Security & Compliance.
We build fast — and we're just as straight about how we protect your data. Here's exactly where we stand, in plain language. No badges we haven't earned.
In Place
Encryption in Transit & at Rest
Every connection is served over TLS, and data is encrypted at rest by our infrastructure providers. No plaintext client data sits on a disk in the open.
Transparent Data Use
Where we use data from the systems we build to improve and expand our service and AI capabilities, it's set out plainly in your agreement — never hidden, and never exposing one client's confidential data to another.
Progressive Trust Model
Our proprietary approach to AI trust. Every system starts with a human approving consequential actions and earns broader autonomy only as it proves reliable over time — you stay in control throughout.
Vetted Subprocessors
Every third party that touches data is a reputable vendor carrying its own SOC 2 / ISO 27001 attestations. We inherit and pass through their security posture.
Role-Based Access & Least Privilege
Access to systems and client data is scoped to who needs it, for what, and nothing more. Credentials are rotated and secrets are never committed to code.
Published Privacy Policy & Terms
Our data practices are documented and public — see our Privacy Policy and Terms of Service, not buried in fine print.
Aligned With
PIPEDA
Canada's federal private-sector privacy law. We handle personal information under its principles — consent, purpose limitation, access, and accountability.
Alberta PIPA
Alberta's Personal Information Protection Act. As an Edmonton company serving Alberta businesses, we operate under provincial privacy rules.
CASL
Canada's Anti-Spam Legislation. The outreach and lead systems we build run on real consent, clear identification, and working unsubscribe — by default.
Working Toward
SOC 2 Type II
The recognized trust standard for software and service companies. We're building toward a Type II report — the independent audit of how we handle security over time.
ISO/IEC 42001
The international standard for responsible AI management systems. We're aligning our AI governance to it as the framework matures across the industry.
Formal DPA & Subprocessor Program
A standard Data Processing Agreement for clients, plus a formal process to notify you before any subprocessor changes.
“Working toward” means exactly that — active, honest efforts, not claimed certifications. We'll publish each report or certificate here the day it's issued, and not a day before.
How We Handle Your Data.
Set Out in Your Agreement
Every use of your data — including using it to improve and expand our service and AI capabilities — is defined in your contract, in plain language. No hidden uses, no surprises.
Foundation Models Don't Train on It
The third-party AI providers we build on (like Anthropic) don't train their models on data sent through their business APIs. Any improvement we do is ours, on our side, under your agreement.
You Own Your Systems
The systems we build run on your data, for your business. Ownership of your data stays with you, and we keep it confidential — never exposed to another client.
Who Touches Your Data.
These are our core subprocessors — third parties that may process or store data in the systems we build and run. It excludes our own back-office tools (accounting, e-signature, internal alerts), which don't handle your data on our behalf. The complete, current list for a specific engagement is available on request or under your Data Processing Agreement.
| Subprocessor | Purpose | Region | Category |
|---|---|---|---|
| Vercel | Website & application hosting, edge delivery | USA · global | Hosting |
| Cloudflare | Hosting, edge delivery & security for some builds | USA · global | Hosting |
| Neon | Application database (Postgres) | USA | Database |
| Supabase | Database & authentication for some builds | USA · EU | Database |
| Anthropic | AI assistant & generation (Claude) | USA | AI |
| OpenAI | Speech-to-text transcription for some builds | USA | AI |
| Twilio | SMS & voice messaging | USA | Messaging |
| SignalWire | SMS & voice messaging | USA | Messaging |
| Vapi | AI voice calls | USA | Messaging |
| Resend | Transactional & notification email | USA | |
| Stripe | Payment processing | USA · global | Payments |
| Cal.com | Call & meeting scheduling | USA · EU | Scheduling |
| Upstash | Rate limiting & abuse prevention | USA · global | Infrastructure |
Security questions
Need a DPA or a Security Review?
Ask us anything about how your data is handled, request a Data Processing Agreement, or send a vendor-security questionnaire. We'll answer straight.
Edmonton, Alberta · Updated July 2026