Skip to main content
memo.tax

Compliance

Compliance

Last updated: May 2026

memo.tax is built with security, privacy, and accessibility as design constraints, not as afterthoughts. This page summarises the standards we follow and the controls we have in place. We’re a small team, so we’re honest about the difference between “aligned with” and “formally certified.”

Standards summary

PIPEDA — Personal Information Protection and Electronic Documents Act
We operate under Canada’s federal private-sector privacy law. We follow the ten Fair Information Principles. See our Privacy Policy for specifics.
OWASP Top 10
Protections in place across all ten categories — access control, cryptographic strength, injection prevention, secure design, configuration hardening, dependency management, authentication, data integrity, logging, and request-scope controls. Detailed mappings are available to enterprise procurement on request.
WCAG 2.1 Level AA
Web Content Accessibility Guidelines, Level AA. Detail and known limitations on the Accessibility page.
W3C web standards
Pages render in HTML5 standards mode with semantic markup, mobile-first responsive design, and pass W3C markup validation.
SOC 2 — aligned, not certified
We follow SOC 2 control principles (security, availability, processing integrity, confidentiality, privacy) for how we run servers, manage code, handle access, and respond to incidents. We are not formally audited or certified to SOC 2 today — that’s a roadmap item once enterprise customers ask for the report. If you need a SOC 2 Type II report, contact us and we’ll discuss timeline.

Sub-processors and data residency

memo.tax uses third-party providers for AI inference, hosting, edge security, payment processing, and analytics. Categories and operating regions:

  • AI model and embedding provider — United States
  • Cloud hosting provider — Canada
  • Edge CDN and DDoS protection — global, primarily United States and Canada points of presence
  • Payment processor (Stripe) — United States, PCI DSS Level 1
  • Analytics provider (public pages only) — United States, IP anonymisation enabled
  • Bot challenge provider (signup/login only) — global edge

Specific vendor names and their security/privacy attestations are provided to enterprise procurement and qualified regulatory contacts on request at privacy@memo.tax. We don’t list them publicly to reduce targeted-attack surface.

Cross-border transfer notice: Several sub-processors operate outside Canada. By using memo.tax, you consent to the transfer of your data outside Canada for the purposes described in our Privacy Policy.

Operational controls

  • Access control: production access limited to the operator. Admin actions require explicit authorisation, not a generic signed-in session.
  • Encryption: TLS in transit (HSTS preload), encrypted volumes at rest, one-way password hashing.
  • Audit logging: sign-ins, admin actions, and authentication failures logged with timestamp and source IP.
  • Backups: daily, 30-day retention, restore tested at least quarterly.
  • Patching: pinned dependency versions; security advisories monitored; critical CVEs patched within 7 days.
  • Incident response: 48-hour acknowledgement target; breach notification per PIPEDA where applicable.
  • Vendor due diligence: sub-processors reviewed for security and privacy posture before adoption.

Application-level controls

  • Citation verifier — fails closed. Hallucinated section references are refused, not served.
  • Truncation guard. Cut-off model outputs are refused and not cached.
  • Rate limiting on the AI endpoint and authentication routes.
  • Strict security headers set on every response.
  • Robots policy blocks AI-training crawlers from harvesting our outputs.

What we’re still working on

Honest list, not a roadmap promise:

  • Formal SOC 2 Type II audit (deferred until enterprise demand justifies the cost)
  • Multi-factor authentication for end users
  • Public security disclosure ledger
  • Additional language coverage (French parity is a roadmap item)
  • Subprocessor change-notification mailing list (today: posted here, with email to subscribers planned)

Reporting issues

Privacy
privacy@memo.tax — rights requests, complaints, breach notifications
Security
security@memo.tax — vulnerability disclosure (acknowledged within 48 hours)
Accessibility
accessibility@memo.tax — barriers, screen-reader issues, contrast problems
General
hello@memo.tax

See also: Privacy · Terms · Security · Disclaimer · Accessibility · Compliance