🇨🇦 Canada-Resident • PIPEDA Compliant

Your Data Never Leaves Canada

All infrastructure — authentication, PII scanning, encryption keys, audit logs — operates exclusively in Montreal. Personal data is pseudonymized before crossing the border.

🔄 Bidirectional PII Pseudonymization

Sensitive personal information (SIN, email, phone, address) is automatically detected and replaced with semantic placeholders before your data leaves Canada. AI providers never see your real PII — only [PERSON_1], [EMAIL_1]. Responses are automatically restored with original values.

[Diagram: PII data flow. Components as labelled: You (with PII); TLS 1.3; Montreal (GCP northamerica-northeast1); GCP DLP Scan (7 Canadian infoTypes); AES-256-SIV Encryption (Deterministic Cryptography); [PERSON_1] Semantic Placeholder; KMS Montreal (Key Never Leaves); Audit Log (GCS Montreal, 400d retention, PII-Free); AI Provider (Scrubbed Prompt); Response (PII Restored).]

🛡️ Key Guarantee

• PII scrubbed BEFORE leaving Canada
• KMS keys never leave Montreal
• Semantic [PERSON_1] → LLM context
• Original PII restored in response
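An added sketch (not AIOrouter's code) of the scrub-and-restore round trip described above. It assumes regex detectors in place of GCP DLP and an in-memory map in place of AES-256-SIV and KMS, and it omits name detection ([PERSON_n]); all class and function names are hypothetical.

```python
import re

# Constructed stand-in detectors; the service described above uses GCP DLP.
PII = re.compile(
    r"(?P<EMAIL>[\w.+-]+@[\w-]+(?:\.[\w-]+)+)"
    r"|(?P<PHONE>\b\d{3}[-. ]\d{3}[-. ]\d{4}\b)"
    r"|(?P<SIN>\b\d{3}[- ]?\d{3}[- ]?\d{3}\b)"
)
TAG = re.compile(r"\[(?:EMAIL|PHONE|SIN)_\d+\]")

def luhn_ok(digits: str) -> bool:
    """Canadian SINs carry a Luhn check digit; use it to cut false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

class Pseudonymizer:
    """Per-request map; it stays local and is never sent with the prompt."""
    def __init__(self):
        self.forward, self.reverse, self.counts = {}, {}, {}

    def scrub(self, text: str) -> str:
        def repl(m):
            kind, value = m.lastgroup, m.group()
            if kind == "SIN" and not luhn_ok(re.sub(r"\D", "", value)):
                return value  # nine digits that are not a valid SIN
            key = (kind, value.lower())
            if key not in self.forward:  # same value -> same placeholder
                self.counts[kind] = self.counts.get(kind, 0) + 1
                tag = f"[{kind}_{self.counts[kind]}]"
                self.forward[key], self.reverse[tag] = tag, value
            return self.forward[key]
        return PII.sub(repl, text)

    def restore(self, text: str) -> str:
        # Placeholders the model invented are unknown to the map: leave them.
        return TAG.sub(lambda m: self.reverse.get(m.group(), m.group()), text)

if __name__ == "__main__":
    p = Pseudonymizer()
    prompt = ("Reach me at alice@example.ca or 514-555-0142. "  # constructed
              "SIN 046 454 286; order 123 456 789. Cc alice@example.ca.")
    print(p.scrub(prompt))
    print(p.restore("Wrote to [EMAIL_1] and [EMAIL_7]."))
```

The placeholder map is as sensitive as the PII it replaces, so it belongs on the same side of the boundary as the original data and out of any log.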

🏗️ Data Residency Architecture

AIOrouter maintains a 100% Canada-resident architecture for all personal data. Here's how our approach compares to common industry architectures:

| Dimension | 🇨🇦 AIOrouter | Common Practice | Why It Matters |
|---|---|---|---|
| User Account Data | Cloud SQL — Montreal only | May be distributed globally | Account data stays in Canadian jurisdiction |
| Authentication | Auth Enclave — Montreal only | May route through US identity provider | No third-party identity disclosure |
| PII Scanning | GCP DLP — Montreal Region | May use DLP outside Canada | PII scanned before leaving Canada |
| Encryption Keys | KMS — Montreal only | May be hosted on non-Canadian KMS | Keys never leave Canadian jurisdiction |
| Audit Logs | GCS Montreal (Versioning + 400d retention; CMEK/Bucket Lock on Enterprise) | May replicate internationally | Audit trail protected by PIPEDA |
| Outbound AI Prompts | PII Scrubbed BEFORE departure | Scrubbing may occur in US data center | Zero PII leaves Canada — scrubbing is local |

* Industry descriptions are based on common architectural patterns, not any specific competitor.

✅ PIPEDA Compliance — 10 Principles

| Principle | AIOrouter Implementation |
|---|---|
| 1. Accountability | Founder designated Privacy Officer — privacy@aiorouter.ca |
| 2. Identifying Purposes | Limited collection — API, billing, security, compliance |
| 3. Consent | Versioned consent with withdrawal — Law 25 defaults OFF |
| 4. Limiting Collection | Only essential data — Zero prompt retention |
| 5. Use/Disclosure/Retention | Zero prompt retention — PII scrubbed before leaving Canada |
| 6. Accuracy | Self-service export; unified token counter |
| 7. Safeguards | TLS 1.3 + WAF + AI Firewall + PII Pseudonymization + CMEK + MFA |
| 8. Openness | Bilingual policy + PII data flow in PIA + X-Automated-Decision header |
| 9. Individual Access | Self-service DSAR — Export/Deletion — 30-day SLA |
| 10. Challenging Compliance | privacy@aiorouter.ca + OPC complaint right |

📋 ISED Voluntary Code of Conduct Alignment

AIOrouter aligns with all six principles of ISED's Voluntary Code of Conduct on Generative AI:

| ISED Principle | AIOrouter Control |
|---|---|
| 1. Safety — Risk assessment & mitigation | AI Firewall (21 rules) + Budget Circuit Breaker + WAF OWASP |
| 2. Fairness & Equity — Bias monitoring | Uniform routing — no profiling-based pricing |
| 3. Transparency — AI use disclosure | PII data flow + X-Automated-Decision header + Disclosed sub-processors |
| 4. Human Oversight — Human supervision | Founder approval gates + AINA escalation + Breach notification |
| 5. Accountability — Documentation & audit trail | Full PIA + Quarterly compliance reports + Immutable GCS logs |
| 6. Validity & Reliability — System reliability | Health check (15min) + Fallback chain + Public status page |

📧 Questions?

Contact our Privacy Officer: privacy@aiorouter.ca
