Your data is protected. Here's exactly how.

When you log into your RBC or TD business account online you are trusting a website with your business banking, payroll account, line of credit, and full transaction history.

OfficeEaze uses the same AES-256-GCM encryption standard your bank uses. Your data is stored in Canada. Your account is completely isolated from every other business on the platform — the same way your bank account is yours and nobody else's.

If you trust online banking — the security model is the same.

The following information is encrypted using AES-256-GCM with a separate dedicated encryption key for each category. Encryption keys are stored in secure server infrastructure — never in the database, never in the application bundle.

• Employee Social Insurance Numbers

  Encrypted before storage. Never stored in plain text. Displayed as XXX-XXX-XXXX by default. Full number only revealed after re-authentication and is logged.
• Employee banking details

  Encrypted separately from SINs with their own key. Only decrypted server-side when generating direct deposit files.
• Dates of birth

  Encrypted at rest.
• Medical information

  Encrypted at rest.
• OAuth tokens (Gmail and Outlook integrations)

  Encrypted at rest. Never logged or exposed.
• All data in transit

  TLS encryption between your browser and our servers. Data is never transmitted in plain text.

All employee records, payroll data, and documents are stored in the Canadian data centre region (ca-central-1 — Montreal, Canada) operated by Supabase. This means your employees' information is governed by Canadian law — not US surveillance legislation.

OfficeEaze is a trade name of Lou Squared Systems Inc., incorporated federally under the Canada Business Corporations Act. We are a Canadian company subject to Canadian law. Your employees' data does not leave Canada for storage or processing.

Some service providers process limited technical data outside Canada — for example the AI model that powers your AI assistant, our email delivery service, and our SMS provider. These providers handle only what is necessary for their specific function and never receive SINs, banking details, or sensitive personal information. Full details are on our Subprocessors page.

View subprocessors →

Every employer account is a sealed environment. Row-level security is enforced at the database layer on every single table — it is architecturally impossible for one employer's data to be accessed by another.

Your AI assistant only ever sees your company's information. It cannot access, reference, or speculate about any other business's data — regardless of what is asked. This is enforced at the system level — not just by instruction.

Every AI assistant conversation is completely isolated to your account. Anthropic, the company that powers the AI assistant, does not use your business data to train AI models.

Your AI assistant

Every time you ask your AI assistant a question the conversation is processed by Anthropic — the company that builds the AI model powering your assistant.

Here is exactly what Anthropic receives:

• Your question.
• Your company name, province, and industry.
• Your assistant's name.
• Summary business context: outstanding invoice count and total, current module you are viewing, and business health score summary.
• The AI assistant's response.

Here is what Anthropic never receives:

• Employee Social Insurance Numbers — never.
• Banking details — never.
• Payroll amounts — never.
• Employee names — never.
• Documents from your filing cabinet — never.
• Any encrypted field — never.

This is not a policy decision — it is a technical one. The AI assistant is never given access to sensitive personal data in the first place. It cannot share what it cannot see.

Anthropic does not use API conversations to train their models. Your business conversations with your AI assistant are not used to improve Claude.

Your documents and files

Documents uploaded to your filing cabinet — contracts, HR files, pay stubs, T4s, receipts — are stored encrypted in Canada.

• No AI model reads them.
• The AI assistant cannot access your filing cabinet.
• Anthropic never sees them.
• Lovable never sees them.

The only AI that touches a document is a brief classification step when you upload it — assigning it to the right folder. This uses a short description of the file only — not the content.

The platform itself

OfficeEaze is built on Lovable's platform. Lovable maintains SOC 2 Type II and ISO 27001:2022 certification.

We operate on Lovable's Business plan which includes a data training opt-out — meaning our code and configuration are not used to train Lovable's AI models.

Lovable's Data Processing Agreement and Transfer Impact Assessment are available at trust.lovable.dev.

The design decision to never give the AI assistant access to sensitive personal data was made deliberately — so that no AI model, now or in the future, can ever expose what it was never given.

For someone to access your employees' SINs or banking details in OfficeEaze they would need to:

1. Obtain your email address and password
2. Bypass two-factor authentication — a 6-digit code that only your phone can generate
3. Crack AES-256-GCM encryption on the specific fields they want — which would take longer than the age of the universe with current computing power

Compare that to accessing your current paper files:

1. Get a key to the cabinet. Or pick the lock. Or take a photo of the spreadsheet on your screen.

The filing cabinet is not more secure. It just feels more familiar.

• Daily automated backups

  Your data is backed up every day automatically.
• 30-day filing cabinet recovery

  Documents can be recovered for up to 30 days after deletion.
• Your data is yours

  Export everything at any time with one click from Settings → Export Data.
• If you cancel

  Your data is retained for the periods required by Canadian law (6 years for payroll records under the Income Tax Act) then securely deleted. Never sold. Never archived for our use.
• 30 days notice

  If OfficeEaze ever shut down we would give every customer 30 days notice and a complete data export. This commitment is in our Terms of Service.

OfficeEaze includes a built-in document retention policy system aligned with Canadian retention requirements:

• CRA financial records (T4s, payroll, remittance, receipts, invoices) — flagged after 7 years
• Workplace safety records (WSIB, WCB, incidents) — flagged after 10 years
• Former employee HR documents — flagged 4 years after the employee's last day
• Corporate records (articles, bylaws, minutes) — never flagged, kept permanently

Documents are never automatically deleted. When documents pass their retention threshold they are flagged for your review in the Filing Cabinet. You choose what to delete — nothing is removed without your explicit confirmation. CRA requires financial records be kept for a minimum of 6 years — OfficeEaze uses 7 years as a buffer.

Anyone can claim they take security seriously. We prove it.

We commit to annual independent penetration testing by a third-party Canadian security firm. Unlike automated scanners, penetration testing involves actual security professionals attempting to break into the system the same way a real attacker would.

Our first penetration test is scheduled for Q3 2026. A results summary will be published on this page after completion.

If you are an enterprise customer who needs security documentation before signing — email privacy@officeeaze.ca.

OfficeEaze has a signed Data Processing Agreement with Lovable Inc., our platform infrastructure provider (executed November 2025). This agreement contractually obligates Lovable to maintain SOC 2 Type II and ISO 27001 accreditations for the duration of our agreement, prohibits use of customer data for AI training, and governs data breach notification and deletion obligations.

A Data Processing Agreement is available to OfficeEaze customers on request — covering processing purposes, security obligations, sub-processor management, breach notification timelines, Canadian data residency, and data deletion on termination.

To request a DPA before subscribing, contact privacy@officeeaze.ca.

OfficeEaze uses Helcim Inc. for payment processing — a Canadian company headquartered in Calgary, Alberta, certified at PCI DSS Level 1, the highest level of payment card industry compliance.

Your card number, CVV, and banking details never touch OfficeEaze servers. When you enter payment information, it goes directly from your browser to Helcim's secure servers. Helcim returns a payment token — a reference ID with no payment value on its own — and that token is the only payment-related item stored in OfficeEaze.

What OfficeEaze stores: your billing name, plan type, subscription status, and Helcim's payment token.

What OfficeEaze never stores: card number, CVV, expiry date, full banking account number, or any raw payment credential.

Payment data processed by Helcim remains in Canada. Helcim's full security and compliance documentation is available at helcim.com/security.

• Two-factor authentication required

  All employer accounts must verify with a 6-digit code from an authenticator app. If access to the authenticator app is lost, account recovery is available via SMS to the verified phone number on file — no support ticket required.
• Session timeout

  Employer sessions automatically expire after 30 minutes of inactivity. All changes are saved automatically before logout.
• Strong password requirements

  Passwords must be a minimum of 12 characters and include uppercase, lowercase, a number, and a special character. Passwords are hashed and never stored in plain text.
• Full audit trail

  Every access to sensitive data is logged with timestamp, user identity, and IP address.
• Immutable audit logs

  Security, payroll, and permission logs cannot be modified or deleted even by administrators.
• Team member permissions

  Restrict what each team member can see and do. A scheduler does not see payroll. A bookkeeper does not see HR files.

We won't tell you we are 100% secure. No system is.

We won't tell you we are unhackable. Nothing is.

We won't use the phrase "military-grade encryption" — it is a marketing term that means nothing specific.

What we will tell you is that we built OfficeEaze the way we would want our own employees' data protected — with encryption on every sensitive field, Canadian data storage, independent security testing, a complete audit trail, and a team that reads every security question personally.

If you have a specific security question or concern email privacy@officeeaze.ca — Jennifer reads every one personally.