Compliance, data and responsible AI

ProductivIA is designed to give access to generative AI without giving up data governance. This page explains, first in plain language and then in more detail, how the platform frames hosting, external providers, data, client applications, the OS, security and responsible use.

Compliance checklist

A quick view for executives, IT teams, teachers, businesses and the public.

Data under control

Storage by silo, data visible in Cloud, open formats, possible deletion and separation between personal, organizational and application data.

Canada hosting

Infrastructure in Canada, with more restrictive deployment options for organizations that require a local, institutional or on-site perimeter.

Sovereign AI first

Matania and local models handle common uses. External providers are mobilized only when the task requires it and when the administrator authorizes them.

Governance by silo

Each organization has its own rules, users, roles, credits, authorized models, active apps and security settings.

Traceability

Logins, administrative actions, AI usage, consumption and errors are logged according to context, so audits and continuous improvement remain possible.

Accessibility

The platform targets WCAG 2.2 level AA and SGQRI 008 3.0 for applicable public or institutional content and interfaces.

Education

Guided tools, educational context, usage traces, model control and support for teachers rather than replacement of human judgment.

Businesses

Access control, separation of spaces, credit-based billing, content confidentiality and data exportability.

Public users

Plain-language commitments: no behavioural advertising, no resale of data, user control and possible deletion.

Compliance position

ProductivIA offers concrete sovereignty: dedicated architecture, administrable settings, audit logs and deployment choices.

AI platform compliance is not only about where servers are located. It rests on several layers: applicable laws, each organization's internal rules, the nature of the data, the providers requested, infrastructure security, permissions, retention, auditability and the way users are guided.

ProductivIA takes a pragmatic approach: clearly explain what is already in place, what depends on the selected configuration, what must be validated in a client context, and what is part of an ongoing process. This page does not replace a legal opinion, a privacy impact assessment or an external audit, but it provides a serious due diligence basis for institutions, businesses, the education sector and individuals.

Reference frameworks used

The rules followed come first from Quebec and Canada, with international alignment when relevant.

Personal information protection

ProductivIA aligns with Quebec Law 25, the Act respecting access to documents held by public bodies and the protection of personal information for public bodies, PIPEDA for Canadian private-sector uses when applicable, and the main GDPR principles for international contexts: purpose, minimization, consent, transparency, security, access, rectification, deletion and portability.

AI in public bodies

For Quebec institutions, ProductivIA takes into account the requirements for information resources regarding the use of artificial intelligence by public bodies, Order 2024-01, the statement of principles for responsible AI use by public bodies, Order 2024-02, and the guide to best practices for using generative AI published by the MCN in October 2024.

Information security

The platform relies on recognized cybersecurity principles: access control, encryption in transit, logging, segmentation, backups, monitoring, incident management, privilege separation and attack surface reduction.

Digital accessibility

The target reference is WCAG 2.2 level AA, especially in the SGQRI 008 3.0 context for Quebec public bodies. The goal is for interfaces to remain keyboard-usable, readable, structured, compatible with screen readers and understandable.

Platform and architecture

An application OS in the browser, structured by silos.

ProductivIA works like a complete working environment: desktop, windows, taskbar, notifications, files, apps and shared services. This architecture centralizes security and governance rules at the system level instead of leaving each application to manage its own practices alone.

Each organization can have a distinct silo. A silo contains its users, sessions, contacts, application data, settings, authorized apps, keys, rules and permissions. The separation is physical in how data is organized, not only logical in a shared database.

Extractable data

Data is stored in simple, readable formats, including JSON and SQLite depending on context. The goal is to avoid proprietary lock-in.

Transparent Cloud

The Cloud app makes files and data generated by apps visible when their nature allows it. No hidden storage is a design principle.

Event bus

Apps communicate through the OS, which makes it possible to control exchanges, limit permissions and log relevant actions.

Data and personal information

The rule: collect as little as possible, use only for the requested service, keep it traceable and deletable.

ProductivIA distinguishes several data categories: user account, settings, entered content, imported files, generated documents, conversation history, AI consumption, technical logs, administrative data and app-specific data. These data categories do not all have the same sensitivity or retention period.

Minimization

The platform avoids asking for information that is not necessary for the service to work. Apps are designed to operate with only the context that is strictly useful.

Limited retention

Retention policies can vary by client type and contract. The operational goal is to delete or archive what is no longer required.

Individual rights

The platform is designed to facilitate access, rectification, deletion and export of data when these rights apply.

Privacy incidents

An organization must be able to record, analyze and handle incidents. ProductivIA provides a technical logging and alerting foundation that supports this obligation.

External AI providers

ProductivIA is multi-model, but not without governance.

The platform can mobilize several model families: sovereign models, local models, models hosted in Canada when available, and specialized external providers for certain tasks. This capability is useful for quality, cost, resilience and performance, but it must be governed.

By default, the intended approach is simple: use internal or sovereign capabilities first for common tasks, then route to an external provider only if the task justifies it, if the context is appropriate and if the organization's rules allow it. When an external provider is used, ProductivIA requires a clear contractual commitment: no retention of transmitted content beyond processing the request, no model training on that data and no reuse for other purposes.

No retention

Our external providers contractually commit not to store transmitted content, not to use it to train their models and not to reuse it beyond processing the request.

Controlled activation

Administrators can authorize, disable or prioritize certain providers and models according to their internal policies.

Sensitive data

Organizations can define stricter rules for sensitive content: restriction to certain models, blocking, anonymization or local routing.

Usage transparency

AI consumption, the model used and costs can be tracked to support audit, budget control and rule improvement.

An important clarification: ProductivIA does not claim that every request always remains in the same place in every mode. If an organization activates an external provider, the request needed for processing may be transmitted to that provider according to the selected settings and applicable terms. In return, the no-retention commitment is contractually documented, audited and renewable. Compliance therefore rests on a combination of configuration, data qualification, consent when required, contractual framing and logging.

Client applications and Fabrique

Apps created by users must remain under governance.

Fabrique makes it possible to generate applications from a natural-language description. This power requires a clear rule: a generated application should not automatically become an official tool for an entire organization without validation. ProductivIA therefore provides a controlled lifecycle.

Describe

An authorized user describes the desired app, its purpose, required data and applicable rules.

Build

Fabrique generates the application, its structure, interface and access to platform services.

Document

The app can include documentation, a functional preview and a description of the data used.

Validate

An administrator checks permissions, data, risks, accessibility, security and business relevance.

Monitor

After publication, the app remains observable: errors, usage, AI consumption, stability and unexpected behaviours.

For educational institutions, this cycle helps distinguish pedagogical experimentation, classroom tools, administrative tools and institutional tools. For businesses, it limits the spread of uncontrolled small apps. For institutions, it supports accountability.

OS, workstations and deployments

Three levels of sovereignty make it possible to adapt compliance to the real risk.

ProductivIA can be used in a modern browser, in a dedicated server environment, or in a more sovereign chain that includes Boréal OS. The required level depends on the type of data, legal framework, user profile and organizational requirements.

Browser access

The simplest mode: no installation, fast access, centralized updates, compatible with existing workstations.

Dedicated or on-site server

For organizations that want a more controlled perimeter, data and services can be isolated in dedicated or local infrastructure.

Boréal OS

For the most sovereign uses, Boréal OS targets a complete chain: client workstation, server, local AI when possible and reduced proprietary dependencies.

Choosing a mode is not ideological. It should follow risk: public or common educational data, internal business data, personal information, sensitive data, strategic information, institutional records or content subject to specific rules.

Security, auditability and administration

Compliance must be provable.

ProductivIA emphasizes logging, permissions and observability. Administrators must be able to understand who accesses what, which models are used, which apps are active, which costs are incurred and which incidents or errors must be handled.

Access controls

Account-based access, roles, permissions by app, silo administration, restriction of certain features and possible integration with institutional identities depending on the project.

Encryption and transport

Public application exchanges use HTTPS/TLS. Encryption-at-rest and secret management requirements are evaluated according to the hosting mode and client context.

Monitoring

Application logs, PHP and JavaScript errors, incomplete tasks, AI provider availability, costs and critical events can be tracked in administration interfaces.

Audit

Organizations can request logs, usage reports, processing registers, configuration evidence and flow descriptions for their internal reviews.

Education, businesses, institutions, public users

The same foundation, different rules depending on usage.

Education

Educational uses require balance: support learning without replacing effort, protect students, guide teachers, document usage rules, avoid unnecessary collection and allow institutions to frame authorized models.

Businesses

Businesses mainly seek confidentiality, productivity, access control, cost control, absence of proprietary lock-in and the ability to create business apps without losing governance.

Institutions

Institutions must document AI projects, qualify data, respect information resource policies, take MCN requirements into account, support privacy impact assessments and ensure decision traceability.

Public users

Individuals need a simple promise: understand what is collected, be able to delete their content, avoid behavioural advertising, know when an external provider is used and keep control.

Responsible AI and limits

The human remains responsible for the final decision.

Generative AI models can produce errors, omissions, approximations, bias or plausible but false content. ProductivIA is therefore designed as an assisted production environment, not as an automatic authority.

The recommended rules are:

  • Do not entrust AI alone with a decision that has a significant effect on a person.
  • Validate sensitive legal, medical, financial, educational or administrative content.
  • Avoid entering personal or confidential information into an unauthorized external provider.
  • Document institutional AI uses and expected benefits.
  • Assign a human owner to each automated process.
  • Use sources, templates and internal rules when precision is critical.

Compliance roadmap

Compliance is an ongoing process, not a box checked once and for all.

ProductivIA's operational priorities are:

  • Maintain a register of processing activities and data categories for institutional and corporate offers.
  • Formalize retention periods by data type and client type.
  • Produce privacy impact assessment and documentation templates for public or educational projects.
  • Document flows to external providers, with restriction options by silo.
  • Strengthen sensitive data controls before sending content to an external model.
  • Continue accessibility audits and target WCAG 2.2 AA for applicable interfaces.
  • Consolidate audit logs, administrator reports and incident procedures.
  • Prepare the evidence required for certification or external audit processes when the client context requires it.
© ProductivIA 2026
info@productivia.ca - 581-504-0294
296, rue Saint-Pierre - Matane, QC G4W 2B9