Security & privacy
How copilotBC protects your records.
Last reviewed: May 30, 2026 — updated whenever the app's protections change or after each round of security testing.
copilotBC is built so that only you can see your students' records, those records can't be secretly altered or deleted, and the sensitive parts — signatures, voice notes, payment cards — are handled with the strongest practical safeguards. Verified by ongoing adversarial security testing, not just promised.
| Area | What we do |
|---|---|
| Where your data lives | Google Cloud Firestore in the Toronto, Canada region — encrypted at rest and in transit |
| Who can see it | Strict per-instructor isolation, enforced on the server — no instructor can ever reach another's data |
| Account protection | Verified-email sign-in + Google App Check (bot/abuse defence) enforced on every request |
| Record integrity | Signed lessons are permanently locked — they can't be edited, un-signed, or deleted, even by the account owner |
| Tamper evidence | Append-only audit log + append-only correction trail — nothing is silently overwritten |
| Connection security | HTTPS-only, with HSTS (2-year, preload) so browsers refuse any insecure connection |
| Voice notes | Transcribed entirely on your own device — audio never leaves your phone or laptop |
| Payment cards | Processed by Stripe on a Stripe-hosted checkout page — copilotBC never sees or stores card numbers |
| Privacy rights | Built around BC's PIPA: data export, correction trail, retention controls, clean sign-out |
| Independent checks | Regularly subjected to adversarial penetration testing; findings are fixed and re-verified |
1. Your data stays in Canada
Student records — names, licence details, lesson history, readiness scores, and reports — are stored in Google Cloud Firestore in the Toronto (northamerica-northeast2) region. This keeps personal information of BC learners on Canadian soil, which directly addresses data-residency expectations under British Columbia's Personal Information Protection Act (PIPA).
All data is encrypted at rest (Google-managed AES-256) and encrypted in transit (TLS 1.2+) — automatically, on every read and write. Backups remain within the same region.
2. Only you can see your students — enforced by the server, not the app
Every instructor's data lives in a private, isolated space keyed to their account. The rules that govern access run on Google's servers, not in the app on your device — so they can't be bypassed by tampering with the app, calling the database directly, or any other client-side trick.
The server independently checks, on every single request, that:
- you are signed in,
- your email is verified, and
- you are the owner of the exact record being touched.
We tested this the hard way — attempting to read, list, query, and write another instructor's records through every channel we could find — and every cross-instructor attempt was denied.
3. Strong account protection
- Verified-email sign-in. Email/password accounts must confirm their address before they can store or read any data. Google sign-in is verified by Google. This blocks throwaway and automated accounts from ever touching the database.
- Google App Check (reCAPTCHA v3), enforced. Every request must carry a valid App Check token proving it came from the genuine copilotBC app — not a script or bot. This is enforced on both authentication and the database.
- Session hygiene. Signing out wipes your saved settings, instructor licence details, any cached lesson audio, and the offline database copy from the device. This matters on shared or family computers.
4. Records can't be secretly changed or deleted
A driving-instruction record only has value if everyone can trust it wasn't altered after the fact. copilotBC enforces this at the database level:
- Signatures are permanent. Once a lesson is signed off, it is locked. It cannot be un-signed, its status cannot be rolled back, and its details cannot be rewritten.
- Signed records can't be deleted. BC's Motor Vehicle Act Regulations (Division 27) require training records to be retained for 6 years. copilotBC enforces that retention by refusing to delete a signed lesson — there is no override.
- Completed lessons can't be deleted either. Even a finished lesson that hasn't been signed yet already represents delivered instruction.
- Students are archived, never erased. Removing a student hides them from your active list but keeps every record intact behind them.
- Corrections are appended, never overwritten. The original text is never silently replaced — every change is visible and attributable.
- Tamper-evident audit log. Consequential actions are written to an append-only audit trail that cannot be edited or deleted — not even by the account owner.
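The ownership, verified-email and signed-record policy of sections 2 and 4, written here as an added example in plain JavaScript so the decisions can be read and unit-tested. This is not copilotBC's own code: the app enforces these checks in server-side Firestore security rules, and the field names and limits below are assumptions.

```javascript
// Added example, not copilotBC's code: a decision function mirroring the
// server-side rules of sections 2 and 4 (ownership, verified email, locked
// signed records, retained records, append-only corrections and audit log).
const RETAINED = new Set(['completed', 'signed']);   // never deletable
const deny = (reason) => ({ allow: false, reason });
const allow = () => ({ allow: true });

// Server-side field validation: types, ranges and length limits (section 7).
function validLesson(d) {
  return d !== null && typeof d === 'object' &&
    typeof d.instructorId === 'string' && d.instructorId.length > 0 &&
    typeof d.studentId === 'string' && d.studentId.length <= 64 &&
    ['draft', 'completed', 'signed'].includes(d.status) &&
    typeof d.notes === 'string' && d.notes.length <= 2000 &&
    Number.isInteger(d.readinessScore) && d.readinessScore >= 0 && d.readinessScore <= 100 &&
    Array.isArray(d.corrections);
}

// Corrections are appended, never overwritten: the old list must be a prefix.
function isPrefix(prev, next) {
  return prev.length <= next.length && prev.every((c, i) => next[i] === c);
}

// op: 'read' | 'create' | 'update' | 'delete'; auth: { uid, emailVerified } or
// null; existing: the stored lesson (null on create); incoming: proposed data.
function decide(op, auth, existing, incoming) {
  if (!auth) return deny('not signed in');
  if (!auth.emailVerified) return deny('email not verified');
  if (op === 'create') {
    if (!validLesson(incoming)) return deny('schema violation');
    return incoming.instructorId === auth.uid ? allow() : deny('not the owner');
  }
  if (!existing) return deny('no such record');
  if (existing.instructorId !== auth.uid) return deny('not the owner');  // isolation
  if (op === 'read') return allow();
  if (op === 'delete') return RETAINED.has(existing.status) ? deny('retained record') : allow();
  if (op !== 'update') return deny('unknown operation');
  if (existing.status === 'signed') return deny('signed lesson is locked');
  if (!validLesson(incoming)) return deny('schema violation');
  if (incoming.instructorId !== existing.instructorId) return deny('owner cannot change');
  if (!isPrefix(existing.corrections, incoming.corrections)) return deny('corrections are append-only');
  return allow();
}

// The audit log is append-only: creates only, no updates or deletes for anyone.
function decideAudit(op, auth) {
  if (!auth || !auth.emailVerified) return deny('not signed in');
  return op === 'create' ? allow() : deny('audit log is append-only');
}
```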
5. Trustworthy electronic signatures
copilotBC's in-person signature flow follows the two-party model recognised by British Columbia's Electronic Transactions Act (section 11): the instructor signs, then hands the device to the student, who types their full name and ticks explicit consent boxes while the instructor witnesses it.
For the scan-to-sign-on-your-own-phone option, each link is protected by a 192-bit cryptographically random token. It expires after 10 minutes (enforced on the server), can be used once only, and is deleted automatically once the signature is captured.
6. Hardened connections and infrastructure
- HTTPS everywhere, always. The app is served only over encrypted HTTPS.
- HSTS with preload. A 2-year Strict-Transport-Security header with subdomain coverage and preload instructs browsers to refuse insecure connections entirely.
- Strict Content-Security-Policy. A tight allow-list controls exactly which scripts, styles, fonts, images, and network destinations the app may use. No wildcard scripting, no inline-script execution, plugins disabled, and the page cannot be framed by another site (closing clickjacking).
- Defensive HTTP headers. X-Frame-Options: DENY, X-Content-Type-Options: nosniff, a strict Referrer-Policy, and a locked-down Permissions-Policy.
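The transport and browser-hardening headers of this section, as an added Node.js example that is not copilotBC's own configuration: one function builds the hardened header set and a second audits any response's headers for the weaknesses those headers close. The API origin argument is a placeholder, since the page does not list the app's exact allow-list.

```javascript
// Added example, not copilotBC's own header configuration: section 6's transport
// and browser-hardening headers as a Node-style header set, plus an audit that
// flags the weaknesses they close. The API origin is a placeholder argument.
const TWO_YEARS = 63072000; // seconds; the preload list needs at least one year

function buildSecurityHeaders({ apiOrigin }) {
  return {
    'Strict-Transport-Security': `max-age=${TWO_YEARS}; includeSubDomains; preload`,
    'Content-Security-Policy': [
      "default-src 'self'",
      "script-src 'self'",             // no 'unsafe-inline', no wildcard hosts
      "style-src 'self'",
      "font-src 'self'",
      "img-src 'self' data:",
      `connect-src 'self' ${apiOrigin}`,
      "object-src 'none'",             // plugins disabled
      "frame-ancestors 'none'",        // cannot be framed by another site
    ].join('; '),
    'X-Frame-Options': 'DENY',
    'X-Content-Type-Options': 'nosniff',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
    'Permissions-Policy': 'camera=(), geolocation=(), microphone=(self), payment=()', // mic: on-device voice notes
  };
}

function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives[name] = sources;
  }
  return directives;
}

// Returns a list of findings; an empty list means the response is hardened.
function auditSecurityHeaders(h) {
  const findings = [];
  const hsts = h['Strict-Transport-Security'] || '';
  const maxAge = Number((hsts.match(/max-age=(\d+)/) || [])[1] || 0);
  if (maxAge < TWO_YEARS) findings.push('HSTS max-age below 2 years');
  if (!/includeSubDomains/i.test(hsts) || !/preload/i.test(hsts)) findings.push('HSTS not preload-ready');
  const csp = parseCsp(h['Content-Security-Policy'] || '');
  const script = csp['script-src'] || csp['default-src'] || ['*'];
  if (script.some((s) => ['*', "'unsafe-inline'", "'unsafe-eval'"].includes(s))) findings.push('CSP allows inline, eval or wildcard scripts');
  if (!(csp['frame-ancestors'] || []).includes("'none'") && h['X-Frame-Options'] !== 'DENY') findings.push('page can be framed');
  if (!(csp['object-src'] || []).includes("'none'")) findings.push('plugins not disabled');
  if (h['X-Content-Type-Options'] !== 'nosniff') findings.push('MIME sniffing not disabled');
  if (!h['Referrer-Policy'] || !h['Permissions-Policy']) findings.push('Referrer-Policy or Permissions-Policy missing');
  return findings;
}
```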
7. Defence against malicious data and code injection
copilotBC defends in three independent layers:
- Input is sanitised before it's ever stored — HTML-control characters and injection vectors are stripped.
- The database validates every field on the server — types, value ranges, and length limits are enforced, so malformed or oversized data is rejected outright.
- The app renders all text safely — using a framework that escapes content by default, with no use of dangerous code paths (eval, innerHTML, dangerouslySetInnerHTML).
Our third-party software dependencies are continuously audited; the app currently reports zero known vulnerabilities in its production dependencies.
8. Works offline, syncs safely
copilotBC is a Progressive Web App: it keeps working in a car with no signal and syncs automatically when you're back online. The same server-side security rules apply to every synced change — going offline never relaxes who can read or write what.
9. Privacy by design
- Voice notes never leave your device. Transcription runs entirely in your browser — audio is never uploaded to us or anyone else.
- No payment-card exposure. Payments are processed by Stripe on a Stripe-hosted checkout page (the PCI DSS SAQ-A model): no card form ever renders inside copilotBC, no payment script loads in the app, and copilotBC never receives, processes, or stores card numbers. Payment state is written only by our payment server after Stripe cryptographically confirms the charge — the app itself can't forge a "paid" record.
- Data minimisation. We collect only what a BC driving instructor genuinely needs for instruction and regulatory record-keeping.
- Your rights, built in. copilotBC supports exporting a student's full record, an append-only correction trail, and retention controls aligned to the 6-year regulatory window.
10. We test ourselves — adversarially
copilotBC is regularly put through adversarial penetration testing — deliberate attempts to break in without an account, read or modify another instructor's data, forge or delete signed records, inject malicious content, and abuse the system to run up costs. When a test surfaces a gap, we aim to fix it promptly and re-verify before shipping.
What this means for you
Parents & students — Your young driver's name, licence details, and progress are stored in Canada, visible only to your instructor, and can't be quietly changed or deleted.
Instructors — Your records are tamper-evident and built for long-term retention by default. Sign-out fully clears the device, so a shared computer or a sold phone won't leak your students' information.
Regulators — copilotBC is built around BC's MVAR Division 27 retention rules, the Electronic Transactions Act signature model, and PIPA privacy obligations. Record integrity, retention, and auditability are enforced at the server layer.
Security questions: privacy@copilotbc.ca