Security & privacy, explained

12 min read. Updated June 14, 2026.

Version 1.0. Last reviewed 2026-06-14. Archevi Technologies Inc., Hamilton, Ontario, Canada.

This document explains, in plain language, how Archevi protects your family's documents: where your data lives, how the AI answers questions without seeing your real information, who else ever touches your data, and what we commit to if something goes wrong.

  • Where your data lives: Canada, stored in the Toronto region
  • Encryption: AES-256 at rest, TLS 1.3 in transit
  • Used to train AI on your documents: never

Executive summary

Archevi is a Canadian family-document vault. You upload the documents your family actually uses, like insurance policies, tax records, and medical forms, and ask questions about them in plain English.

What this means for your family

Your documents are stored encrypted on Canadian servers. The AI that answers your questions never sees your real names or personal details. You own your data, and we never sell it or use it to train AI. Every family member gets their own login.

The rest of this document is the detail behind those promises. A non-technical reader can stop here and have the full picture. A reviewer, an insurer, or a careful parent can keep reading.

Where your data lives

Your files, the database that organizes them, and every backup stay on encrypted servers in Canada, in the Toronto region. This is a deliberate choice, not an accident of where a cloud happened to put us.

Stored in Canada

Documents, search data, and backups all stay in the Toronto region.

No US CLOUD Act exposure

A United States subpoena cannot compel data held in Canada. Your records are governed by Canadian law.

PIPEDA-aligned by design

Built against Canada's federal privacy principles from the start, not added afterward.

The only information that ever crosses that Canadian boundary is the short list of services below, and for the AI services that help with search and answers, what crosses is never your real data. It is the stand-ins described next.

How the AI answers without ever seeing your family

A family member types "when does our home insurance expire?" and gets the date back in seconds, with the exact page cited. The AI that helped find that answer never learned your name, your insurer, or your policy number. This section explains how that is possible.

Your documents stay put. Only stand-ins travel.

Your files live encrypted on Canadian servers. They do not get shipped off to an AI company. When a question needs AI to help, Archevi does something different: it finds every personal detail in the text and swaps it for a realistic stand-in before anything leaves our servers. The AI reasons over the stand-ins. We put your real details back into the answer before it reaches your screen. We call this boundary anonymization, because the swap happens at the boundary between our systems and any outside service.

The short version

The AI helps answer your question using fake names that stand in for the real ones. Your actual names, numbers, and documents never leave our Canadian servers.

What the AI actually receives

Here is what happens when you ask a question that mentions real people.

  1. You ask: "What did John Smith say about the Apple stock?"

  2. Archevi finds the personal details. It detects John Smith as a person and Apple as an organization, right here on our servers.

  3. The AI receives stand-ins. The AI sees "What did Alex Johnson say about TechCorp Alpha stock?" It answers using those stand-ins. It never knew the real names.

  4. You see the real answer. We swap the real names back in before you read it: "John Smith mentioned a positive outlook on Apple."

The AI did its job without ever knowing who or what you were asking about.

Two kinds of sensitive information, two defences

Not everything should be handled the same way. Some details can be swapped for a stand-in so the AI can still reason about them. Others are too sensitive to send anywhere, even disguised.

These are swapped for realistic fakes so the AI can still understand the question:

  • Names (John Smith becomes Alex Johnson)
  • Email addresses
  • Phone numbers
  • Locations
  • Organizations

Built on a recognised standard

The detection is powered by Microsoft Presidio, a widely used open-source tool for finding personal information in text, with a fast pattern check running alongside it to catch the highest-risk identifiers instantly. We did not invent our own secret method. We built on an open-source tool that the wider security community can inspect.

Your documents never train anyone's AI

Never trained on. Two reasons it holds.

The AI services we use are contractually committed not to train on customer data. We go one step further: they only ever receive stand-ins. So even in a worst case where a promise was broken, there would be nothing identifiable to train on.

Honest about the limits

Automated detection is very good, and it keeps getting better. It is not flawless, and we will not pretend otherwise. That is exactly why the most sensitive identifiers, like Social Insurance Numbers and credit card numbers, are blocked outright rather than swapped. We do not want your most critical numbers to depend on a stand-in being convincing. They simply never leave.

Every conversation is sealed off

Each conversation keeps its own private mapping between your real details and the stand-ins that represent them. That mapping is never shared between conversations, and never between families. When you close a conversation, the link between the stand-ins and your real data does not follow you anywhere.
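The boundary anonymization flow described above (detect, block the unswappable, swap, let the AI answer, swap back), as an added worked example that is not Archevi's code. It uses a small constructed lookup list in place of Microsoft Presidio, a Luhn-checked pattern check for SINs and card numbers, and one mapping object per conversation so that stand-ins from one conversation mean nothing in another; the names, functions and stand-in pool are all assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

# Toy detector standing in for Microsoft Presidio (assumption; constructed lists so it runs offline).
KNOWN_ENTITIES = {"PERSON": ["John Smith"], "ORG": ["Apple"]}
# Realistic stand-ins, issued in order, once per real value, per conversation.
STAND_INS = {"PERSON": ["Alex Johnson", "Sam Lee"], "ORG": ["TechCorp Alpha", "TechCorp Beta"]}
# Fast pattern check for the highest-risk identifiers (Canadian SIN, payment card): blocked, never swapped.
BLOCKED_PATTERNS = {
    "SIN": re.compile(r"\b\d{3}[- ]?\d{3}[- ]?\d{3}\b"),
    "CARD": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}

def luhn_ok(number: str) -> bool:
    """Luhn checksum shared by SINs and card numbers; screens out ordinary numbers."""
    d = [int(c) for c in reversed(re.sub(r"\D", "", number))]
    return (sum(d[::2]) + sum(x * 2 - 9 if x > 4 else x * 2 for x in d[1::2])) % 10 == 0

class BlockedIdentifierError(ValueError):
    """Raised so the request stops on our side instead of reaching the AI."""

@dataclass
class ConversationMapping:
    """Per-conversation real<->stand-in table, discarded with the conversation."""
    real_to_fake: dict = field(default_factory=dict)
    fake_to_real: dict = field(default_factory=dict)

    def stand_in_for(self, real: str, kind: str) -> str:
        if real not in self.real_to_fake:
            used = sum(1 for f in self.fake_to_real if f in STAND_INS[kind])
            fake = STAND_INS[kind][used]  # next unused stand-in of this kind
            self.real_to_fake[real], self.fake_to_real[fake] = fake, real
        return self.real_to_fake[real]

def anonymize(text: str, mapping: ConversationMapping) -> str:
    """Steps 2 and 3 of the walkthrough: detect, block the unswappable, swap the rest."""
    for kind, pattern in BLOCKED_PATTERNS.items():
        for match in pattern.finditer(text):
            if luhn_ok(match.group()):
                raise BlockedIdentifierError(f"{kind} found; request not sent to the AI")
    for kind, names in KNOWN_ENTITIES.items():
        for real in names:
            text = text.replace(real, mapping.stand_in_for(real, kind))
    return text

def deanonymize(answer: str, mapping: ConversationMapping) -> str:
    """Step 4: put the real details back before the answer reaches the screen."""
    for fake, real in mapping.fake_to_real.items():
        answer = answer.replace(fake, real)
    return answer
```

The plain substring replacement is the toy part; a production detector also has to handle overlapping spans, case, and entities it has never seen before.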

Who else touches your data

Archevi runs on as few outside services as possible, and the ones we use see as little as possible. Your documents, your database, and your backups all live in Canada. The table below is the complete list of outside companies that ever process any part of your information, what they do, and exactly what they receive.

Service | What it does for you | What it receives | Trains on your data?
--- | --- | --- | ---
DigitalOcean | Hosts the app and stores your files | Your documents and account data, encrypted at rest, in their Toronto region | No
Cohere (a Canadian company) | Finds the right documents when you search or ask | Anonymized stand-ins only, never your real names or details | No. SOC 2 Type II audited
Groq | Writes the answer to your question | Anonymized stand-ins only, never your real names or details | No, and nothing is kept after the answer is generated
Stripe | Handles payments and subscriptions | Your name, email, and billing details. Full card numbers go straight to Stripe and never reach us | No. PCI-DSS Level 1
Resend | Sends account, security, and notification email | Your email address and the contents of that message | No
Cloudflare | Blocks bots, routes our domain, and forwards mail to your vault | Connection-level data, plus any message and attachments you forward to your vault address | No

What we run ourselves, so no outside company sees it

Several jobs that many companies hand to third parties, we run on our own Canadian servers instead:

  • Removing personal details before AI, built on Microsoft Presidio
  • Scanning every upload for malware
  • Product analytics, self-hosted and privacy-friendly
  • Support tickets, on our own help desk

And one job happens entirely on your own device. Reading answers aloud uses your browser's built-in voice. The text is spoken right on your phone or computer. It is never sent to us or to any outside service.

When this list changes

We update this page before we add a new service that would handle your data.

Encryption and access

Protection runs from the moment you log in to the moment your file is stored.

Encryption everywhere

AES-256 on data at rest. TLS 1.3 on data in transit. No unencrypted data at any layer.

Passwordless sign-in

Support for passkeys (WebAuthn), which are resistant to phishing by design, plus two-factor authentication with backup codes.

Family isolation

Each family operates in its own separate partition, enforced at the database layer. There is no path for one family to reach another's data.

A few more controls that matter:

  • Refresh tokens are single-use and rotate on every request, so a stolen token expires immediately
  • You can review and instantly revoke any device that has access
  • Access within a family is role-based, so adults, teens, and children each see what is right for them
  • No person reads your document contents. Processing for search and indexing is automated, and internal access is limited to what is needed to keep the service running

Keeping the platform safe

Every file is checked automatically before it enters your vault. These checks are automated and do not involve a person reading your documents.

Malware scanning

Every upload is scanned by ClamAV before processing. Infected files are quarantined and never reach your vault or the AI.

Protecting children

Each file's digital fingerprint is checked against databases maintained by child-protection organizations. We share fingerprints, never your file contents, and act on confirmed matches as the law requires.

Hourly backups

Your data is backed up hourly to encrypted storage, with the same encryption as your primary data.

How long we keep things

Your data follows a clear path from upload to deletion. We keep as little as we need, for as long as we need it.

  1. While your account is active. Your documents and their extracted details stay available to you and the family members you have shared with.

  2. Backups. Encrypted backups are taken hourly and kept for a rolling 30-day window, so we can recover from an incident without holding your data indefinitely.

  3. When you delete your account. Your documents, conversation history, and the stand-in mappings are permanently removed. We keep only anonymized billing records, and only where the law requires.

We also keep operational logs to run the service safely and to investigate problems. They are kept for a limited period, rotated automatically, and are not used to build a profile of you.

What we defend against

Being honest about security means being clear about what is in scope and what is not. No system protects against everything, and we will not imply otherwise.

We defend against

  • One family reaching another family's data
  • Your real information being exposed to an AI provider
  • Malicious files entering your vault
  • Someone taking over your account

Outside our control

  • A device of yours that is already compromised
  • You choosing to share your own password or invite link
  • The security of a third party you forward documents from

If something goes wrong

Reporting a security issue

If you are a security researcher and you find a vulnerability, we want to hear from you.

Standards and compliance

We are honest about where we stand. Archevi is built against PIPEDA and GDPR data-protection principles: consent, purpose limitation, safeguards, access, and accountability.

We are a Canadian product built for families, and we self-attest to these practices rather than carrying a formal enterprise audit today. We think that is the right call for a consumer product at our stage, and we would pursue a formal audit such as SOC 2 if we began serving business partners who need it. Where it helps, we inherit controls from our providers. For example, Cohere, which powers our search, is SOC 2 Type II audited.
