SR&ED Copilot - Evidence capture and claim preparation for Canadian R&D tax credits

Overview

SR&ED Copilot handles sensitive business data including R&D evidence, financial records, and integration credentials. This page describes exactly how we protect that data, what we do and do not guarantee, and where our security posture is still maturing.

Honesty note: We are an early-stage product. Our security practices are appropriate for our stage but are not yet independently audited or certified. We are transparent about what is in place and what is planned.

Data Encryption

What	Protection	Status
Data in transit	TLS 1.2+ (enforced by hosting platform)	Active
Data at rest	Hosting platform disk encryption	Active
OAuth tokens	Application-level encryption in database	Active
Passwords	bcrypt hashing (never stored in plaintext)	Active
Payment data	Delegated to Stripe (PCI DSS compliant). Stripe billing not yet active during early access.	Active
Application-level field encryption	Individual sensitive fields encrypted in DB	Planned

Authentication & Access Control

JWT-based authentication with secure token handling
Role-based access control with three roles:
- Owner: Full access to all project data, settings, billing, and user management
- Accountant: Read access to projects, evidence, narratives, and exports. Cannot modify integrations or billing.
- Member: Read/write access to assigned projects and evidence. Cannot access billing or user management.
Rate limiting on authentication and API endpoints
Audit logging on sensitive operations (logins, data exports, narrative generation, account changes)

Data Flow: AI Narrative Generation

When you generate T661 narratives, here is exactly what happens with your data:

You select which evidence items to include in generation
Selected evidence (titles, summaries, dates, tags) is sent to your chosen AI provider
The AI provider processes your data and returns generated narrative text
The generated narrative is stored in our database, linked to your project
No data is retained by the AI provider for model training (per our agreements)

AI Provider	Data Sent	Training Use
Cohere (default)	Selected evidence text + generation prompt	Not used for training
Anthropic (Claude)	Selected evidence text + generation prompt	Not used for training
OpenAI (GPT-4)	Selected evidence text + generation prompt	Not used for training (API terms)

BYOK (Bring Your Own Key) users: your API key is stored encrypted in your browser's local storage and sent directly with each request. We do not store your API keys on our servers.

Data Flow: Integrations

When you connect GitHub, Jira, or Slack:

You authorize access via OAuth with the minimum required scopes
OAuth tokens are encrypted and stored in our database
We fetch only the data types you authorize (commits, issues, messages)
Fetched data is stored as evidence items in your project
You can disconnect integrations at any time, which revokes our access
Disconnecting does not delete previously imported evidence (you can delete it manually)

Data Residency

Current state: Our infrastructure is hosted on managed cloud services. Data may be processed in the United States or Canada depending on provider region.

Goal: Canadian data residency for all customer data. This is a future objective, not a current guarantee. If Canadian data residency is a hard requirement for your organization, contact us to discuss your needs.

What We Do NOT Do

We do not sell your data to third parties
We do not use your data to train AI models
We do not access your data for purposes beyond providing the Service
We do not store credit card numbers (Stripe handles all payment data)
We do not share data between organizations on our platform
We do not retain data after account deletion beyond the 30-day backup window

Incident Response

In the event of a data breach or security incident:

We will notify affected users via email within 72 hours of confirmed breach
We will provide details on what data was affected and what steps we are taking
We will report to relevant authorities as required by law
We will publish a post-incident report

Security Maturity: Honest Assessment

Capability	Status
TLS encryption in transit	In place
Encryption at rest (hosting platform)	In place
OAuth token encryption	In place
Role-based access control	In place
Audit logging	In place
Rate limiting	In place
Canadian data residency	Planned
SOC 2 Type II	Not yet
Independent penetration testing	Not yet
PIPEDA formal compliance certification	Not yet

Contact

For security questions, vulnerability reports, or data handling inquiries:

Email: hello@sredcopilot.ca

Security & Data Handling