Security & Trust
How your permit documents are actually handled
Last updated: April 23, 2026
Van Permit Audit exists to read your architectural drawings and permit documents, files that often contain your name, your home address, and the financial structure of a construction project. That is a real trust ask. This page describes our current security posture honestly: what is built today, what is still on the compliance roadmap, and what questions to put to us before an enterprise procurement decision. Nothing here is aspirational marketing: if a control is not in place yet, it says so.
How your data moves through the service
1. Browser (HTTPS, TLS 1.3) → Vercel edge network
Static frontend only. Uploaded files pass through without inspection.
2. Vercel edge → Render backend (TLS 1.3)
Backend API authenticates, sanitizes input, enforces rate limits.
3. Uploaded PDF → pypdf text extraction (in memory)
The binary PDF is never written to persistent disk.
4. Extracted text → Anthropic Claude API (TLS)
Text only, no image bytes. Anthropic's API terms prohibit training on inputs.
5. Analysis result → SQLite on Render (encrypted disk)
Your report lives here. Purged on account deletion.
6. Certificate PDF → generated on-demand, served once, not cached at rest
Infrastructure and hosting
Canadian data residency: the self-serve product currently runs in US West. If your firm's policy or PIPEDA obligations require Canadian-soil storage, contact enterprise@vanpermitaudit.com before subscribing. Canadian-only deployment is available at the Enterprise tier.
Data storage and retention
The full retention schedule, including CRA-mandated 7-year payment-record retention, is documented in the Privacy Policy.
Authentication and access control
Encryption
Compliance roadmap
We are a small team and we are being transparent rather than aspirational. This is our current compliance trajectory, not a marketing promise.
Responsible disclosure
If you discover a security vulnerability in Van Permit Audit, please email security@vanpermitaudit.com with a description of the issue, steps to reproduce, and any proof of concept. We acknowledge within two business days and aim to resolve critical issues within seven days of confirmation. We do not currently run a bug-bounty program, but we publicly credit researchers who disclose responsibly, unless you prefer anonymity. We do not take legal action against good-faith security research that stays within the scope of the disclosure policy.
Breach notification
Under PIPEDA's mandatory breach-reporting regulations, any breach of security safeguards involving personal information that poses a real risk of significant harm to individuals must be reported to the Office of the Privacy Commissioner of Canada and to affected individuals. Our internal commitment is notification within 72 hours of becoming aware of such a breach. Notifications include the facts of the breach, the approximate number of affected users, the likely consequences, the mitigation steps taken, and the contact point for follow-up questions.
Common questions before you buy
If your procurement process requires a vendor-risk assessment, an InfoSec questionnaire, a Data Processing Agreement (DPA), or a custom Master Service Agreement (MSA), contact enterprise@vanpermitaudit.com before subscribing. We would rather answer hard questions upfront than lose your trust later. Our standard MSA and DPA templates are published on the Legal & Agreements page: most procurement reviews can be completed against those templates without a back-and-forth.