Encryption in transit and at rest. Daily backups.
How we protect your data and meet regulatory requirements.
Every compliance claim on our site is backed by this registry. No badge appears without a verified status here.
Full compliance with Quebec's Act Respecting the Protection of Personal Information in the Private Sector. Consent collection, data portability, erasure workflows, privacy officer designated.
Last verified: 2026-03-30
Compliant with the Personal Information Protection and Electronic Documents Act. Data access, correction, and deletion rights enforced.
Last verified: 2026-03-30
VentureHelm is a Canadian-owned, Canadian-incorporated company (NEQ 2281985277). No US parent, US subsidiary, or US-incorporated entity in the corporate chain. The corporate entity itself is not subject to the US CLOUD Act.
Last verified: 2026-04-10
Non-AI customer data (database records, files, invoices, communications) is stored exclusively in Canadian data centres and is not accessible to any US subprocessor. SMB AI features use Anthropic (US), which IS subject to the CLOUD Act — prompt content could theoretically be compelled via Anthropic. For zero CLOUD Act exposure in the AI path, our Enterprise Founding Partner deployments use Ollama on customer-controlled infrastructure.
Last verified: 2026-04-10
Audit in progress, target completion Q4 2026. Security controls aligned to Trust Services Criteria.
PHIPA-aligned for self-hosted Founding Partner deployments where the healthcare organization controls the infrastructure. Data residency, access controls, and audit logging meet PHIPA requirements when deployed on-premises or in a dedicated Canadian cloud environment.
OSFI E-23 aligned via private Founding Partner deployment. Model risk management controls, audit trails, and AI governance features support compliance when deployed in a regulated financial institution's environment.
Protected B capable in air-gapped Sovereign deployment configuration. Architecture assessed for Protected B classification requirements. Full compliance requires deployment in a GC-accredited hosting environment.
Security control framework self-assessed against ITSG-33. Pre-built evidence packages for SA&A assessments. Third-party assessment planned as part of Protected B accreditation process.
All client-facing surfaces are bilingual (English and French): marketing pages, portal, emails, SMS, and AI responses. Internal founder/admin pages are English-only.
Row-level tenant separation enforced at the ORM, session, file upload, agent memory, and audit log layers. Cross-tenant access attempts return HTTP 403.
Last verified: 2026-04-11
Privacy Impact Assessment covering the 6 webhook event types shipped in Plan 29. Documents PII inventory, 60-day retention, HMAC safeguards, required customer contractual obligations. Draft status until founder signs the 4 decisions in PIA §11.
Last verified: 2026-04-11
Third-party services that process data on our behalf. Each is vetted for security and data handling practices.
| Service | Purpose | Country | Notes |
|---|---|---|---|
| Stripe | Payments | US (Canadian merchant) | PCI DSS Level 1. Payment data never touches our servers. |
| Resend | Email delivery | US | Email delivery only. No customer data stored. |
| Twilio | SMS delivery | US | SMS for review requests, booking confirmations, AI receptionist. |
| | Review automation | Multi-region | Google Business Profile API. User-initiated sync only. |
| Anthropic (Claude) | SMB AI inference | US | Contractual no-training clause. Enterprise tier uses local Ollama instead. |
| Cloudflare | CDN / security | Global edge | Edge processing only. Origin servers remain in Canada. |
| Ollama | Enterprise AI | Customer-controlled | Runs on customer infrastructure. No data leaves customer network. |
All data encrypted with AES-256 at rest and TLS 1.3 in transit. Database connections use SSL.
Primary application data is hosted on secure infrastructure. Some service providers or integrations may process limited data outside Canada as described in our documentation.
Every client has a dedicated tenant with row-level security. No data leakage between tenants.
We notify affected customers and regulators when required by applicable law. Security contact: [email protected]
In the event of a data breach affecting customer information, we will promptly notify affected customers via email, notify applicable privacy regulators as required by law, publish a notice on this page, and provide a clear description of what happened, what data was affected, and what we are doing about it.