Enterprise-grade security and PIPEDA compliance designed specifically for CPA firms handling sensitive tax and financial data across Canada.
Multiple layers of encryption and security ensure your clients' sensitive financial information is protected at all times.
All data transmitted between your browser and our servers is protected with TLS 1.2+ encryption. Every API call, file upload, and page load is secured with industry-standard transport layer security.
All stored data, including client records, tax documents, and financial information, is encrypted using AES-256. Even in the unlikely event of unauthorized physical access, your data remains unreadable.
Your data is hosted on secure infrastructure in Canada, ensuring compliance with Canadian data residency requirements. Your clients' information never leaves Canadian jurisdiction without your explicit consent.
Each firm's SMTP, SMS, and integration credentials are encrypted with dedicated AES-256 keys. Credentials are decrypted only at the moment of use and never stored in plaintext or shared between firms.
Your data is automatically backed up on a regular schedule with point-in-time recovery capabilities. Backups are encrypted and stored in geographically separate locations to protect against data loss from any single point of failure.
Ensure the right people see the right data with role-based permissions, two-factor authentication, and comprehensive audit trails.
Four distinct permission levels ensure staff only access what they need.
Protect accounts with OTP verification delivered via email or SMS for every login.
Automatic session timeouts and comprehensive logging of all user activity.
Every office and branch on MyCPACRM operates in a completely isolated environment. There is zero possibility of data crossing between offices.
Every database query is automatically filtered by firm. It is architecturally impossible for one firm to access another firm's client data, filings, documents, or communications.
Each firm configures their own email server and SMS provider. Client communications are always sent from your firm's own credentials, never from a shared system or another firm's configuration.
Document uploads and file storage are organized into firm-specific buckets. Access controls ensure documents uploaded by one firm cannot be accessed or enumerated by any other firm.
Background jobs, automated reminders, and scheduled tasks all verify firm context before execution. Each operation is scoped to a single firm with explicit security checks to prevent any cross-contamination.
MyCPACRM is designed from the ground up to meet the requirements of the Personal Information Protection and Electronic Documents Act (PIPEDA), the federal privacy law governing how private-sector organizations collect, use, and disclose personal information.
All personally identifiable information (SIN, BN, addresses, financial data) is encrypted and access-controlled.
Clients can request access to their personal information and have inaccuracies corrected at any time.
Export client data in CSV and PDF formats for portability, regulatory review, or migration purposes.
Configurable retention policies ensure data is kept only as long as necessary and securely disposed of when no longer required.
Track and manage client consent for data collection, email communications, and SMS reminders with clear opt-in and opt-out controls.
Security and privacy considerations are built into every feature from the architectural design phase, not bolted on after the fact.
Built on modern, hardened infrastructure with multiple layers of protection to ensure your practice runs without interruption.
Hosted on enterprise-grade cloud infrastructure
Continuous security patches and updates
Protection against distributed attacks
All connections encrypted end-to-end
Automated alerting and uptime monitoring
MyCPACRM aligns with the security frameworks and compliance standards that matter most to Canadian accounting firms.
Fully compliant with the Personal Information Protection and Electronic Documents Act, Canada's federal privacy legislation governing how private-sector organizations handle personal information.
Designed to align with CPA Canada's data handling best practices and guidelines for protecting client information in professional accounting engagements.
Protected against the OWASP Top 10 most critical web application security risks, including injection attacks, broken authentication, cross-site scripting, and insecure deserialization.
Common questions about how we protect your data.
Your data is stored on secure servers hosted in Canada. All data at rest is encrypted with AES-256, and we maintain regular encrypted backups. Your client information never leaves Canadian jurisdiction unless you explicitly choose to export it.
Only authorized users within your firm can access your client data, based on their assigned role (Admin, Manager, Staff, or ReadOnly). MyCPACRM support staff do not have access to your client data. Our architecture ensures complete isolation between offices, and all access is protected by two-factor authentication.
If you cancel, you will have a grace period to export all your data in standard formats (CSV, PDF). After the grace period, your data is securely deleted from our servers and backups in accordance with our data retention policy. We provide clear instructions and tools to ensure a smooth transition.
Absolutely not. We will never sell, rent, or trade your client data to, or share it with, any third party. Your data is yours. We only process it as necessary to provide the MyCPACRM service to your firm, and we are fully transparent about our data practices in our Privacy Policy.
We're happy to discuss our security measures in detail. Reach out to learn how MyCPACRM keeps your firm's data safe.