Full transparency on where your data lives, how our AI handles queries, and how we align with BCFSA guidance and Canadian privacy law — with no fine print.
🇨🇦 AWS Canada Central — Montréal, QC
✓ PIPEDA-aligned (self-assessed)
⚠ Ask Uni AI: OpenAI API · Zero training retention
🛡️ BCFSA AI Governance Principles
🗄️ Data Residency
Exactly where your data lives
Every piece of community data HoAIunified collects is stored in Canada. Below is a complete breakdown by data category, storage location, and whether it ever crosses the border.
| Data Category | What it includes | Where it's stored | Crosses border? |
| --- | --- | --- | --- |
| Community profiles: Units, residents, roles, ownership records | Unit numbers, owner/tenant names, contact info, roles (board, resident, manager) | 🇨🇦 AWS ca-central-1, Montréal, QC | ✓ Never |
| Maintenance requests: Work orders, status, vendor assignments | Request descriptions, photos, vendor notes, status history, timestamps | 🇨🇦 AWS ca-central-1, Montréal, QC | ✓ Never |
| Documents: Bylaws, financials, minutes, forms | Uploaded files (PDF, DOCX, XLSX), version history, AI-generated index embeddings | | |
| | Amenity name, booking slot, resident identifier, cancellation history | 🇨🇦 AWS ca-central-1, Montréal, QC | ✓ Never |
| Ask Uni AI queries: Questions submitted to our AI assistant | The text of questions submitted by users, plus relevant document excerpts retrieved from your Canadian document store (RAG context) | ⚠ OpenAI API, US-based inference servers | ⚠ Query text only |
| Platform logs & analytics: Error logs, usage metrics, audit trails | System events, API call logs (no personal content), anonymized usage statistics | 🇨🇦 AWS ca-central-1, Montréal, QC | ✓ Never |
🤖 AI Transparency
How Ask Uni handles your data
Ask Uni is powered by OpenAI's API. We want you to know exactly what that means — because transparency is how we earn your trust.
📤
What leaves Canada
When you ask Ask Uni a question, the query text you type — and any relevant document excerpts retrieved from your community's document library — are sent to OpenAI's API to generate an answer. The underlying source documents never leave Canada; only the retrieved context for that specific query is included in the API call.
⚠ Query text: OpenAI API (US)
🛡️
OpenAI's data commitment
Under OpenAI's API Data Processing Agreement, data submitted via the API is not used to train OpenAI models. OpenAI retains API data for a maximum of 30 days for abuse monitoring, then it is deleted. This is separate from ChatGPT — API data is handled under stricter enterprise terms.
✓ Zero training retention
🔭
What Ask Uni can see
Ask Uni only has access to documents and data scoped to the user's role and community. A resident cannot query another resident's information. A property manager can only access communities they manage. Role-based access is enforced on every single API request.
✓ Role-scoped access
📋
Full audit trail
Every Ask Uni interaction is logged in Canada: timestamp, user role, community ID, and a summary of the query. Organization admins can access this full log at any time. No AI interaction is invisible to your administrators.
✓ Logged in Canada
Why we're transparent about this: Some software vendors claim "all data stays in Canada" while quietly routing AI queries through US servers. We believe that approach breaks trust. Our community data is stored entirely in Canada. Our AI inference routes through OpenAI's US API under an agreement with zero training retention: API data is not used to train models and is retained for at most 30 days for abuse monitoring. We'd rather tell you clearly than hide it in a footnote.
🔐 Security Architecture
How we protect your data technically
Security is built into every layer — not bolted on afterward.
🏘️
Complete tenant isolation
Every HOA, strata, or condo community is isolated at the database row level. There is no way for data from one community to appear in another, even in edge cases or errors. Each organization operates in a fully isolated data partition.
✓ Row-level isolation
🔒
Encryption everywhere
All data is encrypted in transit using TLS 1.3 and at rest using AES-256. This applies to your community data, uploaded documents, and all database records. No plaintext data is ever stored or transmitted.
✓ TLS 1.3 + AES-256
🎟️
JWT authentication
Every API endpoint requires a signed JWT. Tokens are short-lived and scoped to the specific user's role and community. There are no shared credentials and no session cookies that can be hijacked across communities.
✓ Per-request auth
👁️
Role-based access control
Five distinct roles — Super Admin, Property Manager, Board Member, Resident, Vendor — each with strictly defined permissions. Access is enforced at the API level, not just the UI. Residents can never access board-only or manager-only data regardless of how they interact with the API.
✓ 5-tier RBAC
🔑
Secrets management
API keys, database credentials, and third-party integration tokens are stored in AWS Secrets Manager — never in environment variables or source code. Secrets are rotated on a scheduled cadence and never logged.
✓ AWS Secrets Manager
📡
Infrastructure on AWS Canada
Our application backend and databases run on AWS ca-central-1 (Montréal, Québec). AWS is certified under ISO 27001, SOC 1/2/3, and PCI DSS. We inherit the physical security and infrastructure compliance of one of the world's most audited cloud providers.
✓ AWS ca-central-1
🏛️ BCFSA AI Governance
How we align with BCFSA guidance
The BC Financial Services Authority (BCFSA) requires licensed strata and property managers to apply sound governance when using AI tools on behalf of communities. HoAIunified is designed to meet these expectations across five core principles.
| BCFSA Principle | How HoAIunified addresses it | Status |
| --- | --- | --- |
| 1. Transparency | Ask Uni responses are always clearly labelled as AI-generated. Users are never misled into thinking they are receiving advice from a licensed human professional. Every AI response includes a disclaimer encouraging users to consult their property manager or legal counsel for official decisions. | ✓ Live |
| 2. Human Oversight | No action taken by Ask Uni is irreversible without human approval. Property managers and board members can review, correct, override, or delete any AI-generated response. The platform does not auto-execute any governance action based on AI output alone. | ✓ Live |
| 3. Data Minimization | Ask Uni only accesses data scoped to the requesting user's role and community. Residents cannot query other residents' personal information. Managers see only their assigned communities. AI context is limited to what is necessary to answer the specific query. | ✓ Live |
| 4. Accountability | Every AI interaction is logged with a timestamp, user role, community ID, and query summary. Organization admins can download a full audit trail at any time. This creates a clear record of how AI was used — essential for regulatory inquiries or disputes. | ✓ Live |
| 5. Accuracy & Grounding | Ask Uni answers are grounded in your community's own uploaded documents using retrieval-augmented generation (RAG). This dramatically reduces hallucination risk compared to a model answering from general internet knowledge. Responses include citations to the source document when available. | ✓ Live |
Important — self-assessed alignment: HoAIunified's alignment with BCFSA AI governance guidance is self-assessed based on our reading of BCFSA publications and applicable regulatory guidance. HoAIunified has not been formally reviewed, audited, or approved by BCFSA. Property managers using AI tools remain responsible for their own regulatory compliance. We recommend consulting your regulatory advisor if you have specific compliance questions.
⚖️ Canadian Privacy Law
PIPEDA & provincial alignment
Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) sets the baseline for how private-sector organizations must handle personal information. Here is how our practices align.
✅
Consent & purpose
We collect personal information only for the purpose of operating the platform — community management, communication, and maintenance workflows. We do not sell, share, or monetize your community's data. Consent is obtained at the time of onboarding and documented.
📦
Data minimization
We collect only what is necessary to provide the service. We do not ask for Social Insurance Numbers (SINs), financial account details, or health information. Profile data is limited to what is needed for community management functions.
🚪
Access & correction
Residents can request access to their personal data at any time by contacting hello@hoaiunified.com. Organization admins can export resident data directly from the platform. Correction requests are fulfilled within 30 days.
🗑️
Deletion on request
When a community offboards from HoAIunified, all community data is deleted from our systems within 30 days. Individual deletion requests from residents can be submitted to hello@hoaiunified.com and are processed within 30 days.
🗺️ Compliance Roadmap
Where we are & where we're going
We are an early-stage platform committed to raising our compliance posture as we grow. Here is our current status and what is on the roadmap.
✅
Canadian data residency (AWS ca-central-1)
All community data stored exclusively in Montréal, QC. No cross-border data replication at rest.
Live
✅
TLS 1.3 + AES-256 encryption
All data encrypted in transit and at rest across all environments.
Live
✅
Role-based access control (RBAC)
Five-tier permission system enforced at the API level on every request.
Live
✅
OpenAI DPA — zero training retention
Operating under OpenAI's API Data Processing Agreement. Query data not used for model training.
Live
✅
AI audit trail & logging
All Ask Uni interactions logged with timestamp, role, community ID, and query summary. Available to admins.
Live
🔄
Penetration testing (third-party)
Engaging an independent security firm to conduct a full application penetration test. Results will inform a public security report.
In progress — 2026
📅
SOC 2 Type II audit
Formal third-party audit of our security, availability, and confidentiality controls. Required for enterprise property management company onboarding.
Q3 2026 target
📅
Formal PIPEDA attestation
Independent legal review and formal attestation of our PIPEDA compliance practices by a Canadian privacy counsel.
Q4 2026 target
📅
ISO 27001 certification
International information security management standard. Target for when we reach Enterprise tier scale.
2027 target
❓ FAQ
Common questions
Straight answers to what property managers and strata councils ask us most.
No. HoAIunified uses OpenAI's API, not ChatGPT. Under OpenAI's API Data Processing Agreement, data submitted via the API is explicitly not used for training OpenAI models. OpenAI retains API data for up to 30 days for abuse monitoring purposes only, then it is permanently deleted. You can read OpenAI's API data usage policy at openai.com/policies/api-data-usage-policies.
All community data — resident records, documents, maintenance requests, votes, bookings, and logs — is stored on AWS ca-central-1, which is located in Montréal, Québec, Canada. AWS operates two availability zones in this region (ca-central-1a and ca-central-1b). We use multi-AZ configuration for database reliability. No data is replicated to US or EU regions.
No. BCFSA does not certify or formally approve software vendors. Our alignment with BCFSA AI governance guidance is self-assessed based on our review of BCFSA's published guidance documents. Property managers remain responsible for their own regulatory compliance when using any third-party software. We recommend consulting your regulatory advisor if you have specific compliance questions.
Yes. Residents or property managers can submit a data deletion request to hello@hoaiunified.com. We will process the request within 30 days. When a community offboards from HoAIunified, all community data is deleted from our active systems within 30 days. Backup data is purged on a rolling 90-day cycle.
In the event of a confirmed data breach affecting personal information, we will notify affected organizations within 72 hours of discovery, consistent with PIPEDA's breach of security safeguards requirements. We will provide a written incident report including the nature of the breach, data affected, steps taken to contain it, and recommended actions for affected individuals. We also notify the Office of the Privacy Commissioner of Canada (OPC) as required by PIPEDA.
No. Ask Uni does not browse the internet or access any external data sources. It answers questions by searching your community's own uploaded document library (using retrieval-augmented generation). This means answers are grounded in your bylaws, minutes, policies, and forms — not general internet content. This design significantly reduces hallucination risk and keeps responses relevant to your specific community's rules and context.
Yes. Enterprise and Professional tier customers can request a formal Data Processing Agreement. Please contact hello@hoaiunified.com with your request and we will provide our standard DPA for review. Custom DPA terms are available for large property management companies with specific contractual requirements.
Have compliance questions? We'll answer them directly.
Enterprise buyers and property management companies — reach out before you onboard. We're happy to discuss your specific regulatory environment, provide our standard DPA, or connect you with our technical team.