Security & hosting
Last updated: May 28, 2026
This page answers questions from organizations (daycares, retirement homes, caterers, group homes) evaluating Plan Repas for institutional use. To request a data processing agreement or a detailed security assessment, write to [email protected].
Data hosting
- Data hosted on dedicated cloud infrastructure (Oracle Cloud virtual private servers), not shared with other customers.
- PostgreSQL database and file storage (MinIO) self-hosted on this infrastructure — no third-party database service.
- Hosting region and data residency details are provided on request as part of an institutional assessment.
Encryption
- In transit: all traffic is encrypted over HTTPS (TLS) via Cloudflare.
- At rest: sensitive fields (e.g. postal code) are encrypted at the application level before being written to the database.
- Backups: backup copies are encrypted (age encryption) before off-site storage; the decryption key is kept separately from the infrastructure.
Sub-processors
Plan Repas relies on a limited set of contractually bound sub-processors:
- Anthropic (United States) — AI meal-plan generation. No health data; see the "dietary restrictions" terminology on our Law 25 page.
- Stripe (payment processing) — banking information never transits through our servers; it is entered directly with Stripe.
- Cloudflare (CDN / web application firewall).
Law 25 compliance
Plan Repas complies with Quebec's Law 25: appointed privacy officer, right of access / rectification / deletion, incident log, and privacy impact assessment for each new feature. Full details on the Law 25 page.
Institutional billing
Organizations that cannot pay by credit card (purchase order, annual invoicing) can start without banking information and have a grace period to set up payment. Contact us for an arrangement suited to your procurement process.