# Data Residency Documentation

**Building Code Academy** | Data Processing & Residency
**Document Version:** 1.0 | **Date:** February 2026
**Classification:** Public

---

## Overview

Building Code Academy (BCA) processes and stores data exclusively within the United States. This document details where data resides across our infrastructure.

## Data Processing Locations

### Primary Data Storage

| Data Type | Service | Region | Location |
|-----------|---------|--------|----------|
| **User Accounts & Profiles** | Supabase (PostgreSQL) | AWS US-East-1 | Virginia, USA |
| **Authentication Tokens** | Supabase Auth | AWS US-East-1 | Virginia, USA |
| **Exam Progress & Results** | Supabase (PostgreSQL) | AWS US-East-1 | Virginia, USA |
| **Organization Data** | Supabase (PostgreSQL) | AWS US-East-1 | Virginia, USA |
| **Course Completions & Certificates** | Supabase (PostgreSQL) | AWS US-East-1 | Virginia, USA |
| **File Storage** | Supabase Storage (S3) | AWS US-East-1 | Virginia, USA |

### Application Hosting

| Service | Provider | Data Center | Notes |
|---------|----------|-------------|-------|
| **Web Application** | Vercel | US (multiple edge locations) | Static assets served from nearest edge; server functions execute in US-East-1 |
| **CDN / Edge Cache** | Vercel Edge Network | Global edge, origin US | Cached static content only; no PII at edge |

### Supporting Services

| Service | Function | Data Location |
|---------|----------|---------------|
| **Stripe** | Payment Processing | USA (PCI DSS Level 1) |
| **Upstash** | Rate Limiting (Redis) | AWS US-East-1 |
| **Resend** | Email Delivery | USA |
| **Sentry** | Error Monitoring | USA |

## Data Categories

### Personally Identifiable Information (PII)

PII is stored exclusively in Supabase (AWS US-East-1, Virginia):

- Email addresses
- Full names
- Organizational affiliation
- Certification details (certificate numbers, dates)

### Payment Data

- Handled entirely by Stripe (PCI DSS Level 1 certified)
- BCA does **not** store credit card numbers, CVVs, or full card details
- Only Stripe customer IDs and subscription IDs are stored in our database

### Educational Records

- Exam progress, quiz results, flashcard mastery data
- Course completions and certificate records
- CEU credit tracking
- All stored in Supabase (AWS US-East-1)

## Data in Transit

- All data transmitted over TLS 1.2+ (HTTPS enforced)
- HSTS enabled with `max-age=63072000; includeSubDomains`
- No unencrypted data transmission

## Data at Rest

- AES-256 encryption at the database level (Supabase/AWS)
- Encrypted backups with automated daily snapshots
- Point-in-time recovery available

## Cross-Border Data Transfers

BCA does **not** transfer personal data outside of the United States. All data processing occurs within US-based data centers.

**Edge caching note:** Static assets (CSS, JavaScript, images) may be cached at Vercel edge locations globally for performance. These assets contain no personal data.

## Data Retention

| Data Type | Retention Period |
|-----------|-----------------|
| Active user data | Duration of account + 30 days after deletion request |
| Inactive accounts | 2 years of inactivity, then notified before deletion |
| Payment records | Per Stripe retention policies (7 years for tax/legal) |
| Error logs (Sentry) | 90 days |
| Rate limiting data | Ephemeral (TTL-based, <24 hours) |

## Government Agency Compliance

BCA's data residency posture is compatible with:

- **State data residency requirements** — All data stored in the US
- **CJIS Security Policy** — Data does not leave US borders
- **IRS Publication 1075** — Data stored in continental US

## Contact

For data residency questions or to request a Data Processing Agreement (DPA):

- **Email:** privacy@buildingcodeacademy.org
- **DPA Requests:** dpa@buildingcodeacademy.org

---

*This document is reviewed and updated quarterly.*
