Public data. Source link-back. Human QA.

Trust at cityminutes

How we source data, how we verify it, how we secure it, and what we commit to. We are an early-stage company and we own that — this page updates as we add certifications, security controls, and transparency surfaces.

Data sourcing

cityminutes only ingests data that is already public. Every field in our product traces back to a primary source document (planning commission agenda, meeting minutes, council resolution, staff report, or hearing transcript) published by a local government under sunshine laws, Freedom of Information Acts, Open Meetings Acts, or equivalent (the Brown Act in California, the Texas Public Information Act, the Florida Sunshine Law, and equivalents in every state). The common principle: public bodies conduct public business in public view, with publicly-available records.

We do not scrape private data. We do not ingest anything behind a paywall. We do not use leaked documents. If a jurisdiction's records are temporarily offline, we retry on the next scheduled pull and flag the gap publicly in our coverage list.

Accuracy commitment

Source link-back. Every structured field links back to the primary source. A customer looking at a "Conditions of Approval" field can click through to the exact page of the exact staff report or minutes where the condition appears.

QA loop. Every wedge-field extraction (conditions of approval, community objections, hearing outcomes, staff recommendations) passes human-in-the-loop review before it hits the production feed. Accuracy metrics published quarterly at /trust#accuracy.

Rollback-to-cache policy. We cache every ingested source. If an extraction is disputed, we roll back to the cached primary source and re-extract. Disputed records are flagged in the product until resolved.

Corrections log. When we get something wrong, we publish the correction on /changelog and mark the disputed record with a correction note.

Security

Roadmap status — early-stage and honest.

• SOC 2 Type II. Target Q3 2026. Controls are being implemented against the AICPA Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy). Type I interim milestone Q2 2026.
• Encryption. TLS 1.3 in transit, AES-256 at rest for production databases and object storage.
• Access controls. Role-based, least-privilege defaults, SSO (SAML 2.0) for enterprise customers, audit logging on every production access.
• Infrastructure. Tier 1 US cloud provider (final vendor documented in the enterprise security addendum). Multi-AZ production database with automated backups and point-in-time recovery.
• Incident response. Public status page at /status. Incidents affecting customer data disclosed to affected customers within 72 hours of detection.

Privacy

Planning commission minutes are public records. Names of applicants, commenters, developers, attorneys, and city staff appear in them because they are part of the public record of a public meeting. We do not redact public participation in public proceedings — it would undermine data integrity.

Take-down requests. If an individual contacts us with a legitimate concern (name confusion, misattribution, a demonstrable error, or an active safety concern), we review in good faith and — where warranted — correct the record, append a clarification, or remove the name from the structured fields while linking to the still-public primary source.

GDPR / CCPA. We honor data-subject requests consistent with the legal frameworks. Our Privacy Policy details the request channels and response timelines.

No re-identification. Some jurisdictions publish public comment with only first names or pseudonyms. We do not attempt to re-identify anonymous commenters or cross-reference them against other personal databases.

Compliance roadmap

• GDPR-ready cookie consent + DSR workflow — Q2 2026
• CCPA DSR channel — Q2 2026
• SOC 2 Type I — Q2 2026
• SOC 2 Type II — Q3 2026
• VPAT / Section 508 — Q3 2026
• ISO 27001 — 2027 evaluation

Transparency commitments

• Published coverage list — /coverage. Every covered jurisdiction with last-refreshed timestamp and source URL.
• Published accuracy metrics — Quarterly on /trust#accuracy. Sample-based field-level accuracy, extraction latency, dispute resolution times.
• Public changelog — /changelog. Every product release, data correction, coverage addition.
• Incident status page — /status.
• No PBN backlinks. cityminutes does not buy, rent, or trade private blog network links. Our backlink profile is earned editorial, partnership, and research citations. A structural commitment — and a direct contrast with one tracked competitor.

Vendor list and trust center

Vendor list — published in full after the Q2 2026 security review. Headline categories: cloud hosting, transactional email, analytics (first-party, no-PII defaults), customer support, error monitoring, SSO/SAML provider. Full list available to enterprise customers under NDA.

Trust center. Enterprise security docs (SOC 2 report, pen test summaries, DPA templates, sub-processor list) live at /trust-center behind a short NDA form. Launches alongside first enterprise contract close in Q3 2026.

Security contact

Security questions, responsible disclosure reports, enterprise security due diligence: security@cityminutes.ai. We acknowledge good-faith reports within 5 business days. No public bug bounty today.