Privacy Policy

Beyond IT Inc. ("we") operates the Partner Society Platform — a super-adaptive business platform that combines employee management, partner governance, sealed agreements, AI-powered communication, real-time monitoring, document intelligence, and multi-tier commission networks. This policy applies to all users.

2.1 Personal Information

• Full name and professional email address
• Phone number (verified via SIM and/or SMS)
• Organization name and role/title
• Business address and contact details
• Date of birth (for minimum age verification — 18+ for administrator roles)

2.2 Device & Security Information

• Device type, browser, operating system, screen resolution
• Unique device identifier (Device ID)
• SIM card identifier for device attestation (Android) or Apple device/App Store attestation (iPhone)
• Encrypted authentication keys stored on device
• Timezone and language preferences

2.3 Location Data

• GPS coordinates (collected during login with consent)
• IP address (collected automatically)
• Approximate geographic location derived from IP

2.4 Activity & Audit Data

• Login times and authentication methods
• Platform usage activity and feature access
• Electronic signatures and consent records
• AI calling activity via supported providers (Twilio, Telnyx, Plivo, Vonage, Sinch) — call times, durations, consent records)
• Telephony audit logs (caller ID, recipient, timezone, outcome, consent reference)
• Knowledge Vault activity (documents uploaded, intelligent search queries)
• Observables history (changes detected, alerts sent, document updates triggered)
• Commission and revenue transfer activity
• Negotiation and sealed agreement history (cryptographic hashes, audit trails)

2.5 Identity Provider Data

• Federated sign-in provider (Google, Microsoft, GitHub, or Apple)
• Account linking identifiers for multi-provider accounts
• Consent and policy version tracking records
• Enterprise SSO integration (Google Workspace, Microsoft Azure AD, AWS)
• APIs and connectors enable communication between your environment and the systems you choose to integrate
• Certain sensitive actions may require explicit confirmation, including SMS-based confirmation, depending on your security settings

2.6 Your Own AI, Storage & Integrations (Bring Your Own)

• Links to your external AI provider (when BYOAI is configured)
• Links to your cloud storage — 14 providers: Google Drive, OneDrive, Dropbox, Amazon S3, GCP Cloud Storage, Azure Blob, Custom URL, Platform Storage, FTP, SFTP, WebDAV, SMB, Local/On-Prem, MinIO
• Linked file metadata (never the files themselves)
• Document integrity hashes (for Digital Witness verification)
• Overflow and failover configuration (which backup storage receives data when primary is full)
• Connections Hub Integrations — Links to your business tools across 5 categories: Identity (SSO, SAML, SCIM), Messaging (Slack, Teams, Discord), Data Targets (CRM, accounting, HR, project management, e-commerce), and Code Repos (GitHub, GitLab, Bitbucket). The platform auto-imports, syncs, and alerts on changes from connected resources.
• Event Streaming — Platform events (logins, document changes, agreement seals, storage operations) can be exported to Google Pub/Sub, Apache Kafka, webhooks, Datadog, or custom event APIs

• Authentication & Security: Verify identity, prevent unauthorized access, detect suspicious activity
• Device Attestation: Ensure only authorized devices with registered SIM cards can access the Platform
• Service Delivery: Partner management, communications, AI-assisted features
• Document Intelligence: AI processing of your Knowledge Vault documents (intelligent analysis, summaries, anomaly detection)
• Observables: Real-time monitoring of regulatory changes, pricing, and external data sources to alert you immediately
• Commission Networks: Calculation and tracking of multi-tier commissions between partners
• Auto-Adaptation: Propagating detected changes across your Knowledge Vault documents
• Platform Improvement: Analyze usage patterns to improve features

Depending on your organization's configuration, data may be stored either in the storage environment configured for your instance or in a private storage environment that you control. We also support the use of customer-managed storage options where available.

In many cases, data is routed to the services, connectors, and third-party providers that you configure for your environment. This may include storage providers, business systems, and other authorized external platforms.

Our platform uses APIs and connectors to enable communication between your environment and the systems you choose to integrate. Certain sensitive actions may require explicit confirmation, including SMS-based confirmation, depending on your security settings.

Configuration Control & Access Management

The platform provides an extremely granular configuration system designed for enterprises of all sizes:

• Visual Profile Creator — Administrators see the exact view each user will see, with checkboxes overlaid on every menu, section, action button, and data field. Uncheck what the user should not see, save as a profile — access is configured instantly.
• Server-Enforced Permissions — Each user receives a pre-computed permission profile that controls both the interface AND server-side access. No client-side bypass is possible — security is enforced server-side.
• Profile Templates — Start from pre-built templates (Super Admin, Admin, Manager, Employee, Viewer) or create fully custom profiles. Templates can be cloned and adjusted per team.
• Field-Level Data Hiding — Hide specific data fields (phone numbers, addresses, financial data, AI keys) from specific roles. Certain groups may see names but not salaries.
• Federal Policy Cascade — Beyond IT builds and configures the federal entity for you, then delivers full super-admin access to your organization. Once delivered, Beyond IT has zero access to your data and cannot interfere. Rules cascade: Platform Minimums → Client Federal → Organization → Department/Group → Individual. The most restrictive rule always wins.
• Custom Security Rules via AI — Our AI developers can rapidly create custom compliance rules using embedding technology. Request a specific rule and we integrate it into the governance layer.
• Storage Providers — 14 supported: Google Drive, OneDrive, Dropbox, Amazon S3, GCP Cloud Storage, Azure Blob, Custom URL, Platform Storage, FTP, SFTP, WebDAV, SMB, Local/On-Prem, MinIO. Overflow strategies (failover, round-robin, cascade, replicate, archive) ensure data flows to backup storage automatically.
• Dual Storage — Data can be stored in multiple locations simultaneously for maximum resilience. On-premises deployment is available for full data sovereignty.
• Event Streaming — Export platform events to Google Pub/Sub, Apache Kafka, webhooks, Datadog, New Relic, Grafana, or custom APIs for real-time observability.
• Security Parameters — Every parameter is configurable: SIM verification, SMS codes, TOTP authenticator, re-verification intervals, device limits, geolocation, impossible travel detection, dual-person authorization, and more
• Observable Monitoring — Monitor connected resources via up to 10 alert channels: in-app, email, SMS, AI phone call, Datadog, webhook, Slack/Teams, PagerDuty, and more

When integrations or sensitive actions are enabled, explicit confirmation may be required — including SMS codes or two-person authorization for high-security operations.

AI Integration & Deployment Options

The platform provides a powerful, flexible AI integration layer:

• Built-in AI — Production-ready AI models (Gemini Lite) for voice calls, messaging, scheduling, contextual prompts, and form assistance. Configurable voice personalities represent your brand naturally.
• Bring Your Own AI (BYOAI) — Connect your own AI via API key (OpenAI GPT, Google Gemini, Microsoft Copilot, Anthropic Claude, or any compatible API). Your AI handles intelligence; our platform handles infrastructure.
• AI-to-AI Communication — Your AI and ours exchange structured messages. Send instructions, receive summaries, action items, or data queries — processed automatically.
• On-Premises Deployment — Install the entire platform on your infrastructure. Plug your own AI models, databases, and operate with full data sovereignty. Ideal for banking, healthcare, government.
• SaaS Mode — Or use our fully managed cloud service. We handle hosting, updates, security, and scaling.
• Enterprise SSO Bridge — Google Workspace, Microsoft Azure AD, or SAML/OIDC. Employees auto-provisioned via SCIM; storage locations passed as SAML claims.
• Multi-Platform — Android (SIM verification), iPhone (Apple attestation), and full desktop web application. Device types can be restricted per role.

When third-party AI services are used, data processing may depend on the policies and terms of the provider. Our platform uses APIs and connectors for communication between your environment and integrated systems. Sensitive actions may require SMS confirmation depending on your security settings.

Responsibilities

We implement the integration, configuration, and security mechanisms provided by the platform. However, how data is stored, routed, or processed may depend directly on your organization's configuration choices, selected providers, and activated third-party services.

Infrastructure Security

• Military-grade encryption at rest and in transit
• Multi-provider authentication (Google, Microsoft, GitHub, Apple)
• Server-enforced security rules isolating data between organizations
• Server-side token verification on all API requests
• Electronic signatures with full audit trail
• Military-grade cryptographic hashing for agreement sealing
• Real-time document anomaly detection

We do not sell your personal information. We may share data only:

• Within your organization: Org admins can view member profiles and activity according to delegated rights in the hierarchy
• Infrastructure providers: Google Cloud (hosting and authentication)
• External AI provider: only if you have configured BYOAI
• Commercial partners: in accordance with signed sealed agreements
• Legal requirements: When required by law, court order, or government authority
• With your consent: When you explicitly authorize data sharing

• Access: Request a copy of all personal data we hold about you
• Correction: Request correction of inaccurate personal information
• Deletion: Request deletion of your account and associated Knowledge Vault
• Portability: Receive your data in a machine-readable format
• Withdraw Consent: Withdraw consent for data collection (may limit Platform access)

To exercise these rights, contact: privacy@beyondit.ca

• Account data: Retained while your account is active
• Consent & signature records: Retained for 7 years for legal compliance
• Activity logs: Retained for 2 years, then archived
• Telephony audit logs: Retained for a minimum of 5 years for regulatory compliance
• Device registrations: Retained until device is deregistered or account deleted
• DNC/DNCL synchronization records: Verified every 31 days, retained for 3 years + 14 days
• Sealed agreements: Retained immutably as long as parties have an active account
• Knowledge Vault: Retained while account is active, deletion upon request

The Platform uses essential cookies and localStorage for authentication and security purposes only. We do not use advertising or third-party tracking cookies.

You must be at least 18 years of age to hold an administrator role. Individuals below 18 may only access the platform as employees invited by an authorized employer, provided they meet the minimum required age of work in their state. The platform automatically verifies age compliance. Contact: commercial@beyondit.ca

Minimum Working Age by State

Disclaimer: This table provides general guidance only. Minimum working age rules vary significantly by type of work (hazardous vs non-hazardous), school days vs non-school days, agriculture vs non-agriculture, and may require work permits or certificates. Always verify with your state's Department of Labor for current, specific requirements applicable to your situation.

We will notify you of material changes via email or in-app notification. The platform tracks which version you accepted and will trigger mandatory re-consent on material updates.

In the event of a security breach, we will notify affected users and relevant authorities as required by applicable state laws including CCPA.

The Platform uses automated processes for anomaly detection, DLP scanning, observable monitoring, AI alerting, and calling compliance enforcement. Users are informed of automated decision-making processes and have the right to request human review of any automated decision that significantly affects them.

International Privacy Compliance

Beyond IT is designed to comply with major international and regional privacy regulations:

• PIPEDA (Canada) — Personal Information Protection and Electronic Documents Act. Governs how private-sector organizations collect, use, and disclose personal information.
• Quebec Law 25 — Quebec's privacy modernization law, one of the strictest in North America, mandating privacy impact assessments and consent management.
• GDPR (European Union) — General Data Protection Regulation. If our platform is used by EU residents, we adhere to GDPR principles including lawful basis for processing, data minimization, and data subject rights.
• CCPA/CPRA (California, USA) — California Consumer Privacy Act / California Privacy Rights Act. California residents have the right to know, delete, correct, and opt-out of the sale or sharing of personal information.
• CASL (Canada) — Canada's Anti-Spam Legislation, governing electronic messaging, including AI-initiated communications.
• TCPA (USA) — Telephone Consumer Protection Act, governing automated calls and text messages.

Your Data Rights

Regardless of your jurisdiction, you have the following rights regarding your personal data:

• Right to Access — Request a copy of all personal data we hold about you.
• Right to Rectification — Request correction of inaccurate data.
• Right to Erasure — Request deletion of your personal data ("right to be forgotten"). We will delete your data within 30 days, except where legal retention obligations apply.
• Right to Data Portability — Export your data in a standard, machine-readable format (JSON, CSV). Available through your profile settings or by contacting us.
• Right to Restrict Processing — Limit how we use your data while a dispute is resolved.
• Right to Opt-Out — Opt out of marketing communications, analytics tracking, AI-powered features, or automated decision-making at any time through your profile settings.
• Right to Non-Discrimination — Exercising your privacy rights will not result in reduced service quality or increased pricing.

To exercise any of these rights, contact us at privacy@beyondit.co or through the privacy settings in your account dashboard. We respond to all requests within 30 days.

Data Minimization & Legal Basis

We follow strict data minimization principles:

• Collect only what is necessary — We do not collect personal data beyond what is required to deliver the service you requested.
• Purpose limitation — Data collected for one purpose is not repurposed without your explicit consent.
• Storage limitation — Data is retained only as long as necessary for its stated purpose or as required by law.
• Legal basis for processing — We process your data based on: (a) your explicit consent, (b) contractual necessity to deliver the service, (c) legal obligations, or (d) our legitimate business interests, balanced against your privacy rights.

Subprocessors & Cross-Border Data

We use the following subprocessors to deliver our services:

• Google Cloud Platform (GCP) — Infrastructure, Firestore database, Cloud Functions, AI services (Gemini). Data centers in North America.
• Firebase — Authentication, real-time database, App Check, phone verification. Google-operated.
• Twilio / Telnyx / Plivo / Vonage / Sinch — Telephony API providers for AI voice calls and SMS verification (customer-configurable).
• cPanel / Web Hosting — Static website hosting for beyondit.co.

Cross-border transfers: Data may flow between Canadian and US data centers depending on your configuration. We implement appropriate safeguards for all cross-border transfers, including encryption in transit and at rest, and contractual protections with all subprocessors.

Data Processing Agreement (DPA): Enterprise clients may request a DPA that defines mutual obligations regarding personal data processing. Contact legal@beyondit.co to request one.

privacy@beyondit.ca · Beyond IT Inc. · Montréal & Alberta, Canada