Security
PermitPilot handles sensitive project documents, applicant information, and regulatory correspondence. Here is how we protect your data.
Tenant isolation
Every organization's data is stored in isolated rows with enforced row-level security policies. No cross-tenant data leakage is architecturally possible at the database layer.
Encryption at rest and in transit
All data is encrypted at rest using AES-256. All connections use TLS 1.2+ in transit. Document storage uses server-side encryption with per-tenant key isolation.
Audit logs
Every action on a project, document, submission, or user account is logged with timestamp, actor, and IP address. Audit logs are append-only and immutable.
Human approval for critical actions
Declarations, final submission packs, and applicant identity decisions require explicit human confirmation. PermitPilot never auto-submits to City portals on your behalf.
No silent AI decisions
AI-assisted outputs (document classification, requirement extraction, content summarization) are stored with prompt, model, and schema validation results. Low-confidence AI items are flagged for human review before use.
Data portability and deletion
You can export your project data at any time. On account closure, all project data and documents are deleted within 30 days. Reach out to support for an expedited deletion request.
Compliance posture
SOC 2 Type II (in progress)
We are working toward SOC 2 Type II certification. Our controls program covers security, availability, and confidentiality.
PIPEDA-aligned practices
We handle personal information in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA). Your data is stored in Canada.
Canadian data residency
All data is stored in Canadian cloud regions. We do not transfer personal data outside Canada for processing.
Citation transparency
Every requirement shown in PermitPilot cites the official source it came from: City of Calgary bylaws, Alberta Building Code sections, AHS regulations, or other authoritative documents. We do not present AI-generated content as authoritative without a citation.
PermitPilot provides source-cited workflow assistance. Final approvals remain subject to City of Calgary review. Municipal requirements can change — always verify critical details against current official sources.
Security contact
To report a security vulnerability or make a data deletion request, contact us at security@permitpilot.com. We respond to security reports within one business day.