Security at AgentCRA
You're trusting us with financial records. Here's how we protect them.
Encryption
- All traffic is encrypted in transit with TLS.
- Connected email-account tokens are encrypted at rest (Fernet symmetric encryption) — a database copy alone cannot read your inbox.
- Passwords are stored as salted hashes and checked against the HaveIBeenPwned breach database at signup — known-breached passwords are rejected.
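What the password bullet above describes, as an added illustration that is not AgentCRA's own code: a salted password-hashing routine plus the breach check the way the HaveIBeenPwned "range" API is designed to be used (k-anonymity: only the first five hex characters of the SHA-1 are sent, and the suffix is matched locally). The network call is replaced by a constructed in-memory response so the example runs offline; the breach counts, the neighbouring suffix and the function names are assumptions.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Constructed stand-in for the HaveIBeenPwned range endpoint
# (https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>).
# The real API returns one "SUFFIX:COUNT" line per known hash with that
# prefix. The suffix below for "password" is its real SHA-1 remainder;
# the counts and the second line are made up for this example.
FAKE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "00000000000000000000000000000000000:2\r\n"
    ),
}


def fake_fetch_range(prefix: str) -> str:
    """Stand-in for an HTTPS GET of the range endpoint; returns the raw body."""
    return FAKE_RANGES.get(prefix, "")


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in known breaches (0 if never).

    Only the 5-character prefix leaves the server; the full hash is never sent.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if hmac.compare_digest(candidate.strip(), suffix):
            return int(count)
    return 0


# Iteration count follows current OWASP guidance for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; returns a self-describing record for storage."""
    salt = salt or os.urandom(16)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def register_password(
    password: str, fetch_range: Callable[[str], str] = fake_fetch_range
) -> str:
    """Signup path: refuse a known-breached password, otherwise return the record to store."""
    seen = breach_count(password, fetch_range)
    if seen:
        raise ValueError(f"password seen in {seen} breaches; choose another")
    return hash_password(password)
```

In production `fetch_range` would be the HTTPS call (with a timeout and a fail-closed or fail-open decision made explicitly), and the record format would normally come from a maintained library such as argon2-cffi or bcrypt rather than a hand-rolled string.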
Payments
All payments are processed by Stripe (PCI-DSS Level 1). Your card number never touches our servers.
Account protection
- Optional two-factor authentication (TOTP authenticator apps) with single-use backup codes.
- Rate-limited logins and automatic idle-session timeout.
- Strong password policy enforced at signup and on every reset.
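The two-factor bullet above (TOTP plus single-use backup codes), as an added example that is not AgentCRA's code: a standard-library RFC 4226/6238 implementation, a verifier that accepts one step of clock skew but never accepts the same counter twice, and backup codes that are stored hashed and deleted on first use. The class name, field names and backup-code length are assumptions; the test values are the published RFC 6238 SHA-1 vectors.

```python
import hashlib
import hmac
import secrets
import struct
from typing import List


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


class SecondFactor:
    """Server-side state for one user's TOTP secret and backup codes (constructed example)."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6) -> None:
        self.secret = secret
        self.step = step
        self.digits = digits
        self.last_counter = -1              # highest counter already accepted (replay guard)
        self.backup_hashes: List[str] = []  # only SHA-256 of each backup code is kept

    def verify_totp(self, code: str, at: int, window: int = 1) -> bool:
        """Accept the current step or +/- `window` steps, each counter at most once."""
        current = at // self.step
        for counter in range(current - window, current + window + 1):
            if counter <= self.last_counter:
                continue  # already consumed: a captured code cannot be replayed
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self.last_counter = counter
                return True
        return False

    def issue_backup_codes(self, n: int = 8) -> List[str]:
        """Generate fresh backup codes (40 bits each, an assumed size) and keep only their hashes."""
        codes = [secrets.token_hex(5) for _ in range(n)]
        self.backup_hashes = [hashlib.sha256(c.encode()).hexdigest() for c in codes]
        return codes  # shown to the user exactly once

    def redeem_backup_code(self, code: str) -> bool:
        """Consume a backup code; each one works exactly once."""
        digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
        for i, stored in enumerate(self.backup_hashes):
            if hmac.compare_digest(stored, digest):
                del self.backup_hashes[i]
                return True
        return False
```

The `last_counter` field is the part most implementations forget: without it, a code sniffed or shoulder-surfed during its 30-second window can be submitted a second time.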
Tenant isolation
Every record is scoped to your corporation. Accountants see only the clients who explicitly linked them, through scoped, expiring access links.
Email access, minimized
If you connect Gmail or Outlook we request read-only scopes, search only for receipts, and store only the receipt data — never your full inbox. Disconnect anytime in Settings; we discard the tokens immediately.
Backups & monitoring
Databases are backed up daily with off-site copies. Errors are monitored around the clock (Sentry) so problems are caught before you notice them.
Found a vulnerability?
Email security@agentcra.ca. We respond within 48 hours and appreciate responsible disclosure.