Security & Trust

How your permit documents are actually handled

Last updated: April 23, 2026

Van Permit Audit exists to read your architectural drawings and permit documents, files that often contain your name, your home address, and the financial structure of a construction project. That is a real trust ask. This page describes our current security posture honestly: what is built today, what is still on the compliance roadmap, and what questions to put to us before an enterprise procurement decision. Nothing here is aspirational marketing: if a control is not in place yet, it says so.


How your data moves through the service

1. Browser (HTTPS, TLS 1.3) → Vercel edge network

Static frontend only. Uploaded files pass through without inspection.

2. Vercel edge → Render backend (TLS 1.3)

Backend API authenticates, sanitizes input, enforces rate limits.

3. Uploaded PDF → pypdf text extraction (in memory)

The binary PDF is never written to persistent disk.

4. Extracted text → Anthropic Claude API (TLS)

Text only, no image bytes. Anthropic's API terms prohibit training on inputs.

5. Analysis result → SQLite on Render (encrypted disk)

Your report lives here. Purged on account deletion.

6. Certificate PDF → generated on-demand, served once, not cached at rest


Infrastructure and hosting

Frontend / CDN | Vercel: global edge network, 100+ points of presence
Backend API | Render: US West (Oregon). Canadian data residency at Enterprise tier on request.
Database | SQLite on Render persistent disk (AES-256 block-storage encryption)
AI processing | Anthropic API: US-based. Inputs not used for model training per Anthropic's API terms.
Payment processing | Stripe: PCI DSS Level 1. Card data never touches our servers.
DNS and edge security | Cloudflare: handles DNS, DDoS mitigation, and bot filtering at the edge.

Canadian data residency: the self-serve product currently runs in US West. If your firm's policy or PIPEDA obligations require Canadian-soil storage, contact enterprise@vanpermitaudit.com before subscribing. Canadian-only deployment is available at the Enterprise tier.

Data storage and retention

Uploaded PDFs | Never written to disk. Extracted to plaintext in memory and discarded after the analysis run.
Extracted project text | Stored in SQLite linked to your session / run ID for up to 90 days, then purged.
Analysis results | Stored in SQLite, accessible via your Permit Vault. Retained for the life of the account.
Generated certificates | Built on-demand from stored results. Not cached at rest.
Account data | Email, bcrypt-hashed password, profile. Retained until account deletion + 30-day grace.
Audit logs | Request metadata (no document content). Retained 12 months for security monitoring.
Account deletion | Email support@vanpermitaudit.ca: all personal data deleted within 30 days, confirmed in writing.

The full retention schedule, including CRA-mandated 7-year payment-record retention, is documented in the Privacy Policy.

Authentication and access control

Passwords | bcrypt with per-user salt. Plaintext passwords are never stored or logged.
Session tokens | JWT, 72-hour expiry, signed with HS256. Stored in browser localStorage.
API rate limiting | Per-IP slowapi rate limits on every endpoint; hard caps on upload and registration endpoints.
Input sanitization | All user-supplied text passes through bleach HTML sanitization before storage or use in prompts.
File validation | python-magic MIME-type check on every upload. Only application/pdf accepted.
Admin access | Admin endpoints gated by X-Admin-Key header. Admin credentials kept out of source control.
SSO / SAML | Not yet available. Roadmap: Q4 2026. Contact enterprise@vanpermitaudit.com for priority.
Multi-factor auth | Not yet available. Roadmap: Q3 2026.
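
An added example, not Van Permit Audit's own code, of verifying a session token of the kind the session-token row describes: the algorithm is pinned to HS256 instead of being read from the token header, the signature is compared in constant time, and lifetimes over 72 hours are rejected. The function names and the claim names (sub, iat, exp) are assumptions; only the Python standard library is used.

```python
import base64, hashlib, hmac, json

MAX_LIFETIME = 72 * 3600  # 72-hour expiry stated on this page

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def issue_token(sub: str, key: bytes, now: int) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": sub, "iat": now, "exp": now + MAX_LIFETIME}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    return signing_input + "." + b64url_encode(sign(signing_input, key))

def verify_token(token: str, key: bytes, now: int) -> dict:
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(body_b64))
        sig = b64url_decode(sig_b64)
    except ValueError as exc:  # bad base64, bad JSON, wrong segment count
        raise ValueError("malformed token") from exc
    # Pin the algorithm server-side; never let the token header choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # Constant-time comparison of the recomputed HMAC-SHA256 signature.
    if not hmac.compare_digest(sig, sign(f"{head_b64}.{body_b64}", key)):
        raise ValueError("bad signature")
    # Claims are trusted only from here on, after the signature check.
    iat = claims.get("iat") if isinstance(claims, dict) else None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(iat, int) or not isinstance(exp, int):
        raise ValueError("missing iat/exp")
    if now >= exp:
        raise ValueError("expired")
    if exp - iat > MAX_LIFETIME:
        raise ValueError("lifetime exceeds 72 hours")
    return claims
```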

Encryption

In transit | TLS 1.3 on all frontend, API, and third-party connections. HSTS enforced.
At rest (SQLite) | Render persistent disk encryption (AES-256) at the block-storage layer.
At rest (application) | No additional application-layer envelope encryption at present (roadmap: Q1 2027).
Backups | Daily SQLite backup to encrypted storage; restore procedure tested quarterly.
Password hashing | bcrypt with a work factor of 12. Upgraded in place on login if the factor ever changes.
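
An added example, not Van Permit Audit's own code, of the "upgraded in place on login" step in the password-hashing row: the cost is read from the stored bcrypt string, and the password is re-hashed at the current work factor only after it has verified. The function names and the save_hash callback are hypothetical; the login path assumes the third-party bcrypt package is installed.

```python
import re

TARGET_COST = 12  # work factor stated on this page

# bcrypt modular-crypt string: $2b$<cost>$ + 22-char salt + 31-char digest
_BCRYPT_RE = re.compile(r"^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}$")

def bcrypt_cost(stored_hash: str) -> int:
    """Return the work factor embedded in a stored bcrypt hash."""
    match = _BCRYPT_RE.match(stored_hash)
    if not match:
        raise ValueError("not a bcrypt hash")
    return int(match.group(1))

def needs_upgrade(stored_hash: str, target: int = TARGET_COST) -> bool:
    # "If the factor ever changes": any mismatch with the current target.
    return bcrypt_cost(stored_hash) != target

def login(password: str, stored_hash: str, save_hash) -> bool:
    """Verify a password; on success, re-hash it if the stored cost is stale.

    save_hash is a hypothetical callback that persists the new hash string.
    """
    import bcrypt  # third-party package, imported here so the helpers
                   # above stay usable without it
    pw = password.encode("utf-8")
    if not bcrypt.checkpw(pw, stored_hash.encode("ascii")):
        return False  # never re-hash on a failed verification
    if needs_upgrade(stored_hash):
        # The plaintext is only available at login, which is why the
        # upgrade happens here and not in a batch job.
        new_hash = bcrypt.hashpw(pw, bcrypt.gensalt(rounds=TARGET_COST))
        save_hash(new_hash.decode("ascii"))
    return True
```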

Compliance roadmap

We are a small team and we are being transparent rather than aspirational. This is our current compliance trajectory, not a marketing promise.

SOC 2 Type I | Target Q4 2026
SOC 2 Type II | Target Q2 2027
PIPEDA compliance review | In progress, legal review underway
Canadian data residency | Available at Enterprise tier on request
ISO 27001 | Not currently planned
Penetration testing | Scheduled Q3 2026
Multi-factor authentication | Target Q3 2026
SSO / SAML for Enterprise | Target Q4 2026

Responsible disclosure

If you discover a security vulnerability in Van Permit Audit, please email security@vanpermitaudit.com with a description of the issue, steps to reproduce, and any proof of concept. We acknowledge within two business days and aim to resolve critical issues within seven days of confirmation. We do not currently run a bug-bounty program, but we publicly credit researchers who disclose responsibly, unless you prefer anonymity. We do not take legal action against good-faith security research that stays within the scope of the disclosure policy.

Breach notification

Under PIPEDA's mandatory breach-reporting regulations, any breach of security safeguards involving personal information that poses a real risk of significant harm to individuals must be reported to the Office of the Privacy Commissioner of Canada and to affected individuals. Our internal commitment is notification within 72 hours of becoming aware of such a breach. Notifications include the facts of the breach, the approximate number of affected users, the likely consequences, the mitigation steps taken, and the contact point for follow-up questions.

Common questions before you buy

If your procurement process requires a vendor-risk assessment, an InfoSec questionnaire, a Data Processing Agreement (DPA), or a custom Master Service Agreement (MSA), contact enterprise@vanpermitaudit.com before subscribing. We would rather answer hard questions upfront than lose your trust later. Our standard MSA and DPA templates are published on the Legal & Agreements page: most procurement reviews can be completed against those templates without a back-and-forth.

