Security and hosting in Quebec

Where your data lives, how it's encrypted, and what that means for Law 25 compliance.

Last updated: June 2, 2026

CondoAide is built for Quebec condo associations. This page explains where your data lives, how it's protected, and what that means for your association's compliance with Quebec Law 25. It complements our Privacy Policy, which contains the detailed legal commitments.

1. Where your data lives

All infrastructure that processes or stores your association's data is located in Quebec:

  • Web application: served by Vercel from the Montreal (yul1) region.
  • Database and stored files: Supabase, ca-central-1 (Montreal) region.
  • Primary backups: kept in Quebec, in Montreal.
  • Secondary backups: kept in Quebec, in Beauharnois, with a separate provider.
  • Your condo association data (registry, finances, documents, communications, minutes) is not transferred outside Canada in normal operation of the service. Limited exceptions (subscription payments via Stripe, explicitly opt-in AI features) are described in section 6 below and in section 9 of the Privacy Policy.

2. Encryption

Encryption happens at several levels, each with a specific role:

  • Data at rest: AES-256 on the database, backups and stored files. Managed by the underlying infrastructure (AWS, which hosts Supabase's ca-central-1 region).
  • Data in transit: TLS 1.3 between your browser, our application and our internal services.
  • Passwords: hashed with bcrypt. Hashing is one-way: your passwords are never stored in plain text, never reversible, and no one at CondoAide (including administrators) can read them. This is intentional and is the correct practice.
  • Authentication tokens (JWT): cryptographically signed with HMAC-SHA256. The signature guarantees a token cannot be tampered with without detection.

3. Quebec Law 25 compliance

Since 2023, Quebec Law 25 (An Act to modernize legislative provisions as regards the protection of personal information) places direct obligations on condo associations, which are responsible for the personal information of their unit owners. CondoAide is designed to help you meet these obligations without extra paperwork:

  • Designated Privacy Officer publicly named at CondoAide — see section 7 of our Privacy Policy.
  • Internal incident registry maintained, with a commitment to notify Quebec's Commission d'accès à l'information within 72 hours of confirming a risk-bearing incident.
  • Data retention and destruction policy with specific timelines per data category — see section 5 of our Privacy Policy.
  • Right of access and rectification: each unit owner can view and correct their personal information through the platform or by contacting the Privacy Officer.
  • Hosted in Quebec: no Privacy Impact Assessment (PIA) related to cross-border transfer is required for your normal use of CondoAide.

4. Access and audit logging

Access to your association's data is strictly controlled:

  • Granular permissions: board administrators, unit owners and residents have distinct access levels defined by your declaration of co-ownership.
  • Strong authentication: two-factor authentication (2FA) is available for all accounts.
  • Audit log: every sensitive action (viewing financial documents, modifying the registry, generating certificates) is logged and timestamped.
  • CondoAide staff access: limited to people with a specific operational need (technical support, troubleshooting), logged, and subject to confidentiality agreements.

5. Backups and business continuity

Your association cannot afford to lose its registry, minutes or maintenance log. Our backup strategy follows the industry-standard 3-2-1 principle (three copies, two media, one offsite):

  • Supabase backups: point-in-time recovery over 7 days plus daily snapshots.
  • Additional backups in Quebec — Montreal: database backups every 4 hours and storage files daily, kept 30 days.
  • Additional backups in Quebec — Beauharnois: daily mirror copy at a second distinct Quebec provider, for geographic resilience.
  • Automated weekly restore test: the most recent backup is restored to an isolated test environment every Tuesday, continuously validating that our backups are actually usable (not just present).

6. Sub-processors

CondoAide relies on a small number of specialized providers. All are contractually bound to comply with applicable Canadian and Quebec laws. For the main sub-processors:

  • Vercel: hosting of the web application, Montreal (yul1) region. SOC 2 Type 2 certified.
  • Supabase: PostgreSQL database, authentication, file storage. ca-central-1 (Montreal) region. SOC 2 Type 2 certified.
  • Stripe: two uses: (1) payment of your CondoAide subscription (credit card, PAD) and (2) automatic condo-fee collection by pre-authorized debit (PAD/ACSS); the banking information of co-owners who enable the debit is processed by Stripe, which then deposits the funds directly into the syndicate's account (Stripe Payments Canada, Ltd., operating under Payments Canada rules). SOC 2 Type 2 and PCI DSS Level 1 certified. Data processed in the United States, covered by a Data Processing Agreement (DPA).
  • Brevo: sending of transactional emails (confirmations, reminders). European company, data covered by a GDPR-compliant DPA.
  • OpenAI and Anthropic: AI models used only for opt-in AI features (Law 16 assistant, insurance policy extraction). No data is sent to these providers if you do not enable these features. See section 9 of our Privacy Policy.
  • OVHcloud (self-hosted OpenReplay): hosts our OpenReplay installation: product telemetry and session recording for technical support. Beauharnois (Québec) region. Self-hosted software; no data leaves Québec.
  • OVHcloud (self-hosted GlitchTip): hosts our GlitchTip installation: tracking of errors, exceptions and application logs. Beauharnois (Québec) region. Self-hosted software; no data leaves Québec.
  • OVHcloud (self-hosted Plausible): hosts our Plausible installation: cookieless, aggregate web analytics (visitors, pages viewed, traffic sources, city and country) on the public pages of the site. The IP address is used momentarily to determine the city, then immediately discarded; it is never stored. Beauharnois (Québec) region. Self-hosted software; no data leaves Québec.
  • The complete, up-to-date list of sub-processors is in section 3 of our Privacy Policy.

7. Cookies and consent

On your first visit to the public site or to a sign-in page, a banner asks whether you accept product telemetry cookies. If you refuse, no analytics tool is loaded. Strictly necessary cookies (session, security, language) remain active regardless of your choice — they are essential to the operation of the service. Your choice is stored locally (localStorage) and can be changed at any time via the "Reset cookie preferences" link at the bottom of every page.

8. Telemetry and session recording

Our product telemetry and application error tracking are installations we operate ourselves on OVHcloud infrastructure in Montréal. No telemetry or error data leaves Québec.

  • OpenReplay self-hosted on OVHcloud Montréal — product telemetry (usage events) and session recording for technical support.
  • GlitchTip self-hosted on OVHcloud Montréal — captures errors, exceptions and application logs so we can fix bugs and trace incidents.
  • Pseudonymization: the user identifier transmitted is an opaque hash-derived token; never your email, name, or Supabase ID.
  • Aggressive masking (OpenReplay): form fields are masked automatically; screens containing sensitive information (PAD, attestation, registry, financial statements, insurance proofs, compliance, syndicate members, payments) are fully masked.
  • Minimization (GlitchTip): request bodies (form data, authentication headers, cookies) are automatically dropped before storage. Only the exception trace, URL and technical metadata are kept.
  • IP address: not transmitted to OpenReplay or GlitchTip.
  • Retention: 30 days for all flows — events and session recordings on OpenReplay; application logs and error events on GlitchTip. Resolved GlitchTip issue groups are kept 90 days for regression detection.
  • You can disable OpenReplay session recording at any time via Profile → Session recording for support. GlitchTip remains active independently, being strictly necessary for service quality and configured without direct personal information.
  • Aggregate analytics (Plausible). To measure overall traffic on our public pages (visitors, pages, sources, city and country), we use a self-hosted Plausible installation on the same OVHcloud infrastructure in Montréal. Plausible sets no cookies, stores no persistent identifier, and captures no direct personal information. The IP address is used momentarily to determine the city, then immediately discarded; it is never stored. This measurement runs for all visitors regardless of your banner choice, because no personal information is involved. Retention: 24 months. See §3 of our Privacy Policy for details.
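
The pseudonymization and minimization bullets above, sketched as an added example (not CondoAide's code): a hook in the shape of a Sentry-compatible SDK's `beforeSend`, which is the event format GlitchTip accepts. Assumptions: the token is a keyed HMAC-SHA256, the list of authentication headers, and the hypothetical names `pseudonymize`, `scrubEvent` and `sampleEvent`.

```javascript
const crypto = require('node:crypto');

// Assumption: the "hash-derived token" is a keyed hash (HMAC-SHA256), so it
// cannot be recomputed from a known email or account ID without the secret.
function pseudonymize(userId, secret) {
  return crypto.createHmac('sha256', secret).update(String(userId)).digest('hex');
}

// Headers treated as authentication material (assumed list).
const AUTH_HEADERS = new Set(['authorization', 'proxy-authorization', 'cookie', 'set-cookie']);

// Hypothetical beforeSend-style hook: returns a minimized copy of the event.
function scrubEvent(event, secret) {
  const out = JSON.parse(JSON.stringify(event)); // never mutate the caller's object
  if (out.request) {
    delete out.request.data;    // request body / form data
    delete out.request.cookies; // parsed cookies
    const kept = {};
    for (const [name, value] of Object.entries(out.request.headers || {})) {
      if (!AUTH_HEADERS.has(name.toLowerCase())) kept[name] = value;
    }
    out.request.headers = kept; // only non-authentication headers remain
  }
  if (out.user) {
    // Keep only an opaque token: no email, name, account ID or IP address.
    const id = out.user.id;
    if (id === undefined || id === null) delete out.user;
    else out.user = { id: pseudonymize(id, secret) };
  }
  return out;
}

// Constructed sample event (not real data).
const sampleEvent = {
  exception: { values: [{ type: 'TypeError', value: 'x is undefined' }] },
  request: {
    url: 'https://app.example.test/registry',
    method: 'POST',
    data: { account: 'constructed-value' },
    cookies: { sid: 'constructed' },
    headers: { Authorization: 'Bearer constructed', Cookie: 'sid=constructed', 'User-Agent': 'test-agent' },
  },
  user: { id: 'user-123', email: 'owner@example.test', ip_address: '203.0.113.7' },
};

console.log(JSON.stringify(scrubEvent(sampleEvent, 'constructed-secret'), null, 2));
```

The exception trace and URL pass through unchanged, and the same user always maps to the same token, so errors can still be grouped per user without identifying anyone.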

9. Questions or complaints

For any question about the security or privacy of your data, or to exercise one of your rights under Law 25:

  • Privacy Officer: Nicolae Racovita
  • Email: privacy@condoaide.ca
  • Mailing address: CondoAide, 4143 chemin Ste-Angélique, Saint-Lazare (Quebec) J7T 2N5, Canada
  • You also have the right to file a complaint with Quebec's Commission d'accès à l'information: cai.gouv.qc.ca.