Data & Security
How we handle your data
Tax data is among the most sensitive information a company holds. Before we talk about what AI can do for your tax function, here is exactly how we protect what you share with us.
Our commitments
We need your workflow, not your data
Most of our work needs the shape of your files, not the data inside them. Wherever it works, we build and test against sanitized structures and dummy values, so real client data often never has to be involved at all.
Your data is never used to train AI models
We use established AI tools on paid plans with model-training turned off, never free or consumer accounts. Nothing you share is used to train a model.
Minimal data, minimal retention
When real data is genuinely needed, we take the least the task requires, keep it in a secured cloud workspace rather than on local machines, and return or delete engagement materials when the work concludes.
Confidentiality is a professional duty
Our practice is led by a licensed CPA, so confidentiality is required by the CPA Rules of Professional Conduct, not only by contract. It is also covered by your engagement letter, and we are glad to sign your NDA or data processing agreement on request.
Tooling and where your data goes
We are deliberate about which tools touch client work. AI assistance comes from established providers
(Anthropic, OpenAI, and Google) on paid plans with model-training disabled, never free or consumer
accounts; those providers maintain their own SOC 2 security programs. We also use Microsoft 365 and GitHub
as everyday tooling, but not their AI assistants, and only code, never client data, ever goes into version
control. We use these tools to build automations, not as a place to warehouse your data. Most major AI
providers process data in the United States, so some processing happens outside Canada; we do not claim
Canadian data residency unless an engagement specifically arranges it.
Regulatory posture
Our practices follow the principles of Canadian privacy law, PIPEDA federally and BC's PIPA provincially:
accountability, limited collection, limited use and retention, and safeguards proportionate to how
sensitive the information is. In practice most engagement data is corporate information, not personal
information; where personal information could be involved, we minimize it or design it out with dummy
data. When an automation is meant to run on live personal data on an ongoing basis, it is built to run
inside the client firm's own environment, where the firm operates it. InnovataxAI is led by a licensed
CPA, so client work carries professional confidentiality obligations under the CPA Rules of Professional
Conduct.
Ask before we start
Every tax function has its own security requirements. If your team needs specific controls, a signed NDA or
data processing agreement, tool restrictions, access logging, or a security review by your IT group, raise it
in the first conversation and we will design the engagement around it.
Have a security question we didn't answer?
Ask it before any engagement begins; we'd rather earn trust early.