Data Protection
Your data, fully protected
Every piece of client data is encrypted, authenticated, and access-controlled from the moment it enters Cram.
Encryption
All data is encrypted at rest using AES-256 and protected in transit with TLS 1.3. Your clients' financial documents are secured from the moment they are uploaded.
Authentication
Secure login with robust session management and support for multi-factor authentication. Every session is validated and expired credentials are automatically revoked.
Role-Based Access
Clients, staff members, and administrators each operate within scoped permissions. Every user sees only the data they are authorized to access.
Access Control
Strict boundaries, zero leakage
Cram enforces access boundaries at the database level. Row Level Security policies ensure that every query is scoped to the authenticated user's permissions — no exceptions.
- Clients can only view their own documents, messages, and requests
- Accountants are scoped to their firm's data through enforced database policies
- No cross-client or cross-firm data leakage is possible at the query level
- Every API request is authenticated and authorized before execution
File Security
Every document, secured end to end
Files are validated, encrypted, and stored in private buckets with time-limited access links.
Private Storage by Default
All uploaded files are stored in isolated, access-controlled buckets. Nothing is publicly accessible unless explicitly shared through a secure link.
Signed URLs for Secure Access
File downloads use short-lived, cryptographically signed URLs. Access expires automatically, preventing unauthorized sharing or link re-use.
Server-Side File Validation
Every upload is validated on the server for file type, size, and content integrity before being accepted into storage.
Infrastructure
Secure cloud architecture
Cram runs on Supabase and Vercel — infrastructure providers chosen for their security posture, compliance certifications, and reliability track records.
Best Practices
Security at every layer
From code to deployment, every part of the stack follows security best practices.
- No sensitive data is ever included in client-side JavaScript bundles
- Audit logs capture every critical action with timestamps and user context
- Input validation is enforced on all mutations at both client and server layers
- Secure HTTP headers and CSRF protection are enabled on every route
- Dependency vulnerability scanning runs on every build and deployment
Designed for accountants handling sensitive financial data
Every feature in Cram is built with the understanding that accounting firms handle some of the most sensitive personal and financial information in any industry. Security is not an afterthought — it is a design constraint.
Sensitive Data
Sensitive information, handled with care
Tax preparation requires sensitive information like Social Insurance Numbers. Cram is built to collect, store, and manage this data with the care it deserves.
Encrypted at rest and in transit
Sensitive fields are encrypted before storage using industry-standard methods. Data in transit is protected with TLS 1.3.
Masked by default
Sensitive values like SIN are never displayed in full. Only the last three digits are shown unless an authorized user explicitly requests access.
Access is restricted and logged
Only authorized team members can reveal sensitive information. Every access event is recorded with who, when, and what was accessed.
Collected separately and securely
Sensitive identifiers are collected through a dedicated secure flow, not mixed into general questionnaires or intake forms.
Common Questions
Security FAQ
Why do you collect my Social Insurance Number?
Your accountant needs your SIN to file tax returns with the CRA on your behalf. It is a required field on most Canadian tax forms. We collect it through a dedicated secure flow, separate from other intake questions.
Is my SIN stored securely?
Yes. Your SIN is encrypted before it is stored and is never saved as plain text. It is kept in a separate, restricted data store with its own access controls and audit logging.
Who can see my full SIN?
By default, your SIN is masked and only the last three digits are visible. Your accountant can request temporary access to the full number, and every access event is logged with a timestamp and the name of the person who viewed it.
Do you collect sensitive information by email?
No. We never ask clients to send sensitive information by email. All sensitive data is collected through the secure client portal, which uses encrypted connections and role-based access controls.
Can other clients see my information?
Absolutely not. Every client can only see their own data. Access is enforced at the database level so there is no possibility of cross-client data visibility.
What happens to my data after filing is complete?
Your accountant can archive or remove sensitive data after the filing period. We recommend discussing retention preferences with your accountant directly.