Enterprise-grade security and privacy practices designed for CPA firms across the US and Canada handling sensitive tax and financial data — aligned with PIPEDA, CCPA, GLBA, and IRS Publication 4557.
Multiple layers of encryption and security ensure your clients' sensitive financial information is protected at all times.
All data transmitted between your browser and our servers is protected with TLS 1.2+ encryption. Every API call, file upload, and page load is secured with industry-standard transport layer security.
All stored data, including client records, tax documents, and financial information, is encrypted using AES-256 encryption. Even in the unlikely event of unauthorized physical access, your data remains unreadable.
Your data is hosted on Microsoft Azure with regional redundancy. Canadian tenants can elect Canadian Azure regions to satisfy data residency expectations; US tenants can elect US Azure regions for IRS Publication 4557 alignment. Your clients' information stays within your chosen jurisdiction unless you explicitly export it.
Each firm's SMTP, SMS, and integration credentials are encrypted with dedicated AES-256 keys. Credentials are decrypted only at the moment of use and never stored in plaintext or shared between firms.
Your data is automatically backed up on a regular schedule with point-in-time recovery capabilities. Backups are encrypted and stored in geographically separate locations to protect against data loss from any single point of failure.
Ensure the right people see the right data with role-based permissions, two-factor authentication, and comprehensive audit trails.
Four distinct permission levels ensure staff only access what they need.
Protect accounts with OTP verification delivered via email or SMS for every login.
Automatic session timeouts and comprehensive logging of all user activity.
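The access-control layer described in this section (role-based permissions, OTP-gated logins, idle-session timeouts and an audit trail) can be expressed as a single default-deny authorization check. The following is an added illustration written for this page, not MyCPACRM's own code; the four role names come from the FAQ below, while the permission matrix, the 15-minute idle timeout and the action names are assumptions chosen for the example.

```python
"""Default-deny authorization with OTP gating, idle timeout and an audit trail.

Added example, not MyCPACRM code. Role names (Admin, Manager, Staff, ReadOnly)
are taken from the page; the permission matrix and timeout are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set


class Role(Enum):
    ADMIN = "Admin"
    MANAGER = "Manager"
    STAFF = "Staff"
    READONLY = "ReadOnly"


# Assumed permission matrix: each role gets an explicit allow-list of actions.
# Anything not listed is denied, so a new action is closed by default.
PERMISSIONS: Dict[Role, Set[str]] = {
    Role.ADMIN: {"client:read", "client:write", "user:manage", "data:export"},
    Role.MANAGER: {"client:read", "client:write", "data:export"},
    Role.STAFF: {"client:read", "client:write"},
    Role.READONLY: {"client:read"},
}

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed value for the example


@dataclass
class Session:
    user: str
    role: Role
    otp_verified: bool   # set only after the emailed/SMS code was checked
    last_seen: float     # epoch seconds of the last authorized request


@dataclass
class AuditLog:
    entries: List[dict] = field(default_factory=list)

    def record(self, now: float, user: str, action: str, allowed: bool, reason: str) -> None:
        # Every decision is logged, denials included, so the trail shows
        # attempted as well as successful access.
        self.entries.append({"ts": now, "user": user, "action": action,
                             "allowed": allowed, "reason": reason})


def authorize(session: Session, action: str, audit: AuditLog, now: float) -> bool:
    """Return True only if every gate passes; log the outcome either way."""
    if not session.otp_verified:
        audit.record(now, session.user, action, False, "otp_not_verified")
        return False
    if now - session.last_seen > IDLE_TIMEOUT_SECONDS:
        audit.record(now, session.user, action, False, "session_expired")
        return False
    if action not in PERMISSIONS.get(session.role, set()):
        audit.record(now, session.user, action, False, "role_forbidden")
        return False
    session.last_seen = now  # activity extends the session
    audit.record(now, session.user, action, True, "ok")
    return True


def demo() -> dict:
    """Constructed scenario exercising each gate; returns the decisions."""
    audit = AuditLog()
    t0 = 1_700_000_000.0
    staff = Session("staff@example.test", Role.STAFF, True, t0)
    readonly = Session("ro@example.test", Role.READONLY, True, t0)
    no_otp = Session("new@example.test", Role.ADMIN, False, t0)
    stale = Session("idle@example.test", Role.MANAGER, True, t0 - 2 * IDLE_TIMEOUT_SECONDS)
    results = {
        "staff_read": authorize(staff, "client:read", audit, t0 + 1),
        "staff_export": authorize(staff, "data:export", audit, t0 + 2),
        "readonly_write": authorize(readonly, "client:write", audit, t0 + 3),
        "admin_without_otp": authorize(no_otp, "user:manage", audit, t0 + 4),
        "expired_manager": authorize(stale, "client:read", audit, t0 + 5),
        "audit_entries": len(audit.entries),
        "denial_reasons": [e["reason"] for e in audit.entries if not e["allowed"]],
    }
    return results
```

The check order matters: authentication state (OTP) and session liveness are tested before the role lookup, so an unverified or expired session never reaches the permission matrix, and every path, allowed or denied, leaves an audit entry.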
Every office and branch on MyCPACRM operates in a completely isolated environment. There is zero possibility of data crossing between offices.
Every database query is automatically filtered by firm. It is architecturally impossible for one firm to access another firm's client data, filings, documents, or communications.
Each firm configures its own email server and SMS provider. Client communications are always sent from your firm's own credentials, never from a shared system or another firm's configuration.
Document uploads and file storage are organized into firm-specific buckets. Access controls ensure documents uploaded by one firm cannot be accessed or enumerated by any other firm.
Background jobs, automated reminders, and scheduled tasks all verify firm context before execution. Each operation is scoped to a single firm with explicit security checks to prevent any cross-contamination.
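The isolation claims in this section rest on two mechanisms: every database query carries a firm predicate, and background jobs establish an explicit firm context before they touch data. The following is an added example of that pattern, written for this page rather than taken from MyCPACRM; the table layout, the two sample firms and the `run_as_firm` helper are constructed for illustration.

```python
"""Firm-scoped data access: no query runs without a firm context, and the
firm predicate is applied even when a primary key is supplied.

Added example, not MyCPACRM code. Schema and sample rows are constructed.
"""
import sqlite3
from contextvars import ContextVar
from typing import Callable, List, Optional, Tuple

# Set per request or per background job. Nothing here can query without it.
_current_firm: ContextVar[Optional[int]] = ContextVar("current_firm", default=None)


class MissingFirmContext(RuntimeError):
    """Raised when code tries to touch client data with no firm context set."""


def require_firm() -> int:
    firm_id = _current_firm.get()
    if firm_id is None:
        raise MissingFirmContext("no firm context set; refusing to run query")
    return firm_id


class FirmScopedRepo:
    """Wraps a connection so every statement is filtered by the current firm."""

    def __init__(self, conn: sqlite3.Connection) -> None:
        self.conn = conn

    def list_clients(self) -> List[Tuple[int, str]]:
        firm_id = require_firm()
        return self.conn.execute(
            "SELECT id, name FROM clients WHERE firm_id = ? ORDER BY id",
            (firm_id,),
        ).fetchall()

    def get_client(self, client_id: int) -> Optional[Tuple[int, str]]:
        # The firm predicate stays even though the id is unique: a guessed or
        # leaked id belonging to another firm simply returns no row.
        firm_id = require_firm()
        return self.conn.execute(
            "SELECT id, name FROM clients WHERE id = ? AND firm_id = ?",
            (client_id, firm_id),
        ).fetchone()


def run_as_firm(firm_id: int, job: Callable, *args):
    """Run a background job with an explicit firm context, then clear it.

    The context is reset in `finally` so a failing job cannot leave its firm
    id behind for the next task on the same worker.
    """
    token = _current_firm.set(firm_id)
    try:
        return job(*args)
    finally:
        _current_firm.reset(token)


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: two firms, each with its own clients."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE clients (id INTEGER PRIMARY KEY, firm_id INTEGER NOT NULL, name TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO clients VALUES (?, ?, ?)",
        [(1, 100, "Acme Ltd"), (2, 100, "Bright Tax Inc"), (3, 200, "Northwind LLP")],
    )
    return conn


def demo() -> Tuple[list, Optional[tuple], list, bool]:
    """Exercise same-firm reads, a cross-firm lookup, and a missing context."""
    repo = FirmScopedRepo(build_demo_db())
    firm100 = run_as_firm(100, repo.list_clients)
    cross = run_as_firm(100, repo.get_client, 3)   # client 3 belongs to firm 200
    firm200 = run_as_firm(200, repo.list_clients)
    try:
        repo.list_clients()                          # no context: must refuse
        refused = False
    except MissingFirmContext:
        refused = True
    return firm100, cross, firm200, refused
```

The important property is that the firm filter is not something callers remember to add; it is applied inside the repository from a context that must already be set, so a forgotten `WHERE firm_id = ?` becomes a raised error rather than a silent cross-firm read.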
MyCPACRM is designed from the ground up to meet the privacy expectations of accounting firms in both Canada and the US. Canadian firms get alignment with the Personal Information Protection and Electronic Documents Act (PIPEDA) — Canada's federal privacy law governing how private-sector organizations collect, use, and disclose personal information.
US firms get alignment with the California Consumer Privacy Act (CCPA / CPRA), Virginia's VCDPA and similar state laws, the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule for financial institutions, and IRS Publication 4557 ("Safeguarding Taxpayer Data") — the IRS's specific guidance for tax practitioners.
All personally identifiable information — SSN and EIN (US), SIN and BN (Canada), addresses, banking, and financial data — is encrypted and access-controlled at the field level.
Clients can request access to their personal information and have inaccuracies corrected at any time.
Export client data in CSV and PDF formats for portability, regulatory review, or migration purposes.
Configurable retention policies ensure data is kept only as long as necessary and securely disposed of when no longer required.
Track and manage client consent for data collection, email communications, and SMS reminders with clear opt-in and opt-out controls.
Security and privacy considerations are built into every feature from the architectural design phase, not bolted on after the fact.
Built on modern, hardened infrastructure with multiple layers of protection to ensure your practice runs without interruption.
Hosted on enterprise-grade cloud infrastructure
Continuous security patches and updates
Protection against distributed attacks
All connections encrypted end-to-end
Automated alerting and uptime monitoring
MyCPACRM aligns with the security frameworks and compliance standards that matter most to accounting firms across the US and Canada.
Aligned with the Personal Information Protection and Electronic Documents Act (Canada's federal privacy law) and CPA Canada's data-handling best practices for professional accounting engagements.
Aligned with the California Consumer Privacy Act (CCPA / CPRA) and similar state privacy laws, the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, and IRS Publication 4557 — the IRS's data-security guidance for tax practitioners.
Protected against the OWASP Top 10 most critical web application security risks, including injection attacks, broken authentication, cross-site scripting, and insecure deserialization.
Common questions about how we protect your data.
Your data is stored on Microsoft Azure with regional redundancy. Canadian tenants can elect Canadian Azure regions; US tenants can elect US Azure regions, satisfying data-residency expectations under PIPEDA in Canada and IRS Publication 4557 in the US. All data at rest is encrypted with AES-256, all transit with TLS 1.3, and we maintain regular encrypted backups (30-day retention). Your client information never leaves your chosen jurisdiction unless you explicitly export it.
Only authorized users within your firm can access your client data, based on their assigned role (Admin, Manager, Staff, or ReadOnly). MyCPACRM support staff do not have access to your client data. Our architecture ensures complete isolation between offices, and all access is protected by two-factor authentication.
If you cancel, you will have a grace period to export all your data in standard formats (CSV, PDF). After the grace period, your data is securely deleted from our servers and backups in accordance with our data retention policy. We provide clear instructions and tools to ensure a smooth transition.
Absolutely not. We will never sell, share, rent, or trade your client data to any third party. Your data is yours. We only process it as necessary to provide the MyCPACRM service to your firm, and we are fully transparent about our data practices in our Privacy Policy.
We're happy to discuss our security measures in detail. Reach out to learn how MyCPACRM keeps your firm's data safe.