July 27, 2026

PIPEDA-Compliant AI for Canadian SMBs — A Practical Guide

PIPEDA-compliant AI for a Canadian SMB requires Canadian data residency, explicit consent for AI processing, accuracy obligations, and an audit trail for every automated decision. Here is the practical version, written by an operator who ships builds under PIPEDA every month.

Quick answer: PIPEDA-compliant AI for a Canadian SMB requires four things: Canadian data residency for personal information, explicit consent for AI processing where consent is required, accuracy obligations on automated decisions, and an audit trail showing how each decision was made. Compass builds with all four on every engagement.

PIPEDA — the Personal Information Protection and Electronic Documents Act — is the Canadian federal privacy law that governs how businesses collect, use, and disclose personal information. It applies to every Canadian SMB that handles customer data.

AI raises specific PIPEDA questions that did not exist when the law was written. This article covers the practical version: what PIPEDA actually requires for AI builds, where Canadian SMBs trip, and how to design AI workflows that pass.

What PIPEDA requires of AI workflows

Four obligations that matter most for AI implementation:

  1. Limiting collection (PIPEDA Principle 4). AI workflows must collect only the personal information needed for the identified purpose. Training a model on data "in case it is useful later" is not compliant.
  2. Accuracy (Principle 6). Personal information must be as accurate, complete, and up-to-date as necessary for the purposes it will be used for. Automated decisions made on stale data create liability.
  3. Safeguards (Principle 7). Personal information must be protected by security safeguards appropriate to the sensitivity of the information. This includes how the AI processes, transmits, and stores data.
  4. Openness and individual access (Principles 8 and 9). Customers can ask what personal information is being processed about them by AI. Saying "the model decided" is not an answer that satisfies the obligation.

Beyond the four above, the Office of the Privacy Commissioner (OPC) has published guidance specifically on AI processing under PIPEDA. The guidance prioritizes consent, transparency, and accountability for automated decisions.

Canadian data residency — what it actually means

Canadian data residency means personal information processed by the AI lives on infrastructure physically located in Canada. For practical purposes:

  • Storage: databases in a Canadian region (AWS Canada Central, Azure Canada Central, Google Cloud northamerica-northeast1/2 (Montréal, Toronto), Vercel CA-Central).
  • Processing: model inference happens in Canada. For OpenAI / Anthropic / Google models, this requires using the Canadian region endpoints where available, or routing through a Canadian-region proxy.
  • Backups: disaster recovery copies stay in Canada or in regions covered by an adequacy framework.

US-only services that route data through US infrastructure create a cross-border transfer that requires additional contractual safeguards. Compass builds with Canadian data residency by default on every engagement.

Consent for AI processing

PIPEDA requires meaningful consent for the collection, use, and disclosure of personal information. AI processing is a use that customers should know about.

Three patterns Compass uses on builds:

  • Disclosure in privacy policy. Every Compass client gets a privacy policy update that names AI processing, the categories of decisions made, and the right to request human review.
  • Active consent at the point of collection. Web forms, intake calls, and contracts include AI processing in the consent language. The customer knows when they say "yes" what they are saying yes to.
  • Opt-out for non-essential AI processing. Where AI processing is not essential to deliver the service the customer requested, opt-out has to be available. Compass builds the opt-out path during the Heading phase.

The OPC has not been quiet on this. Businesses operating without explicit consent for AI processing face complaint risk, brand risk, and potential enforcement action.

Accuracy obligations on automated decisions

Principle 6 (accuracy) is where AI runs into PIPEDA-shaped trouble. Automated decisions on stale data can be wrong in ways that affect customers.

Compass builds with three safeguards:

  • Data freshness checks. Every automated decision references data that has a documented freshness check. Decisions on stale data either refuse to run or escalate to a human.
  • Confidence thresholds. Decisions below a confidence threshold escalate to a human. The threshold is set per use case during the Charting phase and reviewed quarterly.
  • Audit trail per decision. Every automated decision generates an audit log: what data was used, what the agent decided, what confidence level, and whether the decision was overridden by a human.

The audit trail also serves the openness obligation (Principle 8). Customers asking "what did your AI decide about me and on what basis" get a real answer.
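A minimal decision gate that applies the three safeguards above (freshness check, confidence threshold, one audit record per decision, with room for the human override), added here as an example and not Compass's own code; the 30-day window, the 0.85 threshold, the field names and the customer values are assumptions chosen for illustration.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Optional
import json

# Constructed values for illustration; real windows and thresholds are set per use case.
MAX_AGE = timedelta(days=30)
THRESHOLD = 0.85
EXAMPLE_NOW = datetime(2026, 7, 27, tzinfo=timezone.utc)  # fixed clock for the demo

def days_ago(n, now=EXAMPLE_NOW):
    return now - timedelta(days=n)

@dataclass
class DecisionRecord:
    """One audit-trail entry: inputs used, proposal, confidence, outcome, human override."""
    subject_id: str
    decided_at: str
    inputs_used: dict                 # field -> {"value": ..., "as_of": ISO timestamp}
    proposed_decision: str
    confidence: float
    outcome: str                      # "automated" or "escalated"
    escalation_reason: Optional[str] = None
    human_override: Optional[dict] = None

    def to_json(self) -> str:
        return json.dumps(asdict(self), sort_keys=True)

def gate_decision(subject_id, inputs, proposed, confidence, *,
                  max_age=MAX_AGE, threshold=THRESHOLD, now=None):
    """inputs: {field: (value, as_of datetime)}. Applies the decision only when every
    input is fresh and confidence meets the threshold; escalates otherwise. Always logs."""
    now = now or datetime.now(timezone.utc)
    used = {k: {"value": v, "as_of": t.isoformat()} for k, (v, t) in inputs.items()}
    rec = DecisionRecord(subject_id, now.isoformat(), used, proposed, confidence, "automated")
    stale = sorted(k for k, (_, t) in inputs.items() if now - t > max_age)
    if stale:
        rec.outcome, rec.escalation_reason = "escalated", "stale data: " + ", ".join(stale)
    elif confidence < threshold:
        rec.outcome, rec.escalation_reason = "escalated", f"confidence {confidence:.2f} below threshold {threshold}"
    return rec

def record_human_review(rec, reviewer, final_decision, now=None):
    """Closes an escalation (or overrides an automated decision) in the same record."""
    now = now or datetime.now(timezone.utc)
    rec.human_override = {"reviewer": reviewer, "final_decision": final_decision,
                          "reviewed_at": now.isoformat()}
    return rec
```

Because the record keeps the proposal, the confidence and the override side by side, an access request under Principle 9 can be answered from the log alone.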

Where Canadian SMBs trip on PIPEDA + AI

Five patterns Compass sees repeatedly:

  1. Using US-only SaaS for personal information. Many AI tools sold in Canada are hosted exclusively in US data centres. This creates a cross-border data flow that needs PIPEDA-compliant contractual handling.
  2. Training models on customer data without consent. Fine-tuning a model on customer interaction data is processing — and processing for new purposes generally requires fresh consent.
  3. No path for customer access requests. PIPEDA Principle 9 says customers can ask what personal information you have about them. AI processing introduces new categories of "what we have" that the existing access process may not cover.
  4. Opaque automated decisions. "The model decided" is not a PIPEDA-compliant answer when a customer asks why a decision was made about them.
  5. Subprocessor transparency. Cloud providers, model providers, and tool providers are subprocessors under PIPEDA. The customer is entitled to know who is processing their data.

Compass addresses all five during the Heading and True North phases of the Compass Method.

Practical checklist for a Canadian SMB

If you are evaluating an AI vendor as a Canadian SMB, ask each one:

  1. Where is personal information stored and processed during runtime?
  2. Where are model weights stored, and where does inference happen?
  3. What is your access request response time and process?
  4. How are automated decisions logged and what does the audit trail include?
  5. Who are the subprocessors and where are they located?
  6. What is the data deletion path on customer request?
  7. How do you handle consent for AI processing during the customer onboarding flow?

A vendor that cannot answer all seven in plain English is not ready to handle PIPEDA-grade work.

When PIPEDA is not the right framework

Two situations where PIPEDA is not the only framework that applies:

  • Quebec. Quebec's Law 25 (formerly Bill 64) is stricter than PIPEDA on automated decisions, consent, and data residency. Compass builds for Quebec-touching clients with Law 25 as the governing framework when it applies.
  • Vertical-specific obligations. Healthcare under PHIPA (Ontario), legal under Law Society standards, real estate under RECO, financial services under provincial securities law — each adds requirements on top of PIPEDA.

Frequently asked questions

What does PIPEDA require for AI builds? PIPEDA requires Canadian data residency for personal information, explicit consent for AI processing where consent is required, accuracy obligations on automated decisions, and an audit trail showing how each decision was made. These obligations apply to every Canadian SMB using AI on customer data.

Does PIPEDA require Canadian data residency for AI? PIPEDA does not literally require Canadian data residency, but cross-border data flows require contractual safeguards. The Office of the Privacy Commissioner's guidance on transborder data flows is the practical standard. Compass builds with Canadian data residency by default to avoid the cross-border complexity.

Can I use OpenAI / Anthropic / Google AI under PIPEDA? Yes, with the right configuration. OpenAI offers Canadian data residency via Azure OpenAI Service. Anthropic offers Canadian-region access via Amazon Bedrock. Google AI offers Canadian regions on Vertex AI. Compass builds with whichever provider best fits the client's use case and Canadian-region requirements.

What is the OPC's position on AI under PIPEDA? The Office of the Privacy Commissioner has published joint guidance with provincial privacy commissioners on generative AI. The guidance prioritizes consent, transparency, and accountability for automated decisions. The guidance is the practical standard until PIPEDA reform legislation passes.

Do I need new consent language for AI processing? In most cases, yes. PIPEDA requires meaningful consent for the use of personal information. AI processing is a use that customers should know about. Compass updates every client's privacy policy and consent language during the Heading phase of the engagement.

What happens if a customer asks what my AI decided about them? You must answer. PIPEDA Principle 9 (individual access) covers AI-processed information. Compass builds every automated decision with an audit trail — what data was used, what the decision was, what confidence level, whether a human reviewed — so the access request has a real answer.

Conclusion

PIPEDA-compliant AI is not complicated, but it is specific. Canadian data residency, explicit consent, accuracy obligations, and audit trails on automated decisions are the four pillars. Get those right and the rest follows.

For Canadian SMBs evaluating an AI vendor, the seven-question checklist is the starting point. For SMBs ready to build, the Bearings call covers PIPEDA explicitly during process discovery.

This article is not legal advice. Compass writes a specific PIPEDA compliance summary into every build deliverable, but engagements that touch sensitive data or regulated verticals (legal, healthcare, financial services) should involve a Canadian privacy lawyer.
