TaxTrack

Security & Trust

Your tax documents contain some of your most sensitive personal and financial information. Here is exactly how TaxTrack protects it — no marketing speak.

Active protections

TLS 1.3 encryption in transit

Active

All data between your browser and TaxTrack servers is encrypted with TLS 1.3 — the same standard used by major Canadian banks. Your documents and session data are never transmitted in plaintext.

Row-Level Security data isolation

Active

Every table in our database enforces Supabase Row-Level Security (RLS). Database queries are scoped to your user ID at the server level — it is architecturally impossible for one user's query to return another user's documents or financial data.

Payments by Stripe — PCI DSS Level 1

Active

TaxTrack never sees your credit card number. All payment processing is handled directly by Stripe, which holds PCI DSS Level 1 certification — the highest standard in the payments industry. We only receive a subscription status and an anonymised customer ID.

Data stored in Canada

Active

Your documents, tax profile, and financial data are stored on Canadian infrastructure. We comply with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable Ontario privacy law. Data never leaves Canada for storage.

Cloudflare WAF and DDoS protection

Active

All traffic to TaxTrack passes through Cloudflare's Web Application Firewall, which blocks known attack patterns, SQL injection attempts, and DDoS traffic before it reaches our servers. This protection is always on and requires no action from you.

You control your data

Active

You can request deletion of your account and all associated data at any time by emailing hello@taxtrackai.com. We delete personal data within 30 days of a deletion request, except where retention is required by law (billing records, 7 years per CRA requirements). You can also export your data in JSON format on request.

Built on enterprise-grade infrastructure

Supabase
SOC 2

SOC 2 Type II certified database & auth

Cloudflare
WAF

Enterprise WAF, DDoS protection & TLS

Stripe
PCI Level 1

PCI DSS Level 1 payment processing

Anthropic
No training

Enterprise API — no training on your data

On our security roadmap
Independent penetration test by accredited Canadian security firm: Q3 2026
SOC 2 Type II certification process: Q4 2026
CRA NETFILE certification (applying November 2026): Target Feb 2027
ISO 27001 information security management certification path: 2027
EFILE certification for tax professionals filing on behalf of clients: 2027

What TaxTrack does not yet have

TaxTrack is in beta. We have not yet completed an independent security audit, and we are not yet CRA NETFILE certified. We are transparent about this. Our security measures are robust for a beta product, but we will not claim certifications we have not earned. We are building toward those milestones and will update this page as we achieve them.

What you can do to stay secure

Enable two-factor authentication (2FA) on your account — takes 60 seconds
Use a strong, unique password — or a password manager like 1Password or Bitwarden
Do not share your account — each person should have their own login
Log out after using TaxTrack on a shared or public device
Review your uploaded documents and delete any you no longer need
Check your notifications regularly — Eldon flags anything that needs attention

Have a security question or concern?

Found a vulnerability? Please disclose responsibly.

Email us → hello@taxtrackai.com