Data-Flow Matrix
Last Updated: May 4, 2026
Purpose
Shows users and regulators exactly where their data goes, per AI provider and third-party service. The public version is user-friendly; the internal version feeds the PIA.
Public Data-Flow Matrix (User-Facing)
| When You... | Data Sent | Where It Goes | Retained By Provider? | Used for Training? |
|---|---|---|---|---|
| Chat with an OpenAI model | Your messages (PII-stripped if Shield enabled) | US and other Azure/OpenAI capacity regions | Up to 30 days (abuse monitoring) | No (API default) |
| Chat with an Anthropic model | Your messages (PII-stripped if Shield enabled) | Azure US East / EU Sweden | Per DPA (safety monitoring) | No (contractual) |
| Chat with a Google model | Your messages (PII-stripped if Shield enabled) | US and other Google facility regions | "Limited period" (safety) | No (paid API) |
| Chat with a private inference model | Your messages | Canada (infrastructure controlled by Rideau AI) | No, never leaves our infrastructure | No (self-hosted, no third party) |
| Chat with a Cohere model | Your messages (PII-stripped if Shield enabled) | US (Cohere SaaS Platform) | Up to 30 days (safety/compliance) | No (opted out) |
| Use web search | Search query + your country (AI-generated; PII-stripped if Shield enabled) | US (Tavily) | Not saved (opt-out enabled) | No |
| Upload a file | Document content for text extraction | Canada (Azure, private endpoint) | No | No |
| Make a payment | Card info (tokenized by Stripe) | US (Stripe) | PCI DSS retention | No |
| Log in via magic link | Your email address | US (Postmark) | 45 days (delivery logs) | No |
What Stays in Canada
- Your encrypted conversations and files (ALE: our cloud infrastructure provider cannot read them and does not have access to the encryption keys)
- Your account information
- Your usage history
What Never Leaves Your Browser
- Your decrypted conversation content (ALE-in-Transit protects against TLS termination)
- Your passwords (we don't use passwords)