Trust model
Trust Center
Transparency, security, and privacy-aware practices.
Our controls, boundaries, and subprocessors in plain terms.
- Data boundary: records stay in your account.
- Human review: you confirm before output.
- OPTAX does not file with CRA — you submit the reviewed package yourself.
- Audit readback: records and rationale stay reviewable.
- No public training: your content never trains models.
Controls and boundaries
Security Controls Roadmap
Security controls roadmap in progress
PIPEDA
Privacy program built on Canadian privacy principles.
Authorized Subprocessors
Selected subprocessors for hosting, payments, and bank connections.
Google Cloud
Cloud infrastructure (Montreal/Toronto)
Stripe
Payment processing
Plaid
Banking integration
What people ask before trusting us
Honest answers, with no certifications or numbers we haven't earned.
- Do you have third-party security certifications yet?
- Not yet, and we won't claim assurances we haven't completed. Our security controls roadmap is in progress, and we keep every statement conservative.
- Which core service providers do you name?
- We name our core providers for hosting, payments, and bank connections — Google Cloud (Montreal/Toronto), Stripe, and Plaid. AI and data-processing providers, plus analytics, are covered in our Privacy and AI Data Processing pages.
- Do you sell or train on my financial data?
- No. Our privacy program follows Canadian privacy principles, and your content is never sold or used to train public AI models.
- Where does OPTAX stop, and where do my CPA and the CRA come in?
- OPTAX prepares an owner-reviewed, review-ready package. Bring a CPA in for review or handoff when a return is complex; you or your authorized representative submit to the CRA.