Data Handling & Security

How Elevate Compliance protects customer data, what controls are in place today, and what is on the security roadmap.

This document is a working reference draft. External legal, privacy, and security review has been deferred by Elevate while the platform is in founding pilot. The information below is published for transparency and pilot diligence and will be updated as practices, providers, and controls evolve.

1. What Elevate currently does

Elevate Compliance is a software platform for commercial property compliance operations. It helps customers track property records, fire/elevator/HVAC equipment and inspections, vendor assignments, uploaded documents and certificates, greenhouse gas and energy reporting records, gap reports, reminders, and audit-readiness workflows.

The product is designed to organize customer data by organization so each customer can manage its own properties, users, vendors, documents, and compliance workflow records.

2. What Elevate does not claim

Elevate does not currently claim:

  • SOC 2 certification or SOC 2 compliance;
  • Canadian data residency;
  • regulator approval;
  • enterprise-grade compliance status;
  • certification of legal, regulatory, fire, elevator, HVAC, greenhouse gas, energy, building-code, insurance, lender, or operational compliance;
  • that uploaded documents are legally sufficient;
  • that reports or audit packs will be accepted by any regulator, insurer, lender, owner, tenant, or other third party.

Any future claims about certifications, hosting regions, controls, audits, penetration tests, or compliance posture will be verified before publication.

3. Organization-scoped access

Elevate is designed around organization-scoped access. Users see data only for organizations where they are authorized members.

Customer records — properties, equipment, inspections, certificates, vendors, property-vendor assignments, and greenhouse gas reports — are scoped to the customer’s organization. Users cannot access another customer’s records through the application.

4. Authentication

The platform uses Supabase Auth for authentication. Authentication is required before a user can access private application areas, organization data, or private customer documents.

5. Row-level security and tenant isolation

The platform uses Supabase / PostgreSQL row-level security (RLS) for tenant-scoped tables. RLS restricts database access by organization membership and prevents cross-organization access. In addition, server-side routes validate user-supplied IDs and same-property relationships before insert or update. Rejected or superseded documents are not counted as valid proof. Service-role credentials are not exposed to client-side code.

6. Private document storage

Customer documents are stored in private storage. Access to uploaded documents occurs through authenticated workflows and time-limited signed URLs.

Documents may include sensitive property, vendor, inspection, insurance, license, greenhouse gas, or energy reporting information. They are not made public by default.

7. Document confidentiality handling

Elevate personnel and contractors treat customer documents as confidential. Customer documents are accessed only when needed for support, troubleshooting, security, customer-authorized review assistance, migration, or other agreed services.

Customer documents are not manually moved into unapproved tools, personal accounts, unsecured folders, or unmanaged communication channels.

8. Limited internal access

Elevate operates a least-privilege internal access model. Internal access to customer data is limited to personnel or contractors who need access for a legitimate business purpose. Access is granted on approval, removed on offboarding, and covered by confidentiality obligations.

9. AI extraction handling

Elevate Compliance uses OpenAI API services for AI-assisted document date and field extraction. AI-assisted outputs are suggestions and must be reviewed and confirmed by a human before they become saved records.

AI processing is disclosed in the Privacy Policy before customer documents are processed. AI output is not described as compliance certification, regulatory approval, legal advice, engineering advice, or a guarantee.

10. Backups and recovery

Elevate relies on Supabase’s managed backup capabilities for database records and uploaded documents. Backup frequency, retention, and restore behavior follow the Supabase service plan in use. Customers requiring specific backup or recovery commitments should contact info@elevatefacilityservices.ca.

11. Incident response

Elevate maintains a security incident response process for suspected unauthorized access, data exposure, credential compromise, service abuse, or provider incidents. The process covers internal reporting, triage and severity assessment, containment, evidence preservation, customer notification, and post-incident review.

12. Data deletion and export

Customers may request data export or deletion, subject to contract terms, legal retention obligations, backup retention, billing record retention, security logs, and technical limitations. Customers can also delete individual uploaded documents and certificates from inside the application; demo documents are managed by the demo reset flow and cannot be deleted manually.

Account-level export and deletion requests may be sent to info@elevatefacilityservices.ca.

13. Security roadmap

Planned or potential improvements include:

  • audit logs for important user and document actions;
  • stronger role-based access control for organization administrators, property managers, and read-only users;
  • single sign-on later if customer demand justifies it;
  • formal penetration testing later, before larger or higher-risk customer deployments;
  • SOC 2 later only if customer demand and company maturity justify it.

These are not current claims. They will not be represented as implemented until they are built, tested, and approved for external communication.

14. Customer responsibilities

Customers remain responsible for:

  • managing authorized users and removing access when no longer needed;
  • verifying uploaded documents and extracted metadata;
  • maintaining any external records required by law, regulators, insurers, lenders, owners, or internal policy;
  • consulting qualified professionals for legal, regulatory, engineering, fire-safety, elevator, HVAC, greenhouse gas, energy, insurance, lender, or other advice;
  • using strong internal practices for sensitive property and vendor information.

15. Security contact

Security questions or vulnerability reports may be sent to:

Elevate Facility Services Ltd
250-997 Seymour Street
Vancouver, British Columbia V6B 3M1
info@elevatefacilityservices.ca

See also: /subprocessors for a list of third-party providers, /privacy for the Privacy Policy summary, and /legal for the Legal Disclaimer.