Security and hosting in Quebec

Where your data lives, how it's encrypted, and what that means for Law 25 compliance.

Last updated: May 12, 2026

CondoAide is built for Quebec condo associations. This page explains where your data lives, how it's protected, and what that means for your association's compliance with Quebec Law 25. It complements our Privacy Policy, which contains the detailed legal commitments.

1. Where your data lives

All infrastructure that processes or stores your association's data is located in Quebec:

  • Web application: served by Vercel from the Montreal (yul1) region.
  • Database and stored files: Supabase, ca-central-1 (Montreal) region.
  • Primary backups: kept in Quebec, in Montreal.
  • Secondary backups: kept in Quebec, in Beauharnois, with a separate provider.
  • Your condo association data (registry, finances, documents, communications, minutes) is not transferred outside Canada in normal operation of the service. Limited exceptions (subscription payments via Stripe, explicitly opt-in AI features) are described in section 6 below and in section 9 of the Privacy Policy.

2. Encryption

Encryption happens at several levels, each with a specific role:

  • Data at rest: AES-256 on the database, backups and stored files. Managed by the underlying infrastructure (AWS, which hosts Supabase's ca-central-1 region).
  • Data in transit: TLS 1.3 between your browser, our application and our internal services.
  • Passwords: hashed with bcrypt. Hashing is one-way: your passwords are never stored in plain text, never reversible, and no one at CondoAide (including administrators) can read them. This is intentional and is the correct practice.
  • Authentication tokens (JWT): cryptographically signed with HMAC-SHA256. The signature guarantees a token cannot be tampered with without detection.

3. Quebec Law 25 compliance

Since 2023, Quebec Law 25 (An Act to modernize legislative provisions as regards the protection of personal information) places direct obligations on condo associations, which are responsible for the personal information of their unit owners. CondoAide is designed to help you meet these obligations without extra paperwork:

  • Designated Privacy Officer publicly named at CondoAide — see section 7 of our Privacy Policy.
  • Internal incident registry maintained, with a commitment to notify Quebec's Commission d'accès à l'information within 72 hours of confirming a risk-bearing incident.
  • Data retention and destruction policy with specific timelines per data category — see section 5 of our Privacy Policy.
  • Right of access and rectification: each unit owner can view and correct their personal information through the platform or by contacting the Privacy Officer.
  • Hosted in Quebec: no Privacy Impact Assessment (PIA) related to cross-border transfer is required for your normal use of CondoAide.

4. Access and audit logging

Access to your association's data is strictly controlled:

  • Granular permissions: board administrators, unit owners and residents have distinct access levels defined by your declaration of co-ownership.
  • Strong authentication: two-factor authentication (2FA) is available for all accounts.
  • Audit log: every sensitive action (viewing financial documents, modifying the registry, generating certificates) is logged and timestamped.
  • CondoAide staff access: limited to people with a specific operational need (technical support, troubleshooting), logged, and subject to confidentiality agreements.

5. Backups and business continuity

Your association cannot afford to lose its registry, minutes or maintenance log. Our backup strategy follows the industry-standard 3-2-1 principle (three copies, two media, one offsite):

  • Supabase backups: point-in-time recovery over 7 days plus daily snapshots.
  • Additional backups in Quebec — Montreal: database backups every 4 hours and storage files daily, kept 30 days.
  • Additional backups in Quebec — Beauharnois: daily mirror copy at a second distinct Quebec provider, for geographic resilience.
  • Automated weekly restore test: the most recent backup is restored to an isolated test environment every Tuesday, continuously validating that our backups are actually usable (not just present).

6. Sub-processors

CondoAide relies on a small number of specialized providers. All are contractually bound to comply with applicable Canadian and Quebec laws. For the main sub-processors:

  • Vercel: hosting of the web application, Montreal (yul1) region. SOC 2 Type 2 certified.
  • Supabase: PostgreSQL database, authentication, file storage. ca-central-1 (Montreal) region. SOC 2 Type 2 certified.
  • Stripe: processing of your CondoAide subscription payment (credit card, PAD). SOC 2 Type 2 and PCI DSS Level 1 certified. Data processed in the United States, covered by a Data Processing Agreement (DPA).
  • Brevo: sending of transactional emails (confirmations, reminders). European company, data covered by a GDPR-compliant DPA.
  • OpenAI and Anthropic: AI models used only for opt-in AI features (Law 16 assistant, insurance policy extraction). No data is sent to these providers if you do not enable these features. See section 9 of our Privacy Policy.
  • The complete, up-to-date list of sub-processors is in section 3 of our Privacy Policy.

7. Questions or complaints

For any question about the security or privacy of your data, or to exercise one of your rights under Law 25:

  • Privacy Officer: Nicolae Racovita
  • Email: privacy@condoaide.ca
  • Mailing address: CondoAide, 4143 chemin Ste-Angélique, Saint-Lazare (Quebec) J7T 2N5, Canada
  • You also have the right to file a complaint with Quebec's Commission d'accès à l'information: cai.gouv.qc.ca.