Last updated: June 9, 2026

Security

Your bank statements, payroll records, and tax data deserve serious protection. Here's exactly how we provide it.

Encryption

  • In transit: TLS 1.3 on all connections; HTTPS is enforced with HSTS (on the preload list), so browsers never fall back to plaintext
  • At rest: AES-256 on Supabase managed Postgres + AWS S3 file storage
  • Sensitive PII (SIN): Column-level encryption with pgcrypto symmetric keys; the key is held by the application and is not stored in the database, so the column is ciphertext to anyone reading the database directly, including a database administrator
  • Passwords: bcrypt-hashed with per-user salt; we never see or store plaintext

Access control

  • Row-Level Security (RLS) policies on every database table, enforced by Postgres itself: a query can only return the signed-in user's rows, even if the application code that built the query is wrong
  • Magic-number file validation on uploads: the file's leading bytes are checked against known signatures, and the client-supplied Content-Type header is not trusted
  • Signed URLs for receipt downloads with 60-second TTL — no hot-linkable file paths
  • Server-side origin allowlist for Server Actions: state-changing requests whose Origin header is not on the list are rejected, which blocks CSRF
  • Auto sign-out after 30 minutes of inactivity
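
The upload check and the origin check from the list above, as an added TypeScript example (not MetaTax's own code). The accepted file types and their byte signatures, the allowed origin https://app.metatax.ca, and the sample byte strings are all assumptions constructed for the demo.

```typescript
// Added example, not MetaTax's own code. Accepted types, signatures, the
// allowed origin and the sample inputs below are assumptions for this demo.

// Leading bytes a genuine file of each accepted type must start with.
const MAGIC: Record<string, number[]> = {
  "application/pdf": [0x25, 0x50, 0x44, 0x46, 0x2d],             // "%PDF-"
  "image/png": [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a], // PNG signature
  "image/jpeg": [0xff, 0xd8, 0xff],                               // JPEG SOI marker
};

// Type implied by the bytes themselves, or null when no known signature matches.
// A file shorter than the signature (truncated upload) also yields null.
function sniffType(bytes: Uint8Array): string | null {
  for (const [type, sig] of Object.entries(MAGIC)) {
    if (bytes.length >= sig.length && sig.every((b, i) => bytes[i] === b)) return type;
  }
  return null;
}

// Accept an upload only when the bytes carry a known signature AND it agrees
// with the type the client declared. The declared Content-Type is used only
// for this cross-check, never to decide how the file is stored or served.
function validateUpload(
  bytes: Uint8Array,
  declaredContentType: string,
): { ok: boolean; reason: string } {
  const detected = sniffType(bytes);
  if (detected === null) return { ok: false, reason: "unrecognised file signature" };
  const declared = declaredContentType.split(";")[0].trim().toLowerCase();
  if (declared !== detected) {
    return { ok: false, reason: `declared ${declared} but bytes are ${detected}` };
  }
  return { ok: true, reason: detected };
}

// Origin allowlist for state-changing requests (e.g. Server Actions). Assumed value.
const ALLOWED_ORIGINS = new Set(["https://app.metatax.ca"]);

// Compare the full normalised origin (scheme, host, port), never a prefix, so
// "https://app.metatax.ca.evil.example" cannot pass. A missing or unparseable
// Origin (including the literal "null") is refused, not assumed same-origin.
function isAllowedOrigin(headers: Record<string, string | undefined>): boolean {
  const origin = headers["origin"];
  if (!origin) return false;
  try {
    return ALLOWED_ORIGINS.has(new URL(origin).origin);
  } catch {
    return false;
  }
}

// Constructed sample inputs for the demo.
const SAMPLE_PDF = new Uint8Array([0x25, 0x50, 0x44, 0x46, 0x2d, 0x31, 0x2e, 0x37]); // "%PDF-1.7"
const SAMPLE_HTML = Uint8Array.from("<html><script>alert(1)</script>", (c) => c.charCodeAt(0));

function demo(): Record<string, boolean> {
  return {
    pdfDeclaredPdf: validateUpload(SAMPLE_PDF, "application/pdf").ok,                  // true
    pdfDeclaredPng: validateUpload(SAMPLE_PDF, "image/png").ok,                        // false
    htmlDeclaredJpeg: validateUpload(SAMPLE_HTML, "image/jpeg").ok,                    // false
    truncatedPng: sniffType(new Uint8Array([0x89, 0x50])) === null,                    // true
    goodOrigin: isAllowedOrigin({ origin: "https://app.metatax.ca" }),                 // true
    lookalikeOrigin: isAllowedOrigin({ origin: "https://app.metatax.ca.evil.example" }), // false
    missingOrigin: isAllowedOrigin({}),                                                // false
  };
}
```

The mismatch case matters as much as the unknown-signature case: a real PDF declared as image/png is refused too, because the declared type is what the storage layer and the download response would otherwise echo back to a browser.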

Audit logging

  • Every meaningful action (sign-in, upload, expense, employee added, account deletion) is logged with a tamper-evident timestamp
  • You can see your own activity log in Settings → Privacy
  • Audit log retained 24 months, then auto-purged
  • Server-side request logs from Vercel retained 30 days
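
One way to make log entries tamper-evident, as an added TypeScript example that is not MetaTax's own code: a hash chain in which each entry commits to its own timestamp and to the previous entry's hash. The event names, user id and sample entries are constructed for the demo.

```typescript
import { createHash } from "crypto";

// Added example, not MetaTax's own code: a hash-chained audit log in which
// each entry commits to its timestamp and to the previous entry's hash.
// Editing, deleting, reordering or back-dating an earlier entry then breaks
// the chain at that point, and verification reports the first bad entry.
// Event names and sample entries below are constructed for this demo.

interface AuditEntry {
  seq: number;       // position in the chain, starting at 0
  ts: string;        // ISO-8601 time the entry was written
  userId: string;
  action: string;    // e.g. "sign-in", "upload", "employee.added"
  prevHash: string;  // hash of the previous entry, "" for the first
  hash: string;      // SHA-256 over the fields above
}

type Unhashed = Omit<AuditEntry, "hash">;

// Fixed field order, so the same entry always produces the same bytes to hash.
function canonical(e: Unhashed): string {
  return JSON.stringify([e.seq, e.ts, e.userId, e.action, e.prevHash]);
}

function entryHash(e: Unhashed): string {
  return createHash("sha256").update(canonical(e)).digest("hex");
}

class AuditLog {
  readonly entries: AuditEntry[] = [];

  append(userId: string, action: string, ts: string = new Date().toISOString()): AuditEntry {
    const prev = this.entries[this.entries.length - 1];
    const base: Unhashed = {
      seq: this.entries.length,
      ts,
      userId,
      action,
      prevHash: prev ? prev.hash : "",
    };
    const entry: AuditEntry = { ...base, hash: entryHash(base) };
    this.entries.push(entry);
    return entry;
  }

  // Walk the chain from the start. Returns the index of the first entry whose
  // position, back-link or hash is wrong, or -1 when the whole log is intact.
  verify(): number {
    let prevHash = "";
    for (let i = 0; i < this.entries.length; i++) {
      const { hash, ...rest } = this.entries[i];
      if (rest.seq !== i || rest.prevHash !== prevHash || hash !== entryHash(rest)) return i;
      prevHash = hash;
    }
    return -1;
  }

  // Hash of the newest entry. Store it somewhere the database writer cannot
  // change, so that a rewrite of the entire chain is also detectable.
  head(): string {
    const last = this.entries[this.entries.length - 1];
    return last ? last.hash : "";
  }
}

// Constructed sample log for the demo.
function sampleLog(): AuditLog {
  const log = new AuditLog();
  log.append("u_42", "sign-in", "2026-06-09T14:00:00Z");
  log.append("u_42", "upload", "2026-06-09T14:01:30Z");
  log.append("u_42", "employee.added", "2026-06-09T14:05:12Z");
  log.append("u_42", "sign-out", "2026-06-09T14:31:00Z");
  return log;
}

// Four scenarios; returns the index verify() reports for each.
function demo(): { intact: number; edited: number; backdated: number; deleted: number } {
  const intact = sampleLog().verify();                 // -1

  const edited = sampleLog();
  edited.entries[1].action = "account.deleted";        // rewrite a past event

  const backdated = sampleLog();
  backdated.entries[2].ts = "2026-06-09T13:00:00Z";    // move a timestamp earlier

  const deleted = sampleLog();
  deleted.entries.splice(1, 1);                        // drop an entry from the middle

  return {
    intact,
    edited: edited.verify(),       // 1
    backdated: backdated.verify(), // 2
    deleted: deleted.verify(),     // 1
  };
}
```

The chain only proves that nothing changed since the head hash was recorded; an attacker who can rewrite every row and recompute every hash is caught only if head() is periodically copied somewhere the same credentials cannot reach.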

Data residency

  • Database: Supabase managed Postgres in ca-central-1 (Toronto)
  • File storage: AWS S3 in Canada Central
  • Application servers: Vercel Edge in Washington DC (USA) — required for global low-latency. Database queries flow over an encrypted private connection
  • AI processing: Anthropic Claude API — only redacted merchant strings sent; never amounts, names, SINs, or account numbers

Operational security

  • Production secrets managed via Vercel environment variables — never committed to source control
  • Dependency vulnerability scanning on every commit via GitHub CodeQL
  • Weekly npm audit; a high-severity finding blocks deployment
  • Annual penetration testing by an independent third party
  • Backup and recovery: Supabase managed daily backups with 7-day retention

Compliance

  • PIPEDA-compliant data handling (see Privacy Policy)
  • CRA-aligned tax calculation formulas (T4127, T2 GIFI Schedule 100/125)
  • Aligned with CSA's Industry Best Practices for Canadian SaaS
  • Working toward SOC 2 Type II — target Q3 2027

Found a vulnerability?

Email security@metatax.ca with details and reproduction steps. We respond within 14 days. We don't pay bounties yet but we publicly thank researchers in the next release notes.