Enterprise-Grade Security by Design
Every architectural decision we make is driven by one principle: your data belongs to you, and only you.
Data Architecture
Tier 1 — Managed Cloud
Your documents are ingested into a dedicated, isolated Google Cloud project managed by Utmost AI. Document content is vectorized and stored in a private Vertex AI Vector Search index. Raw document files are deleted from our processing pipeline immediately after embedding generation. Your index is logically isolated — no data is co-mingled with other clients. Our team has access only to index metadata (query counts, document counts) and system logs. We cannot read your document content.
Tier 2 — Enterprise Zero-Trust (BYOC)
The entire system is deployed inside your own Google Cloud account. You own the GCP project, the billing account, and all resources. Our engineers are granted temporary IAM roles during the build phase only. Upon delivery and your sign-off, you revoke all Utmost AI IAM access. From that point, we have zero operational access to your infrastructure — contractually and technically.
Canadian Data Residency
All infrastructure in Canada
Every component of your system — Vector Search indexes, Cloud Run services, Cloud Storage buckets, and Dialogflow CX agents — is provisioned exclusively in Canadian GCP regions. Tier 1 deployments use northamerica-northeast1 (Montréal). Tier 2 deployments can use northamerica-northeast1 (Montréal), northamerica-northeast2 (Toronto), or both for redundancy, per your preference.
Government of Canada Trust Level
Google Cloud's Canadian regions are the same infrastructure trusted by federal and provincial government agencies across Canada. The platform carries FedRAMP certification (US equivalent) and meets Government of Canada Protected B workload requirements.
No Public Model Training
Your data never touches a training pipeline
Google Cloud Vertex AI is an enterprise API service. Unlike consumer-facing AI tools, Vertex AI does not use customer data to train or improve its foundation models. This is a contractual guarantee in Google's enterprise terms of service. Your proprietary documents — product manuals, lease agreements, internal knowledge bases — are never submitted to any public model training data pipeline, either by Google or by Utmost AI.
CMEK — Customer-Managed Encryption Keys
Available on Tier 2 (Enterprise)
Customer-Managed Encryption Keys (CMEK) allow your organization to hold master control over the encryption of all data at rest. With CMEK, your own Cloud KMS key ring encrypts all Vertex AI indexes, Cloud Storage buckets, and Cloud SQL instances. If you revoke the key, all data is cryptographically inaccessible — by anyone, including Google. This is the highest level of data sovereignty available on any public cloud.
Zero-Touch Post-Deployment
Complete IAM access revocation
For Tier 2 clients, our standard engagement explicitly documents the IAM revocation step as a formal project milestone. After your system is live and you have been trained on the admin console, you revoke our service account access. We provide a documented runbook for ongoing system administration. From that point forward, we are a retained consulting firm — not an operator of your infrastructure.
PIPEDA Compliance
Canadian federal privacy law
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal private-sector privacy law. Our data processing agreement (DPA) explicitly covers how we collect, process, and protect any personal information that may appear in your documents. Key provisions: data minimization (we collect only what's needed to build your index), explicit consent documentation, breach notification procedures (72-hour reporting), and cross-border transfer restrictions (all data stays in Canada).
Questions about compliance for your specific industry?
Our engineering team is happy to walk you through exactly how your data would be handled.