Your trade compliance data stays in Canada.
We host every piece of regulated product data in Canadian-resident infrastructure. When we need a service that doesn’t offer a Canadian region, we pick the closest jurisdictional fit to Canada’s PIPEDA regime — which means EU vendors, not US ones, for telemetry. This page names every vendor, every region, and every category of data they touch.
Product data stays in Canada
Supabase Montreal holds every assessment, HS classification, ruling search, chat message, tenant record, and API key. We use Cohere (Canadian-headquartered) for embeddings; their regional routing follows Cohere’s published residency policy. The pipeline that ingests public CBP and CBSA data runs on an OVH VPS in Beauharnois, Québec.
Closest jurisdictional fit when Canadian isn’t available
Session replay, error tracking, uptime monitoring, and support inbox vendors don’t offer Canadian regions. We pick EU Frankfurt because GDPR — post-Schrems II — is a tighter jurisdictional neighbour to PIPEDA than US law. PostHog, Sentry, Better Stack, and Plain all run in the EU. Telemetry is masked; customer product data never flows through these paths.
Payments + LLMs go through US vendors
Stripe is the only viable payments stack for Canadian SaaS. Card data lives with Stripe under their PCI-DSS Level 1 posture; we store only the Stripe customer_id and subscription state in our Canadian database. Anthropic Claude runs in US regions when you use chat or AI classification. Chat inputs are structurally sanitized against prompt injection; we do not automatically redact personal information from user-typed chat content, so do not paste data into chat you don’t want sent to Anthropic.
Every vendor, every jurisdiction
No “third-party providers” hand-wave. Here’s the full list.
| Vendor | Category | Jurisdiction | Region | Data processed | Notes |
|---|---|---|---|---|---|
| Supabase | Product data | Canada | Montreal (ca-central-1) | Product data — user profiles, assessments, rulings, tenant records, API keys | Canadian-resident regulated data stays here |
| Cohere | Product data | Canada (headquartered) | Per Cohere residency documentation | Embeddings (1024-dimension vectors) at inference time | Canadian-headquartered vendor; data-residency guarantees follow Cohere’s published policy — we rely on their documentation for region specifics. Embeddings are generated at query time and not retained by Cohere. |
| OVH | Product data | Canada | Beauharnois, Québec | VPS running pipeline cron jobs; extracts public data and writes back to Supabase | Public-data pipeline only; no customer data on the VPS itself |
| Backblaze B2 | Product data | Canada | ca-central-1 (to be provisioned — L-012) | Encrypted database backups | Provisioning in progress; encryption keys held by ClearOrigin |
| PostHog | Telemetry | European Union | Frankfurt (eu.i.posthog.com) | Product analytics + masked session replay | Masked — PII disclosed in Privacy Policy; customer product data never flows here |
| Sentry | Telemetry | European Union | EU region (configurable) | Error tracking | Only user_id + tier attached to errors — no email, no company, no payload |
| Better Stack | Telemetry | European Union | EU region (to be provisioned — L-004) | Uptime monitoring + public status page | Probes public endpoints only; no customer data transferred |
| Plain | Telemetry | European Union | Frankfurt (to be provisioned — L-008) | Customer support conversations | You choose what to share in a support ticket; we keep context minimal |
| Anthropic | Commerce | United States | US | Claude LLM — chat, classification reranking, summaries | Structurally sanitized against prompt injection. We do NOT automatically redact PII from user-typed chat content — do not paste personal data you don’t want sent to Anthropic. |
| Stripe | Commerce | United States + Ireland | US primary; Ireland for EU VAT processing | Payment card data; subscription state | Card data never stored by ClearOrigin; we keep only the customer_id |
| Resend | Commerce | United States | US | Transactional email (billing + dunning) | Delivery metadata only; emails generated from your account record |
| Vercel | Commerce | United States | Global edge (including Canadian edge nodes) | Web hosting + serverless runtime | Request routing via Canadian edges where available |
| Cloudflare | Commerce | Global | Anycast | Edge CDN, WAF, DDoS protection | No customer-identifying payloads inspected; TLS terminates at the closest node |
Vendor region changes are treated as material: affected customers get 30 days’ notice per our Privacy Policy (section 13) before a switchover.
PIPEDA + cross-border transfer posture
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) permits transfers of personal information to third parties in other jurisdictions when the transferring organization ensures comparable protection by contract or equivalent means. Québec’s Law 25 imposes an additional pre-transfer assessment obligation, which we meet through a documented vendor inventory — this page is the public excerpt.
When we can’t host in Canada, we select EU regions over US regions. Post-Schrems II, the EU GDPR framework offers a stronger alignment to PIPEDA’s consent and purpose-limitation principles than US federal privacy law, which remains sector-specific. We treat EU Frankfurt as the nearest jurisdictional neighbour to Canadian-resident data.
Your regulated product data — assessments, rulings, chat transcripts, certificates, tenant records — never flows to US-based vendors unless you invoke a feature that requires it. The only US-vendor touchpoints in the default flow are Stripe (billing) and Resend (transactional email for billing). Anthropic Claude is invoked only when you open a chat or use AI-assisted classification. We structurally sanitize chat requests against prompt injection, but we do not automatically redact personal information you type into a chat message — chat content you send is content Anthropic receives.
Enterprise FAQ
Can we require Canadian-only telemetry?
White-label tier (custom contract, $12K+/yr) only. Contact sales@clearorigin.ai and we can negotiate a Canadian-only posture — a Canadian telemetry stack involves engineering and vendor tradeoffs (self-hosted PostHog or alternative providers) and the contract reflects that.
Do you use US-based LLMs?
Yes — Anthropic Claude runs in US regions and powers chat, AI-assisted classification, and ruling summaries. Requests are structurally sanitized against prompt injection, but we do not automatically redact user-supplied personal information from chat content. Treat chat as a channel that sends whatever you type to Anthropic. Source documents we feed the model — CBP and CBSA rulings — are public records. Under Anthropic’s commercial terms, chat content is not retained to train models.
Can we audit your residency posture?
Yes — white-label customers get contract-scoped audit rights (annual, reasonable scope, NDA-covered). Pro and Business tiers receive our standard DPA and the public Privacy Policy; custom audits are not included at those tiers.
What happens if a vendor changes region?
Vendor regions are part of our vendor inventory and any change triggers a security review before the switchover. Affected customers receive 30 days’ lead time per our Privacy Policy (section 13) before their data migrates.
Can we get a Data Processing Agreement?
Yes — contact legal@clearorigin.ai. Pro and Business tiers sign our standard DPA; Enterprise and white-label tiers get custom DPAs negotiated against your procurement requirements.