Looking for the mechanics — flow diagrams, encryption, retention jobs?
This page covers standards. The companion page covers how data actually moves: call flow, encryption details, retention jobs, deletion scripts, sub-processors.
The honest version. A clear breakdown of what iHospitality Inc. directly complies with, what we inherit from infrastructure providers, and — maybe most importantly — what we do not claim. No green-check walls. If a regulation isn't on the list, we don't pretend we meet it.
Canadian private-sector laws that apply to iHospitality Inc. as a collector and processor of personal information. We are directly regulated by these and speak to compliance on our own behalf.
| Standard | Scope | How we meet it |
|---|---|---|
| PIPEDA | Federal Canadian privacy law — all personal information we collect | Principle-by-principle mapping in our Privacy Policy §12; verified-intake access/correction/deletion/withdrawal via the privacy request form; 30-day response SLA |
| PIPEDA BSBS Regulations | Breach of Security Safeguards — notification duties | Internal breach log; OPC-reporting process documented in Privacy Policy §13 |
| Quebec Law 25 | Act respecting the protection of personal information in the private sector — Quebec residents | Bilingual (EN/FR) consent at start of call; designated Privacy Officer; heightened consent for minors under 14; 30-day SLA |
| CASL | Canada's Anti-Spam Legislation — outbound commercial electronic messages | Consent capture on voice + chat + form; STOP handler on every outbound SMS; per-call consent text versioned on the call record |
What we run on our own infrastructure. One-line summary; the Data Handling Guide covers implementation detail.
We don't hold these certifications ourselves — our processors do, for the parts of the stack they operate. Marketing should read "built on SOC 2 Type II infrastructure," not "SOC 2 certified."
| Provider | Role | Their certification |
|---|---|---|
| Twilio | Call routing & telephony | SOC 2 Type II · ISO 27001 · Canadian PoPs |
| Airtable | Business data storage | SOC 2 Type II · AES-256 at rest |
| Stripe | Payments & subscriptions | PCI-DSS Level 1 |
| Hostinger | VPS hosting & transactional email | ISO 27001 |
| Anthropic | Claude AI model | Zero-retention API · no training on inputs |
If a standard is on this list, don't take our word that we meet it — we haven't done the work. If you need it for a contract, ask.
| Standard | Status | Why not |
|---|---|---|
| SOC 2 Type II ✗ (our own audit) | Not held | Our infrastructure partners hold SOC 2 Type II. We don't have an independent audit of iHospitality Inc.'s own controls. Useful at enterprise scale; uneconomic at SMB. |
| ISO 27001 ✗ (our own) | Not held | Same reasoning — Hostinger's hosting is ISO 27001; our own operations are not independently certified. |
| HIPAA ✗ | Not applicable | HIPAA is U.S. law. We serve Canadian businesses under PIPEDA and Quebec Law 25. We do not accept U.S. PHI and do not market as HIPAA-compliant. |
| PHIPA — (supportive, not regulated) | Shared responsibility | Ontario's PHIPA regulates health information custodians (clinics, physicians, labs). A clinic using us is the custodian; we act as their agent. Our PIPEDA-grade controls support a custodian's PHIPA program. |
| GDPR ✗ | Not targeting EU | We don't market to EU residents. EU-based sign-ups may have their service limited — contact us via the privacy request form. |
| CCPA / CPRA ✗ | Not serving California consumers | We target Canadian businesses and their Canadian customers. California consumer-rights requests are not supported. |
Why spell out what we don't have?
A "green-check wall" of acronyms often conceals more than it reveals. If a claim is material to your buying decision — e.g., you need SOC 2 to ship us through vendor review — we'd rather you know now than discover the gap in procurement. For specific compliance needs or enterprise assessments, submit a question via the privacy request form.
Compliance claims drift over time. Our cadence: