Trust & evidence

Verifiable claims.
Honest framing.

Every technical and compliance claim on this site, with its evidence or its honest limit. We'd rather underclaim with proof than overclaim with a press release.

Claim 01 · Compliance

EFVP — Privacy Impact Assessment

T6AI Inc. completed its first EFVP (Évaluation des Facteurs Relatifs à la Vie Privée) on 2026-03-27, covering the use of Anthropic's Claude API in internal operations. Current version: v1.4, last updated 2026-05-15.

What's in it: data flow diagram, subprocessor list, retention periods, breach response process, data subject rights workflow, EU AI Act risk classification.

Per-product EFVPs: Calypack, Relevia, and OpenTac each get a dedicated EFVP before their first production user. Calypack's is in draft.

Honest limit: the full document contains operational detail (vendor identifiers, internal contacts, security controls). A redacted summary is available to investors, auditors, regulators, and serious prospects on request.

Claim 02 · Safety layer

NVIDIA NeMo Guardrails — 60 Colang rails, fail-closed

Every LLM call from a T6AI production agent is wrapped by mc-guardrails, our internal deployment of NVIDIA NeMo Guardrails. The wrap runs on localhost:8090 in development and inside a hardened container in production.

What "60 Colang rails" means: 60 declarative policy rules written in NeMo's Colang language. Categories: PII detection, prompt-injection detection, jailbreak heuristics, content-safety classifiers (NeMo Guard 8B), topic restrictions, Loi 25 art. 8.1 minimisation, audit logging hooks.

Fail-closed means: if the guardrail layer is unreachable for any reason — NIM down, network partition, container restart — the LLM call is refused with HTTP 503 and a safe-deny audit log entry. No silent pass-through.
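A fail-closed wrapper of the kind described above, as an added example (not T6AI's mc-guardrails code). The endpoint path, the JSON verdict shape, and the 403 status for a policy block are assumptions; the page specifies only localhost:8090, the HTTP 503 refusal, and the safe-deny audit entry.

```python
import json
import time
import urllib.request

# Assumption: hypothetical endpoint path and reply shape {"allowed": bool, "rail": str}.
GUARDRAIL_URL = "http://localhost:8090/v1/check"


def http_check(prompt, timeout=2.0):
    """POST the prompt to the guardrail service and return its parsed JSON verdict."""
    req = urllib.request.Request(
        GUARDRAIL_URL,
        data=json.dumps({"prompt": prompt}).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def guarded_call(prompt, call_llm, check=http_check, audit=print):
    """Return (http_status, body). call_llm runs only after an explicit allow."""
    entry = {"ts": time.time(), "event": "llm_call"}  # prompt text is not logged
    try:
        verdict = check(prompt)
        allowed = verdict["allowed"]  # KeyError/TypeError on a malformed reply
        if not isinstance(allowed, bool):
            raise ValueError("non-boolean verdict")
    except Exception as exc:  # timeout, refused connection, bad JSON, bad shape
        # Fail closed: no verdict means refusal, never a silent pass-through.
        audit({**entry, "decision": "safe-deny", "reason": type(exc).__name__})
        return 503, "guardrail unavailable"
    if not allowed:
        audit({**entry, "decision": "deny", "reason": verdict.get("rail", "policy")})
        return 403, "blocked by policy"  # assumption: status for a policy block
    audit({**entry, "decision": "allow"})
    return 200, call_llm(prompt)
```

A malformed or ambiguous verdict is treated the same as an outage, so a guardrail that answers with anything other than a boolean allow cannot open the path to the model.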

Honest limit: the rail counts and Colang source are not yet public. They will be published in the OpenTac repo when it opens (see Claim 05). We'll happily run a live demo for serious reviewers — email us.

Claim 03 · Data residency

AWS ca-central-1 — Montréal, end to end

Every byte of customer data lives in AWS ca-central-1 (Montréal). This covers the database, object storage, email (SES), AI inference (Bedrock when used), and CDN region pinning.

Technical posture: RDS / Aurora with `--storage-encrypted`, parameter group `rds.force_ssl=1`, least-privilege IAM, security groups restrictive by default, no public RDS, encrypted EBS volumes, encrypted S3 buckets.

Cross-border: we don't transfer customer PII outside Canada without explicit consent. Vercel functions are pinned to yul1 (Montréal) for products that need edge compute.

Honest limit: Claude API (Anthropic) is hosted in the US and processes prompt content. This is disclosed in our EFVP and in each product's privacy policy. Bedrock ca-central-1 is the residency-locked path when product-specific compliance requires it.

Claim 04 · Test coverage

~1,600 automated tests across the portfolio

We test the boring edges: authorization, race conditions, cross-tenant access attempts, payment idempotency, audit-log integrity. Per-product breakdown:

  • Relevia — 514 tests (404 web + 79 admin + 18 auth + 13 quiz)
  • ThisIsMyFlight — 591 tests
  • OpenTac — 515 tests, 28 OAuth provider integrations
  • FoundMyBiz — 504 tests

Honest limit: these counts come from internal CI (GitHub Actions). They are not externally audited. We can show CI dashboards and test artifacts to serious reviewers under NDA.

Claim 05 · Open source

OpenTac — Apache 2.0 license drafted, repo opens at V1

OpenTac is our universal control plane for AI agent fleets. Apache 2.0 license is drafted and committed to the (currently private) repo. The repo opens publicly when V1 is hardened — internal use today, no fake "live OSS" badge.

What you can verify today: architecture pages on this site, the README excerpts in the product page, a redacted module-tree summary on request.

What changes at launch: repo flips public, README + LICENSE + CONTRIBUTING become canonical, `docker compose up` boots the same code we run internally.

Claim 06 · Breach & rights

72h breach notification, Loi 25 / GDPR rights honored

Loi 25 art. 3.5 requires notifying the Commission d'accès à l'information within 72 hours of a confirmed incident. GDPR art. 33 imposes the same SLA on the data controller. Our incident-response runbook (private) targets a 4h internal detection → 24h triage → 72h regulator notification path.

Rights workflow: access, rectification, erasure, portability requests are routed to contact@t6ai.co with a 30-day response target (Loi 25). For Loi 25 art. 12.1 automated decisions (e.g. Relevia matching), the affected user receives a human-readable explanation and can request human review.

Honest limit: we haven't had a reportable incident. The 72h SLA is our committed posture, tested against synthetic incident drills internally.

Want the full picture?

EFVP redacted summary, test artifacts, architecture deep-dive, OpenTac module tree. Available to investors, auditors, regulators, and serious prospects under NDA.
