Data location
All customer data is stored in AWS ca-central-1 (Montreal & Toronto). We do not replicate to US regions. Database backups are encrypted and stored in the same region.
If you need data residency certification for compliance reasons (e.g., government contracts, GDPR-equivalent disclosures for European audiences), we can provide written attestation.
Why this matters. Many "Canadian" bookkeeping tools route data through US data centers. For CRA s.230 retention compliance and Quebec Law 25 obligations, this is a real distinction. Your books should not be subject to US subpoena.
Encryption
- In transit: TLS 1.3 across all client connections. The domain is on the HSTS preload list. Mixed content is blocked at the CDN edge.
- At rest: AES-256-GCM at the database layer (AWS RDS encryption). Backups encrypted with a separate KMS key.
- Field-level encryption for SIN, account numbers, and bank credentials — encrypted before they hit the database, decryption keys rotated quarterly.
- Keys managed via AWS KMS with automated rotation. Customer master keys are never exported.
Bank & platform access
We never store your bank password. Connections to financial institutions are read-only and brokered through Flinks, a Canadian-incorporated open banking provider regulated by FINTRAC. Flinks holds OAuth tokens scoped to read-only access.
Platform connections (YouTube, Stripe, Patreon, etc.) use the official OAuth flow for each provider. Tokens are stored encrypted; we request the minimum scopes required. You can revoke any connection from your settings.
What we can see:
- Transaction history (deposits, withdrawals, transfers)
- Account names and balances
- Account-holder name and email (where provided by the institution)
What we can't see or do:
- Initiate any payment or transfer
- Change your account settings
- Access non-financial accounts
- Share your data with third parties (see sub-processors for the narrow exceptions)
Authentication
- Email + password with bcrypt hashing (cost factor 12) and a required minimum password entropy.
- Two-factor authentication via TOTP (Authy, 1Password, Google Authenticator). SMS backup available but discouraged.
- Session management: sessions expire after 14 days of inactivity. You can see all active sessions and revoke any from your settings.
- SSO (SAML) available on Incorporated plans for firms using Okta, Azure AD, or Google Workspace.
Audit trail
Every change to your books — by you, by your accountant, by the system — is logged with timestamp, actor, and before/after values. This isn't optional or hideable. It's how we comply with CRA's record-keeping requirements under s. 230 of the Income Tax Act.
You can download a full audit log from your settings at any time. It's a CSV; one row per change; retained for the duration of your account plus 6 years.
Retention & deletion
CRA requires you to retain books and records for 6 years from the end of the last taxation year they relate to. We default to this retention period automatically. You don't have to remember it.
If you cancel your account:
- Days 0–30: account is in a soft-cancelled state. You can reactivate with no data loss.
- Days 30–180: account is suspended. Data is retained but you can't log in. You can request a full export.
- Day 180: account is hard-deleted unless you've explicitly opted in to long-term archival (free for accounts under 6 years post-final-filing).
If you need data permanently deleted before the 6-year retention period ends (for example, if CRA never opened the relevant year), email privacy@loonieledgr.ca and we'll process the request within 30 days.
Sub-processors
We use a small number of third-party services to operate. Each has signed our data processing agreement. None of them see your raw bank or platform data.
- AWS (ca-central-1) — infrastructure hosting
- Flinks (Montreal, QC) — bank account read-only access
- Stripe (Toronto offices) — subscription billing only; not for your customer payments
- Postmark — transactional email (receipts, alerts)
- Linear, Notion, GitHub — internal tools that have no access to customer data
Any change to this list will be announced 30 days in advance to customers on Incorporated plans, 14 days for other plans.
Incident response
If we detect a security incident affecting your data, we'll notify you within 24 hours of confirmation, regardless of legal disclosure thresholds. PIPEDA requires "as soon as feasible" — we hold ourselves to a tighter standard.
The notification will include: what happened, what data was affected, what we're doing about it, what we recommend you do, and a contact for follow-up questions.
Responsible disclosure
If you're a security researcher and you've found something, please email security@loonieledgr.ca (PGP key on request). We'll respond within 48 hours, work with you on a fix timeline, and publicly acknowledge your contribution if you'd like.
We don't currently run a bug bounty, but for severe vulnerabilities (account takeover, data exfiltration) we offer cash rewards on a case-by-case basis.
Last updated May 24, 2026.