Xorvya Book a 20-min call
Trust Center

How we protect your data — and keep records defensible.

The factual version, for administrators, privacy officers, and IT reviewers. If you need more detail, ask — deeper documentation is available under NDA.

Data residency

All operational and resident data is stored in the AWS Canadian region, ca-central-1. Your data is stored in Canada.

Encryption

Encrypted at rest with AES-256 and in transit with TLS 1.2+. Keys are managed through cloud key-management services.

Access control

Role-based access with least privilege: staff see only what their role requires. Administrative access is protected with multi-factor authentication.

Record integrity

Each record milestone is preserved in a linked, tamper-evident history built on established standards: SHA-256 linked snapshots and independent RFC 3161 trusted timestamps. Exported packs carry a QR code for independent verification.

We publish the standards we build on; the specific methods that bind records together are proprietary.

AI configuration

AI assists with organizing and drafting; it never decides, approves, or submits. Every consequential step requires human review, and AI processing runs under a zero-data-retention configuration — prompts and outputs are not retained or used for training.

Privacy & PHIPA

Designed to operate as your service provider under PHIPA, following the privacy standards your home must meet. Privacy terms are established in writing before any resident data flows.

Subprocessors: AWS Canada for hosting; Anthropic for AI processing under zero-retention configuration.

Where we are on the maturity curve — honestly

SOC 2 Type II: the architecture is designed to support it; the audit is planned. Privacy impact and threat-risk assessments are co-authored with pilot partners. A third-party security audit is scheduled alongside our first paid pilot. We would rather tell you exactly where we are than claim certifications we have not earned.

Detailed security documentation is available under mutual NDA.

Our approach

A few commitments we hold ourselves to, on this site and in every conversation: we do not claim certifications we have not earned; we do not claim AI makes decisions; we explain precisely what tamper-evident means; and we keep today and roadmap distinct everywhere.

If you find anything on this site that does not meet that standard, tell us and we will fix it.

Security questions? Ask directly.

We answer privacy officers and IT reviewers ourselves, in plain language.

Contact us