Trust hub

Compliance by design. Verifiable. Auditable.

tonia is the gated, audited, redacting router for every AI request. Two profiles — Sovereign and Frontier. Everything we claim is documented here.

1 · Bill 25

How tonia meets each obligation.

Canada's Bill 25 (formerly Bill 64) modernised the private-sector Act respecting the protection of personal information. The obligations applicable to tonia are:

Bill 25 obligations and tonia posture

Obligation                            Article     tonia posture
Privacy Officer designated            art. 3.1    Yes — contact published in the privacy policy
Incident register                     art. 3.8    Maintained since incorporation, CAI-ready format
PIA before any cross-border transfer  art. 17     3-page template provided to Hybrid clients
Granular consent                      art. 12     Granular in the admin console and in the cookie banner
Right to data portability             art. 27     Structured JSON / CSV export from the admin console
Automated right to be forgotten       art. 28.1   Automatic cessation of processing once the stated purpose expires

PIA template

Sovereign: one-page PIA — no sensitive data leaves Canada. Hybrid: three-page PIA, signed once by your Privacy Officer.

Sanctions

For an organisation that contravenes Bill 25:

  • Penal sanctions (art. 90.12): up to 25 M CAD or 4 % of worldwide turnover, whichever is greater.
  • Administrative sanctions (art. 90.1): from 10 M CAD or 2 % of worldwide turnover.
  • Civil sanctions: statutory damages of at least 1,000 CAD per affected person, without proof of harm (art. 93.1).

2 · CLOUD Act

Why Canadian residency isn't enough.

The US Clarifying Lawful Overseas Use of Data Act (2018) — the CLOUD Act — compels any company subject to US law to produce data — regardless of where that data is physically stored.

"Azure OpenAI Canada Central" — the illusion

Microsoft servers in Toronto store your data in Canada. Microsoft Corp. (Washington) remains subject to the CLOUD Act. A US subpoena served on Microsoft Corp. compels disclosure of the data — including the bytes physically in Toronto. If the subpoena carries a gag order, Microsoft cannot even tell you.

Vendors subject to the CLOUD Act:

  • OpenAI (Delaware)
  • Anthropic (Delaware)
  • Google / Gemini (Delaware)
  • Microsoft / Azure / Copilot (Washington) — including the Canada Central region
  • AWS / Bedrock (Delaware)

Vendors out of CLOUD Act reach:

  • tonia Local — physical on-site tonia in Canada, no US entity in the data path
  • Mistral (France) — subject to GDPR but out of CLOUD Act reach
  • Cohere (Toronto) — Canadian entity, out of CLOUD Act reach for Canada-hosted inference

3 · Bill 96

French and English.

tonia is bilingual — French and English. All documentation, the admin console, and the user interface are available in both languages. For Québec clients, the French version governs in case of divergence. Contracts with Canadian clients are signed in French, with an English translation provided.

4 · PIPEDA

Canadian federal privacy law.

For clients in Canada outside Québec, tonia complies with the Personal Information Protection and Electronic Documents Act (PIPEDA). Because tonia is already Bill 25 compliant, it already meets and exceeds the federal bar.

5 · Certifications

SOC 2 Type II and ISO 27001 timeline.

Status as of 2026:

  • SOC 2 Type II: in progress, audit scheduled Q3 2026.
  • ISO 27001:2022: in progress, audit scheduled Q4 2026.
  • Bill 25 compliance: by design (see section 1). External validation by a Canadian firm in progress.