01
Data residency — default Canadian
Customer data (personas, transcripts, verdicts, CPD certificates) lives in ca-central-1. LLM inference defaults to Canadian-region models. Cross-region use requires explicit per-firm opt-in with audit trail.
RCICs carry CICC obligations on client data long after the file closes. DOSSIAR is engineered so your practice-ground never becomes a compliance problem.
CICC-aware
Built against CICC practice rules
PIPEDA-compliant
Consent, access, retention
ca-central-1
Canadian data residency · default
SOC 2 · in progress
Type I scheduled Q3 2026
02
TLS 1.3 in flight. AES-256 at rest for Postgres, object storage, and backups. Per-tenant encryption keys wrapped by a regional KMS. Secrets rotate on 90-day cadence.
03
Every table with firm-scoped data carries a firm_id. Postgres Row-Level Security policies check auth.jwt() -> 'firm_id' on every query. We test cross-tenant denial on every deploy across API, tRPC, search, and audit log.
04
Every verdict, every transcript, every CPD entry is written to an append-only audit log partitioned by month. UPDATE and DELETE are denied at the database level. 7+10 year retention (matches CICC minimum).
05
Roles: owner, senior RCIC, junior RCIC, admin, read-only observer. Each has explicit scope over scenarios, CPD, billing, and member management. Scope changes are audit-logged.
06
DOSSIAR personas are AI-generated. You cannot paste a real client into the simulator. Our Terms forbid it; uploads are scanned for real-PII signals (UCI, IMM-#### form numbers, passport MRZ) and refused with a warning.
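Item 03 describes firm_id row-level security plus a per-deploy cross-tenant denial test. The following is an added illustration of that pattern in plain Postgres, not DOSSIAR's own code. The `transcripts` table, `app_user` role, `firm_isolation` policy, the sample UUIDs and the stand-in `auth.jwt()` (which reads a `request.jwt.claims` setting) are assumptions; run it as a superuser in a scratch database.

```sql
BEGIN;  -- everything below is rolled back at the end

-- Hypothetical stand-in for the platform's auth.jwt(): request claims as jsonb.
CREATE SCHEMA IF NOT EXISTS auth;
CREATE OR REPLACE FUNCTION auth.jwt() RETURNS jsonb LANGUAGE sql STABLE AS
$$ SELECT coalesce(nullif(current_setting('request.jwt.claims', true), ''), '{}')::jsonb $$;

CREATE TABLE transcripts (firm_id uuid NOT NULL, body text NOT NULL);

-- Constructed sample rows for two firms, loaded before RLS is switched on.
INSERT INTO transcripts VALUES
  ('11111111-1111-1111-1111-111111111111', 'firm A transcript'),
  ('22222222-2222-2222-2222-222222222222', 'firm B transcript');

ALTER TABLE transcripts ENABLE ROW LEVEL SECURITY;
-- Without FORCE, the table owner silently bypasses every policy.
ALTER TABLE transcripts FORCE ROW LEVEL SECURITY;

-- ->> returns text, so the claim is cast to uuid. A missing claim yields NULL,
-- which matches no row (fail closed). WITH CHECK covers writes, USING covers reads.
CREATE POLICY firm_isolation ON transcripts
  USING      (firm_id = (auth.jwt() ->> 'firm_id')::uuid)
  WITH CHECK (firm_id = (auth.jwt() ->> 'firm_id')::uuid);

-- Unprivileged application role: no superuser, no BYPASSRLS, not the owner.
CREATE ROLE app_user NOLOGIN;
GRANT USAGE ON SCHEMA auth TO app_user;
GRANT SELECT, INSERT ON transcripts TO app_user;
SET LOCAL ROLE app_user;
SELECT set_config('request.jwt.claims',
                  '{"firm_id":"11111111-1111-1111-1111-111111111111"}', true);

-- Cross-tenant denial test: firm A must see only its row and must not be able
-- to write a row stamped with firm B's id.
DO $$
DECLARE visible int; leaked int;
BEGIN
  SELECT count(*) INTO visible FROM transcripts;
  SELECT count(*) INTO leaked FROM transcripts
   WHERE firm_id = '22222222-2222-2222-2222-222222222222';
  IF visible <> 1 OR leaked <> 0 THEN
    RAISE EXCEPTION 'cross-tenant read leak: visible=%, leaked=%', visible, leaked;
  END IF;
  BEGIN
    INSERT INTO transcripts VALUES ('22222222-2222-2222-2222-222222222222', 'forged');
    RAISE EXCEPTION 'cross-tenant write was accepted';
  EXCEPTION WHEN insufficient_privilege THEN NULL;  -- SQLSTATE 42501 from WITH CHECK
  END;
END $$;

ROLLBACK;
```

The script finishes silently when isolation holds and aborts with an exception when it does not, so it can gate a deploy. Superusers and roles with BYPASSRLS skip policies entirely, which is why the test runs under the application role.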
We share under NDA for firm + institutional prospects in active evaluation.
Privacy Impact Assessment (PIA)
PIPEDA scoping; updated quarterly
Data Processing Agreement template
DPA for firm + school contracts
RLS + tenancy test suite report
Per-deploy cross-tenant denial attestation
Incident response policy
P1/P2/P3 runbook with SLAs
Sub-processor list
LLM providers, hosting, analytics
Report a vulnerability
We triage in 48 hours. Email security@dossiar.com with a concise report and PoC. We coordinate disclosure and credit every confirmed reporter. See our privacy policy for the full data-handling picture.
Cohort #1 is onboarding now. 50 seats. 14-day free trial for every invite. No credit card upfront.