Security

Our Commitment

We understand that CRA letters contain sensitive personal and financial information.
At Letterwise, security is not an afterthought — it is fundamental to how we design and operate our service.

Encryption

In transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3.

At rest: Your CRA letter content and its interpretations are encrypted in our database.

Payments: All payment processing is handled by Stripe, which is PCI DSS Level 1 certified — the highest level of payment security certification.

Authentication

User authentication is managed by Clerk, an enterprise-grade identity platform.
We support secure sign-in methods and never store passwords directly on our servers.

Infrastructure

• Hosted on secure infrastructure compliant with SOC 2
• Database with automated backups and point-in-time recovery
• No CRA letter content is stored in browser local storage or cookies
• API endpoints are rate-limited to prevent abuse

PIPEDA Compliance

Letterwise complies with the Personal Information Protection and Electronic Documents Act (PIPEDA). This means:

• We collect only the information necessary to provide our service
• We obtain your consent before collecting personal information
• You can access, correct, or delete your data at any time
• We are transparent about how your data is used
• We implement appropriate safeguards to protect your information

Data Deletion

You retain full control over your data.
You may delete individual interpretations or your entire account at any time.
When data is deleted, it is permanently removed from our systems within a maximum of 30 days, including all backups.

Responsible Disclosure

If you discover a security vulnerability, please contact us at:
security@letterwise.ca

We take all reports seriously and will respond promptly.