Detection thresholds, OPC report format, retention |
| PII Scrubber | src/security/pii-scrubber.ts | GCP DLP + regex fallback for 7 Canadian infoTypes |
| AI Firewall | src/security/ai-firewall.ts | 22 rules across 5 categories |
| Audit Trail | src/security/audit-trail.ts | GCS immutable JSON Lines, PII-safe fields |
| Consent Manager | src/security/consent-manager.ts | Versioned consent, Law 25 defaults, re-consent |
| DSAR Handler | src/security/dsar-handler.ts | Self-service export, deletion, SLA tracking |
| Breach Notification | src/security/breach-notification.ts | Detection, OPC reports, multi-channel notification |
| DPA Template | docs/legal/dpa-template.md | Enterprise DPA with PIPEDA + Law 25 terms |

7. Residual Risks

| Risk | Accepted By | Mitigation Plan |
|---|---|---|
| Chinese API providers may log prompts server-side (outside Canadian jurisdiction) | Founder | Disclosed in Privacy Policy data flow section. Users are informed that prompts are forwarded to Chinese APIs where local privacy laws apply. Provider receives only irreversible pseudonyms + ciphertext (V2.11.0+); no raw PII. |
| False negatives in PII detection (PII not caught by regex or DLP) | Founder | GCP DLP with LIKELY threshold provides industry-standard detection. Additional manual audit recommended for regulated-industry users (Compliance-as-a-Service add-on, Phase 3). |
| Data breach at Chinese provider (AIOrouter cannot control provider security) | Founder | Provider security evaluated in ToS review (P0-W0-002). Formal partnership with breach notification commitments pursued (P1-W3-007). |
| GCP infrastructure breach at Montreal data center | Founder | GCP SOC 2 + ISO 27001 certified. CMEK encryption at rest. Breach notification pipeline covers this scenario. |
| LLM paraphrase-based linkage attack (provider's training prior reproduces pinyin / phonetic variants of pseudonymized names — EDPB 01/2020 §85) | Founder | P2-W7-016d Inference-Leak Rescan (src/security/inference-leak-scanner.ts) audits every response for paraphrase/translit/digit-sequence leakage of original PII; opt-in replace mode for legal-tier customers. Fundamental limit of LLM-mediated paraphrase documented; sophisticated semantic paraphrase ("Mr. W.") accepted as residual. |
| Streaming response boundary leak (a placeholder split across SSE chunks could surface partial template tags to clients) | Founder | P2-W7-016c Streaming Depseudonymizer (src/security/streaming-depseudonymizer.ts) buffers partial placeholders with bounded ring buffer; fail-open audit on overflow. |
| Provider error response echoes internal markers (placeholders / ciphertext / surrogate tokens leaked back to end user) | Founder | P2-W7-016f Provider Error Response Sanitizer (src/security/error-response-sanitizer.ts) redacts internal markers from HTTP error bodies before they reach the client. |
| Tool-integration code bypasses gateway (a future contributor adds a tool whose output reaches LLM context without sanitisation) | Founder | P2-W7-016e Taint-Typed Tool Boundary (src/security/taint.ts) provides compile-time Tainted<T> vs LlmSafe<T> brands; escape hatch asLlmSafe() requires justification and emits audit event. Full call-site refactor scheduled for P3-M3-007. |
| Memory-resident token map exposure (a malicious actor with Cloud Run process access could read the live token map) | Founder | Accepted residual. Mitigation roadmap: P4-M12-CC-001 Sovereign Confidential Computing Tier (AMD SEV-SNP / GCP Confidential Space — token map never leaves enclave). |
| Metadata side-channel (provider may infer client identity from token counts, request timing, or TLS fingerprints even with pseudonymized payload) | Founder | Accepted residual. Mitigation roadmap: P2-W7a-HARDEN-001 Metadata Side-Channel Hardening. |
| Multimodal PII (image/audio inputs not yet covered by pseudonymization engine) | Founder | Currently AIOrouter does not accept image/audio inputs. Mitigation when scope expands: P3-M3-008-MM Multimodal PII Redaction. |
| Audit-log region drift (a future Terraform change or manual gcloud accidentally provisions audit storage outside northamerica-northeast1 / -northeast2) | Founder | P2-W7a-GAP-009 Audit-Log Region Pin (V2.20.0 — 2026-05-12, BETA-ready): (1) Terraform validation block on var.gcp_region rejects non-Canadian regions at plan-time. (2) tooling/check-canadian-residency.mjs wired into npm run ops:validate step 5 fails CI on any non-Canadian region/location/KMS-path (12 tests, all passing). (3) Live in gcp-aiorouter project as of 2026-05-12: regional Cloud Logging bucket audit-mtl (northamerica-northeast1, 400-day retention) + GCS audit-archive bucket gs://gcp-aiorouter-audit-logs-mtl/ (UBLA, public-access-prevention, versioning, 400-day retention) + project-level sink audit-mtl-sink routing all operational logs to Montreal + _Default sink disabled + _Default bucket retention shrunk to 1 day. (4) Only Google-internal _Required admin-activity audit logs remain in global — this is a GCP platform constraint applicable to every GCP customer, not an AIOrouter-specific gap. (5) Project-level gcp.resourceLocations Org Policy is the residual gap — blocked by a one-time prerequisite: this project must be migrated under a Google Cloud Organization (Cloud Identity / Workspace on aiorouter.ca). Documented in docs/security-architecture.md §9.7.5. |
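The streaming boundary leak listed above, as an added illustration that is not the project's own src/security/streaming-depseudonymizer.ts: a placeholder such as [PERSON_NAME_1] can straddle two SSE chunks, so an unterminated "[..." tail is held back (up to a constructed bound, MAX_HOLD) until the next chunk completes or disproves it, and an over-long tail is released fail-open with an audit counter rather than stalling the stream. The mapping and chunks are constructed sample data.

```typescript
// Added example (hypothetical), not src/security/streaming-depseudonymizer.ts.
const MAX_HOLD = 64; // longest "[..." tail held back; anything longer is not a placeholder

interface StreamState {
  held: string;           // unterminated candidate tail carried from the previous chunk
  overflowEvents: number; // fail-open releases; the real component emits audit events here
}

function newStreamState(): StreamState {
  return { held: "", overflowEvents: 0 };
}

// Process one SSE chunk and return the text that may be forwarded to the client now.
function feedChunk(state: StreamState, chunk: string, mapping: Map<string, string>): string {
  let buf = state.held + chunk;
  buf = buf.replace(/\[[A-Z_]+_\d+\]/g, (tag) => mapping.get(tag) ?? tag); // complete tags
  state.held = "";
  const open = buf.lastIndexOf("[");
  if (open === -1 || buf.indexOf("]", open) !== -1) return buf; // no dangling bracket
  const tail = buf.slice(open);
  if (!/^\[[A-Z0-9_]*$/.test(tail)) return buf;   // can never become a placeholder
  if (tail.length > MAX_HOLD) {
    state.overflowEvents++;                         // fail-open: forward as-is, audit it
    return buf;
  }
  state.held = tail;                                // wait for the rest of the tag
  return buf.slice(0, open);
}

// End of stream: whatever is still held is released unchanged.
function flushStream(state: StreamState): string {
  const rest = state.held;
  state.held = "";
  return rest;
}

// Driver: per-chunk forwarded output, with the final flush as the last element.
function streamThrough(chunks: string[], mapping: Map<string, string>): string[] {
  const state = newStreamState();
  const out = chunks.map((c) => feedChunk(state, c, mapping));
  out.push(flushStream(state));
  return out;
}

// Constructed sample: both placeholders are split across a chunk boundary.
const SAMPLE_MAPPING = new Map([["[PERSON_NAME_1]", "Marie Tremblay"], ["[EMAIL_ADDRESS_1]", "marie@example.ca"]]);
const SAMPLE_CHUNKS = ["Bonjour [PERSON_N", "AME_1], your order from [EMAIL_ADD", "RESS_1] is ready."];
```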

8. PIA Review Schedule

| Trigger | Action |
|---|---|
| Annual review | Full PIA review by Privacy Officer before May 2027 |
| New data collection | Update §2 Personal Information Inventory within 30 days |
| New third-party data processor | Add to §11 Third-Party Integration Security in security-architecture.md |
| Breach event (P0) | Post-incident PIA review within 14 days |
| Privacy policy material change | PIA amendment within 30 days |

Next Review: May 2027 — or upon first P0 breach event, whichever comes first.
Privacy Officer: Taya Chu — privacy@aiorouter.ca