Security and compliance overview
Encryption
All data is encrypted:
- At rest: AES-256 encryption for all stored files and database records
- In transit: TLS 1.3 for all connections between your browser and our servers
- Files: Uploaded documents go directly to encrypted object storage — they never pass through our application servers unencrypted
Data residency
When you set up your account, you choose your region (Canada or United States). Your files and database records are stored in data centers in that region:
- Canada: Files stored in Cloudflare R2 Canadian zone, database in Neon ca-central-1
- United States: Files stored in Cloudflare R2 US East, database in Neon us-east-1
This is relevant for PIPEDA compliance (Canada) and data residency requirements.
Access controls
- Only your firm members can access your firm's data
- Clients can only see their own portal — they cannot see other clients' information
- Each client has a unique portal token — guessing another client's URL is not possible
- Session tokens expire after 30 days, or after 7 days of inactivity
Audit log
Every action in the system is logged:
- Document uploaded (by whom, from which IP, at what time)
- Request created or updated
- Document approved or rejected
- Team member actions
The audit log is available in Settings → Data & Privacy → Activity log and can be exported as CSV.
PIPEDA alignment
For Canadian practices, our architecture is designed to meet PIPEDA obligations:
- Data residency in Canada
- Explicit consent for data collection (captured during client portal onboarding)
- Data export and deletion tools (Settings → Data & Privacy)
- Audit trail for all access events
Reporting a security issue
If you believe you have found a security vulnerability, contact us at security@idutax.com. We commit to acknowledging reports within 24 hours.