Trust Centre

Security, compliance, and data residency are not afterthoughts — they are foundational to how we build Alverik.

Security Controls

We protect your procurement data with industry-standard security controls at every layer.

  • All data encrypted in transit (TLS 1.2+) and at rest (AES-256).
  • Authentication via Google OAuth — no passwords stored. Operator accounts require TOTP multi-factor authentication.
  • Row-Level Security on every database table. Role-based access with least-privilege policies.
  • Structured logging, audit trails for all user and operator actions, and defined incident response procedures (P1–P4).
  • Automated CI/CD with typecheck, lint, test suite, build verification, and dependency vulnerability scanning.
  • SOC 2 Type II programme in progress.

Canadian Data Residency

All primary storage stays in Canada. AI processing may cross borders as disclosed below.

  • All primary data is stored in Canada (Supabase ca-central-1).
  • No cross-border data transfers for storage or database operations. AI processing uses Anthropic’s Claude API, which may process data in the US as disclosed in our privacy policy.
  • View our full sub-processor list

Privacy (PIPEDA)

We follow the Personal Information Protection and Electronic Documents Act.

  • You have the right to access, correct, and delete your personal information at any time.
  • PIPEDA-compliant account deletion with PII anonymisation. Soft-delete with 90-day retention before permanent purge.
  • 72-hour breach notification commitment for any breach creating a real risk of significant harm.
  • Consent is collected at the point of collection and can be withdrawn at any time.
  • Read our full Privacy Policy

AI Disclosure (Bill 194)

Every AI-generated output in Alverik is clearly labelled, a practice designed with Ontario's Bill 194 AI transparency requirements in mind.

  • All AI-generated content — drafts, scores, health checks, and profile suggestions — is clearly marked with a visible disclaimer.
  • AI outputs are decision-support tools. They inform your review but do not replace human judgement.
  • Your data is never used to train AI models. Anthropic's commercial API terms prohibit training on customer data.
  • Every AI call is logged with full token breakdown and cost tracking per subscriber.

CASL Compliance

Alverik follows Canada’s Anti-Spam Legislation for all electronic communications.

  • Marketing communications require separate explicit consent. Transactional emails (account-related) are sent under implied consent.
  • Every marketing email includes a one-click unsubscribe mechanism.
  • Manage your communication preferences at any time under "Manage CASL preferences".

Quebec — Law 25 (Under Review)

We are reviewing additional protections for Quebec subscribers under Quebec’s Act respecting the protection of personal information in the private sector.

  • A designated privacy officer will oversee all personal information handling.
  • Privacy impact assessments will be conducted for new features that process personal information.
  • Consent management is being enhanced to meet Law 25’s requirements for Quebec residents.
  • Data export is available to support portability rights.

Last updated: April 2026

Questions about our security and compliance practices? security@alverik.ca