If you sell residential real estate in Ontario, you are personally on the hook under the federal Personal Information Protection and Electronic Documents Act - PIPEDA - for every piece of client data your tools touch. Your CRM stores names, phone numbers, financial pre-approval status, conversation transcripts. Your e-sign tool stores signed agreements. PIPEDA does not care whether the data leaks because of your mistake or your vendor's. It cares that you, the realtor, collected the data and are responsible for protecting it.
Most US-built real-estate software is retrofitted for the Canadian market. The marketing page mentions Canada. The actual servers, the actual data flows, the actual privacy posture - those are still designed for an American customer base. AgentMind was built the other way around: Canadian first, Ontario-specific, every privacy decision made with PIPEDA as the floor, not a feature.
This article is a practical checklist of the ten questions any realtor should ask any vendor before adopting them. AgentMind passes all ten. We list them here so you can hold us to it.
Where data lives - the question that catches most US vendors
PIPEDA does not technically prohibit storing Canadian client data in the United States. But it does require disclosure, and it does require additional safeguards because of the broader powers US law has to compel data disclosure.
Practically, the simpler answer is to store Canadian client data in Canada. AgentMind stores all client data in a Toronto-region Canadian data centre. Not "globally available with optional Canadian routing." Not "encrypted at the disk level so location does not matter." The actual production database, the actual backups, the actual file storage - all in Canada.
For the realtor evaluating a vendor, the question is direct: "Where is the production database that holds my client data?" If the vendor's answer is vague, that is itself the answer. A vendor who has thought about Canadian residency can name the region without hesitation. A vendor who has not will redirect to "we follow industry-standard practices."
Encryption is not just "the disk is encrypted"
Most CRMs claim "data is encrypted at rest." This is technically true and substantively misleading. The standard implementation is whole-disk encryption - the cloud provider encrypts the disk where the database lives. This protects against physical disk theft. It does not protect against a database backup being read by an insider, a bug exposing all rows of a table, or a query that reads sensitive columns.
The stronger implementation is column-level encryption on the most sensitive fields. The schema stores ciphertext; the application decrypts on read using a key that lives outside the database. A successful database compromise gets the attacker rows of unreadable bytes, not plaintext conversations.
AgentMind encrypts at the column level on every sensitive field: lead conversation transcripts, interaction body text (call summaries, email content, notes), offer terms before they are public, status certificate extracted contents, and any document carrying financial details. Names and phone numbers are stored normally - they are operationally needed for every read, and column encryption on those would slow the system without adding meaningful protection. The encryption is applied where it matters most.
Voice notes are processed and discarded
Voice notes are an interesting PIPEDA edge case. You record a voice memo on your phone, AgentMind transcribes it, the structured outcome lands in your CRM. The audio file itself was processed on a server somewhere - but where did it end up?
AgentMind's defensible architecture is never persist the audio. The bot receives it, transcribes it, drops it. The transcript persists where you have already established consent to store client communications. The audio was a transient processing input, not a record.
This matters for your insurance posture, for what you can credibly tell a client when they ask "where do my voice notes go?" Your answer is: nowhere - they get read, transcribed, and discarded. The transcript becomes part of your normal client file. There is no hidden archive of audio recordings sitting on a server somewhere waiting to be breached.
Access controls and audit trails
If something goes wrong - a leaked credential, a stolen laptop, a phished employee - your privacy officer needs to be able to answer: who accessed what, and when? Without audit logs, every breach becomes a worst-case-assumption disclosure.
AgentMind logs every login and login-failure event with timestamp and source IP, every export of client data, every change to permission grants, and every administrative action. The logs are tamper-resistant - written to a separate audit channel that the application itself cannot delete from. If you ever need to answer a privacy commissioner's questions, you have the data to do it.
For multi-realtor agency setups, AgentMind enforces row-level isolation at the database layer, not just at the application layer. Each row is tagged with the realtor (and team) it belongs to; the database itself refuses to return rows the current user is not entitled to. A bug in application code cannot leak rows; the database fails closed by default.
Multi-factor authentication and IP allowlists on admin
The single highest-leverage security control for a multi-realtor SaaS is multi-factor authentication on the admin console, especially when the admin can read across realtor accounts. AgentMind requires TOTP-based MFA on every admin account - not optional, not SMS (which is vulnerable to SIM-swap attacks), but mandatory authenticator-app codes. A leaked admin password without MFA is a full data breach. With AgentMind's posture, a leaked password without the matching authenticator is an incident report and a reset.
One step further: the AgentMind admin console runs behind an IP allowlist by default. Even if an attacker has both the password and the MFA code, a connection from outside the allowed range fails to authenticate. This is operational paranoia rather than baseline compliance, but for handling Canadian client data at scale we treat it as table stakes.
The ten-question vendor checklist
Pulling all of the above into a sequence you can use during any vendor evaluation. AgentMind's answer to each is in italics - we publish them here so you can hold us to them.
- Where is the production database storing my client data? AgentMind: Toronto, Canada.
- Is data encrypted at the column level for sensitive fields, or only at the disk level? AgentMind: column-level encryption on conversations, offer terms, status certs, interaction bodies.
- If your service handles voice notes, is the audio persisted after transcription? AgentMind: no. Audio is read, transcribed, and discarded.
- Is row-level security enforced at the database, or only at the application? AgentMind: at the database.
- Is multi-factor authentication required (not optional) for admin accounts? AgentMind: required, with TOTP. SMS not supported.
- Do you maintain audit logs of admin actions, and how long are they retained? AgentMind: yes, indefinitely on a separate channel.
- What is your data retention policy for inactive accounts? AgentMind: published; not "we keep everything forever."
- Can clients request deletion of their data, and how long does it take? AgentMind: yes, processed within seven business days.
- Do you have a designated privacy officer and a breach response plan? AgentMind: yes, named.
- Have you completed a Canadian privacy impact assessment? AgentMind: yes.
A vendor who answers these questions confidently has thought about Canadian compliance. A vendor who hedges or redirects to marketing language has not. The latter is an instructive signal regardless of how good the product is.
Your own obligations do not transfer
Even when AgentMind is fully PIPEDA-compliant, you still have personal obligations under the law. AgentMind is a necessary condition, not a sufficient one. You also need to:
Get meaningful consent at intake. A short, plain-language sentence on the buyer-representation agreement covers most cases. "We will use the contact information you provide to send you matching listings and follow up about your home search. We do not sell or share your information."
Designate a privacy officer. For solo realtors, that is you. For brokerages, it is usually the broker of record. The role exists to receive complaints and respond to access requests. The Office of the Privacy Commissioner of Canada publishes a compliance guide aimed at small businesses that walks through the role's responsibilities.
Have a breach response plan. A one-page memo that says "if our laptop is stolen, here are the four steps we take in the first 24 hours." Under PIPEDA's mandatory breach-reporting rules, you must notify affected individuals and the Privacy Commissioner of any breach creating a real risk of significant harm.
Honour deletion requests. When a client asks to be removed, remove them. AgentMind makes this a single button click.
Combine those four pieces with AgentMind's vendor-side compliance, and you have a PIPEDA posture that holds up to scrutiny.
