Trust Centre

Security and compliance for sovereign Canadian AI.

Anitarian is built for legal, healthcare, financial, government, and defence teams handling sensitive Canadian data. This page summarizes our current security posture, compliance program, subprocessors, and requestable documentation.

Canadian-owned Canadian-hosted No customer-data training AES-256 + TLS 1.3 PIPEDA / Law 25 aligned
Compliance

Current program status.

Security and privacy controls are mapped against the frameworks Canadian buyers ask for most often.

FrameworkStatusScope
PIPEDAAlignedConsent, purpose limitation, retention, access, breach handling, and accountability controls.
Quebec Law 25AlignedPrivacy impact assessments, automated decision transparency, data minimization, and breach records.
CPCSC / defence procurementReadyCanadian hosting, audit trails, controlled access, vulnerability management, and procurement documentation.
SOC 2 Type IIIn progressControls implemented and evidence collection maintained; formal audit targeted after production observation period.
ISO 27001MappedPolicies and control owners mapped for future certification and enterprise due diligence.
PCI DSSNot applicable to Anitarian systemsPayment card data is not stored, processed, or transmitted by Anitarian application infrastructure.
Documentation

Trust documentation.

Public documents are linked directly. Restricted documents are available to customers and qualified prospects under NDA.

Restricted

Information Security Policy

Security governance, acceptable use, device standards, access control, incident response, and responsibilities.

Request access
Restricted

Access Control Policy

Least-privilege access, MFA, quarterly access reviews, role assignment, and offboarding procedures.

Request access
Restricted

Incident Response Plan

Severity levels, escalation paths, customer notification, regulator notification, and post-incident review.

Request access
Restricted

Business Continuity Plan

Backup, recovery, service continuity, disaster recovery testing, and critical supplier review.

Request access
Restricted

Data Processing Agreement

Customer data handling terms, subprocessors, retention, deletion, confidentiality, and support obligations.

Request access
Public

Privacy Policy

How Anitarian collects, uses, retains, and protects personal information.

View policy
Controls

Security controls in place.

Operational controls are designed for teams that need auditability, data residency, and disciplined change management.

Access control

MFA, role-based permissions, least privilege, documented access approvals, and scheduled access reviews.

Encryption

TLS 1.3 in transit and AES-256 at rest for customer content, databases, backups, and sensitive operational records.

Audit logging

Administrative activity, authentication events, system changes, and data access events are logged for review and evidence.

Vulnerability management

Dependency scanning, patch triage, production hardening, remediation SLAs, and third-party testing for critical surfaces.

Data residency

Customer prompts, documents, outputs, embeddings, and metadata are processed and stored on Canadian infrastructure.

AI governance

No customer-data training, source-aware outputs where applicable, human review workflows, and documented model-use boundaries.

Subprocessors

Third-party processors.

Subprocessors are limited to services required to operate, secure, and support the platform. Customer AI content stays within the Canadian data path unless a customer separately approves an exception.

ProviderPurposeData locationCommitments
Anitarian infrastructureCore application hosting, inference, storage, and logs.CanadaCanadian-owned, Canadian-operated, no customer-data training.
GitHubSource control, issue tracking, deployment evidence, and engineering workflow.United States / globalSOC 2, access controlled, no customer prompts or documents stored by default.
Google WorkspaceBusiness email, calendar, document collaboration, and customer support communication.Canada / United States / globalEnterprise security controls, MFA, contractual privacy commitments.
StripePayment processing for subscriptions and invoices.United States / globalPCI DSS; card data does not enter Anitarian systems.
No training on customer data. Anitarian does not use customer prompts, documents, responses, embeddings, account data, or metadata to train foundation models or improve third-party AI systems. This is enforced as an architectural and contractual boundary.
FAQ

Security questions.

Where is customer data stored?
Customer prompts, documents, outputs, embeddings, and operational metadata are stored and processed on Canadian infrastructure. Anitarian is designed to avoid US cloud regions and US parent-company jurisdiction for customer AI workloads.
Does Anitarian train models on customer data?
No. Customer data is not used for model training, fine-tuning, evaluation, or product improvement unless a customer signs a separate written agreement for a specific training project.
Can we get security documentation for procurement?
Yes. Customers and qualified prospects can request the security policy set, data processing agreement, incident response plan, continuity plan, and compliance mapping under NDA.
How does Anitarian handle a security incident?
Anitarian maintains an incident response process with severity classification, escalation, evidence preservation, customer notification, regulator notification where required, remediation tracking, and post-incident review.
Does Anitarian support Canadian privacy obligations?
Yes. The platform is aligned to PIPEDA and Quebec Law 25 requirements including purpose limitation, data minimization, retention, access controls, breach records, and documentation for privacy impact assessments.
How do I report a vulnerability?
Email team@anitarian.ai with details. We acknowledge reports, assess severity, and remediate according to internal SLAs.

Need a procurement package?

We can provide the trust documentation, compliance mapping, and technical answers your review team needs.