Security

How we protect your data

Our Commitment

We understand that CRA letters contain sensitive personal and financial information. Security is not an afterthought at Letterwise — it is fundamental to how we build and operate our service.

Encryption

  • In transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3.
  • At rest: Your CRA letter content and interpretations are encrypted in our database.
  • Payments: All payment processing is handled by Stripe, which is PCI DSS Level 1 certified — the highest level of payment security certification.

Authentication

User authentication is managed by Clerk, an enterprise-grade identity platform. We support secure sign-in methods and never store passwords directly on our servers.

Infrastructure

  • Hosted on Vercel's secure, SOC 2 compliant infrastructure
  • Database hosted on Neon with automated backups and point-in-time recovery
  • No CRA letter content is stored in browser local storage or cookies
  • API endpoints are rate-limited to prevent abuse

PIPEDA Compliance

Letterwise complies with the Personal Information Protection and Electronic Documents Act (PIPEDA). This means:

  • We only collect information necessary to provide our service
  • We obtain your consent before collecting personal information
  • You can access, correct, or delete your data at any time
  • We are transparent about how your data is used
  • We have safeguards to protect your information

Data Deletion

You have full control over your data. You can delete individual interpretations or your entire account at any time. When data is deleted, it is permanently removed from our systems within 30 days, including all backups.

Responsible Disclosure

If you discover a security vulnerability, please contact us at security@letterwise.ca. We take all reports seriously and will respond promptly.

← Back to home