Platform notice: TASC (The Autonomous Safety Company) operates under Polsia's terms and conditions and uses Polsia's infrastructure and systems for application hosting, data storage, and operational services. By using TASC, you also agree to Polsia's applicable platform terms.

Transparency

Data & Privacy

How TASC stores, protects, and handles your data. We believe in full transparency — no jargon, no surprises.

Last updated: March 2026

Where your data lives

TASC uses best-in-class infrastructure providers. Here is a full breakdown of every layer and where data is physically stored:

Layer	Provider	Region	What it stores
Primary Database	Neon (PostgreSQL)	US (AWS us-east)	All employer and worker data, assessment results, survey responses, site configurations
Application Hosting	Render	US (Oregon)	Application code and runtime — no persistent data stored here
File Storage	Cloudflare R2	US	Uploaded media and documents (QR code assets, exported reports)
Email Delivery	Postmark	US	Transactional emails (login links, notifications) — no email content persisted

Storage Roadmap

All production data is currently stored in US-based infrastructure. We are actively planning Canadian and UK data residency options for regulated industries in those jurisdictions. If regional storage is a hard requirement for your organization, please contact us before onboarding.

Encryption

All data is encrypted at every stage — in transit and at rest:

In transit: All communication between your browser, the TASC app, and our servers is encrypted using TLS 1.2+ (HTTPS everywhere, enforced by Render).
At rest: Neon PostgreSQL encrypts all data at rest using AES-256. Cloudflare R2 applies AES-256 encryption to all stored objects.
Sensitive tokens: OAuth tokens and integration credentials are encrypted with AES-256-GCM at the application layer before being stored in the database — encrypted twice total.
Passwords: TASC uses passwordless authentication (magic links). No passwords are ever stored or transmitted.

Anonymous worker data

✓ Workers are never identified

Workers who complete assessments or surveys via QR code are fully anonymous by default. No name, email, device ID, or IP address is stored against their result. Employers see only aggregate scores and trends — never individual worker data.

When a worker opts into Account Mode (optional), they create a voluntary account linked to their own device. Even then, employers cannot access raw individual results — only aggregate readiness trends for their site and shift.

Employer and team member data

For employer accounts and team members (supervisors, admins, HSE professionals), TASC stores:

Name and email address (for login and account management)
Role and site assignments
Actions, observations, and audit records created by that user
Session activity logs (for security auditing)

This data is stored in your organization's tenant partition in our database. It is isolated from other organizations and never shared with third parties for commercial purposes.

Privacy-by-design principles

Data minimization: We only collect data that is necessary to deliver the TASC service. No tracking pixels, no behavioral profiling, no ad networks.
Anonymization by default: Worker assessments and surveys are anonymous unless the worker explicitly creates an account.
No raw individual data to employers: Employers never see individual worker results — only aggregates that meet a minimum response threshold (10+ responses before scores are shown).
No data selling: We do not sell, rent, or trade your data with third parties — ever.
Retention controls: Organizations can request full data deletion at any time by contacting support.
Separation of duties: Application code and databases run under separate access controls. Engineers cannot access production data without a formal escalation process.

Applicable privacy frameworks

TASC is designed to comply with the following privacy frameworks:

🇨🇦 PIPEDA (Canada)

Canada's Personal Information Protection and Electronic Documents Act governs how organizations collect, use, and disclose personal information in the course of commercial activity. TASC's anonymization model, consent-based Account Mode, and data minimization practices align with PIPEDA principles.

🇪🇺 GDPR (European Union)

TASC's worker data model collects no personal data without consent. Employer accounts can request data exports and deletion under GDPR Articles 15–17. Note: production data currently resides in US-based infrastructure — organizations with strict EU data residency requirements should contact us before onboarding.

🇺🇸 CCPA (California)

California residents have the right to know what personal data is collected, to request deletion, and to opt out of data sales. TASC does not sell personal data. California users may submit data requests via the contact details below.

Compliance & certifications

Transparency note on SOC 2

TASC does not currently hold an independent SOC 2 Type II certification. We are an early-stage platform built on enterprise-grade infrastructure (Neon, Render, Cloudflare) that each maintain their own compliance certifications. A formal third-party SOC 2 audit is on our roadmap as we scale. We will communicate the timeline to our customers when it is confirmed.

Our infrastructure providers maintain the following certifications:

Neon (database): SOC 2 Type II compliant. Data encrypted at rest and in transit. Hosted on AWS with enterprise SLAs.
Render (hosting): SOC 2 Type II compliant. TLS enforced. DDoS protection via Cloudflare.
Cloudflare R2 (storage): ISO 27001 certified. AES-256 encryption. Global edge network.
Postmark (email): SOC 2 Type II compliant. Email sent over TLS.

Questions or data requests

The data controller responsible for personal information collected through the TASC platform is:

The Autonomous Safety Company Inc.
Ontario Corporation No. 1001568154
Incorporated in Ontario, Canada

For data access requests, deletion requests, or privacy questions:

Email: the-autonomous-safety-company-tasc@polsia.app
Response time: within 5 business days for standard requests, 30 days for complex regulatory requests