Trust & Security

How we handle your clients' data

Bo and every HNDL tool are built for Canadian mortgage brokers who handle sensitive client information every day. This page tells you exactly what we do with that data — where it lives, what protections are in place, and what we're still building.

No marketing language. If something isn't done yet, we say so.

Last updated: March 21, 2026  ·  Questions: andrew@hndl.app
PIPEDA Compliant: Active
Canadian Data Hosting: ca-central-1
AI Consent Gates: In-product
Anthropic DPA: No training on your data

Compliance Status

What's in place and what's coming

What's complete, what's in progress, and what we haven't done yet.

✓ PIPEDA
✓ PIPA BC
✓ CASL
✓ Canadian Data Hosting
✓ Anthropic DPA Signed
✓ AI Consent Disclosure
✓ TLS + AES-256
↻ DPA Template — Q2 2026
↻ Canadian Automation Hosting — Q2 2026

Data Storage & Residency

Your client data stays in Canada

Primary Database

All broker and client records are stored in Supabase, hosted in the ca-central-1 region (Montreal, Canada). No client mortgage data is stored outside Canada.

Application Hosting

The Bo application is hosted on Vercel's global edge network, with Canadian points of presence. No client mortgage data is stored in Vercel — only application code and session traffic.

Encrypted at Rest

Supabase encrypts all data at rest using AES-256. Database backups are encrypted and retained within the same Canadian region.

Encrypted in Transit

All connections between your browser and Bo are encrypted using TLS 1.2 minimum. There are no unencrypted data paths.

What does cross the border: AI processing uses Anthropic's Claude API, which operates on US-based infrastructure. This is disclosed to you before use and covered in detail in the AI Processing section below. Anthropic does not use your client data to train their models — this is confirmed in their Data Processing Addendum, which HNDL has signed.

AI Processing Disclosure

What happens when Bo uses AI on your files

Bo uses Anthropic's Claude AI to power summaries, analysis, and draft communications. Here is exactly what that means for your clients' data.

During account setup, you acknowledge this disclosure:

"Client information submitted to AI features in Bo is processed by Anthropic's Claude API, which operates on US-based servers. Anthropic does not use your data for model training. Processed data is not stored by Anthropic beyond the API request."

This consent is captured during onboarding and is on file. It is not buried in terms of service.

What Anthropic receives: Only the data you explicitly submit as part of an AI task — for example, a document you've uploaded for summarization, or a client note you've asked Bo to draft a response to. Anthropic does not receive your full client database or any passive background sync data.

What Anthropic does not do: Anthropic's API terms prohibit training models on customer data. HNDL has signed Anthropic's Data Processing Addendum (DPA), which contractually confirms: no model training on your data, 48-hour breach notification, deletion of processed data within 30 days of termination.

US data transfer: AI processing constitutes a cross-border data transfer under PIPEDA. We disclose this transfer, obtain consent during account setup, and rely on the Anthropic DPA as the contractual safeguard. This is the same approach used by every Canadian business that uses any cloud AI tool, and it complies with PIPEDA's accountability principle.

You can disable AI features: If you prefer not to use AI processing for any client, you can skip AI-powered features. Non-AI features remain fully available.

Subprocessors

Every third party that touches client data

We do not sell or share client data with any third party beyond the services listed here. We will notify active brokers via email before adding any new subprocessor that handles client data.

| Service | Purpose | Data Center | Data Processed |
|---|---|---|---|
| Supabase | Primary database — all broker and client records | ca-central-1 (Montreal, Canada) | All structured client data, mortgage files, broker profiles |
| Vercel | Application hosting and CDN | Global edge network (Canadian PoPs included); compute in US East | Session metadata, API requests, application traffic. Client mortgage records are not stored in Vercel. |
| Anthropic (Claude API) | AI processing — summaries, drafts, analysis | US (AWS us-east-1) | Client data explicitly submitted for AI tasks only. Not retained post-request. Not used for training. DPA in place. |
| N8N | Workflow automation — notifications, background tasks | TBD — currently reviewing architecture to ensure Canadian hosting | Workflow trigger metadata (record IDs, status flags). Designed to carry minimal client data. Architecture under review. |
| Didit (Complai only) | Digital identity verification and biometric liveness detection | Canada (ISO 27001 certified infrastructure) | Government ID image and biometric selfie — deleted upon verification completion. Result (pass/fail) only is retained. |

N8N architecture note: We are evaluating our automation infrastructure to ensure it runs on Canadian-hosted servers. Until that migration is complete, N8N workflows are designed to pass only record identifiers (not full client records) across their network. We will update this table when the architecture change is confirmed.

Security Controls

What we have in place today

Row-Level Security

Data isolation is enforced at the database layer via Supabase Row-Level Security — not just the application layer. You cannot access another broker's data, even if there were an application bug.

Access Control

HNDL staff access to production data is logged and restricted to the Privacy Officer. No shared credentials. No direct production database access from developer machines in normal operations.

Secrets Management

API keys and secrets are stored in environment variables, never in source code. Git repositories are private. Pre-commit checks prevent accidental secret exposure.

CI/CD Deployments

All production deployments go through Vercel's automated pipeline — not manual file transfers. Every deploy is versioned and reversible within minutes.

Data Retention

Mortgage file data is retained for 7 years as required by BCFSA regulatory obligations, then deleted. Newsletter and marketing data is deleted on unsubscribe.

BCFSA & Mortgage Services Act

How Bo addresses BC regulatory requirements

The incoming rule: The BC Mortgage Services Act (MSA), effective October 2026, requires that mortgage brokerages "keep those records in British Columbia" (Section 32). This is a stricter standard than the current Mortgage Brokers Act, which has no geographic requirement.

How Bo addresses this: All client records are stored in Supabase's ca-central-1 region (Montreal). Bo also provides full data export on demand, so you can maintain a local copy of your records in BC at any time — which is the practical compliance path BCFSA itself has documented for cases where the server is outside BC.

What every BC broker should know: Every major mortgage software platform currently used by BC brokers — Newton Velocity, FINMO, Salesforce — runs on infrastructure outside BC, and none of them have published BC-specific data residency documentation. The entire industry will face this same question when the MSA takes effect. BCFSA will need to publish formal guidance on cloud-hosted software compliance.

Our commitment: We are monitoring MSA implementation guidance from BCFSA and CMBA-BC. When guidance is published, we will update our architecture and this page. Bo is designed to make records exportable and inspection-ready — which is the practical standard regulators are moving toward.

Current law (MBA, in force until October 2026): No geographic requirement for records. Full stop. You are compliant using Bo today.

Identity Verification (Complai)

FINTRAC-compliant digital ID verification

When clients verify their identity through Complai, here is how their biometric data is protected.

ISO 27001 Infrastructure

Our identity verification provider's infrastructure is ISO 27001 certified — the international standard for information security management systems.

iBeta Level 1 Certified

Biometric liveness detection is independently certified to ISO 30107-3 (iBeta Level 1), preventing spoofing with photos, videos, or masks.

Biometrics Deleted on Completion

ID images and biometric selfie data are used solely for the identity check. Once verification is complete, all biometric data is permanently deleted. Only the result is retained.

FINTRAC Method Compliant

Digital ID verification using government-issued photo ID with facial matching is one of FINTRAC's five authorized methods under the PCMLTFA.

Your Rights

What you can ask us to do with your data

Access your data. Request a full export of all data we hold about you and your clients. We will provide this in a portable format (JSON or CSV) within 10 business days.

Correct your data. If any information we hold is inaccurate, contact us and we will correct it promptly.

Delete your data. When you close your account, your data is deleted from active systems within 30 days. Mortgage file data subject to the 7-year BCFSA retention requirement is held in a secure, inactive archive for that period before deletion.

Withdraw AI consent. You can disable AI processing features at any time from your account settings. Non-AI features remain fully functional.

Lodge a complaint. If you believe we've handled your data incorrectly, you can contact the Office of the Privacy Commissioner of Canada at priv.gc.ca or the BC Office of the Information and Privacy Commissioner at oipc.bc.ca.

To exercise any of these rights: andrew@hndl.app

✓ PIPEDA rights
✓ PIPA BC rights
✓ CASL unsubscribe within 10 days
✓ Data portability on request
✓ Right to erasure

Incident Response

What we do if something goes wrong

If we discover a security incident involving broker or client data:

Within 24 hours: We assess the scope and nature of the incident.

Within 72 hours: If the incident involves personal information and creates a real risk of significant harm, we notify affected brokers directly via email and report to the Office of the Privacy Commissioner of Canada as required under PIPEDA.

Documentation: We record the incident, our response, and corrective actions taken.

The accountability structure is clear: incidents are owned by the Privacy Officer, Andrew Homeyer, reachable at andrew@hndl.app and by phone.

For security vulnerability reports: Email andrew@hndl.app with subject line "Security Vulnerability." We will acknowledge within 24 hours.

Roadmap

Where we are and where we're going

Completed items are done. In-progress targets are commitments, not marketing.

| PIPEDA Compliance | ✓ Complete | Canadian federal privacy law. Ongoing. |
| PIPA BC Compliance | ✓ Complete | BC provincial privacy act. Ongoing. |
| CASL Compliance | ✓ Complete | Email consent and unsubscribe. Ongoing. |
| Canadian Data Residency | ✓ Complete | Supabase ca-central-1 (Montreal). Active. |
| Anthropic DPA | ✓ Signed | No training on client data. 48hr breach notification. |
| AI Consent Disclosure | ✓ Complete | In-product gate before every AI action on client data. |
| DPA Template (for brokers) | ↻ Q2 2026 | Legal contract governing how HNDL handles broker client data. Custom agreements available on request in the interim. |
| Canadian Automation Hosting | ↻ Q2 2026 | Migrating workflow automation to Canadian-hosted infrastructure. Currently EU-hosted; designed to carry minimal client data. |

Contact

Questions, DPA requests, security reports

Privacy Officer: Andrew Homeyer
Email: andrew@hndl.app
Company: HNDL Inc.
Address: Surrey, BC, Canada

Request a DPA

Email andrew@hndl.app with subject: "DPA Request — [brokerage name]." Response within 5 business days. Our standard template is in progress; we'll work on a custom agreement in the interim.

Security Questionnaire

We'll complete standard security questionnaires within 10 business days. Email andrew@hndl.app with the questionnaire attached.

Data Export or Deletion

Email andrew@hndl.app with subject: "Data Export Request" or "Account Deletion Request." Fulfilled within 10 business days.

Vulnerability Report

Email andrew@hndl.app with subject: "Security Vulnerability." We acknowledge within 24 hours and investigate every report.