Built to be trusted with a firm's whole book
Clerra holds tax documents and financial records for many firms and their clients. Security isn't a feature we added — it's the foundation everything else sits on.
Your data stays in Canada
Everything — your client records, documents and backups — lives in Canadian data centres (AWS Canada Central, Montréal). It never crosses the border, which matters for PIPEDA and for the clients who ask you where their tax documents actually are.
Firms are isolated at the database
Every row of data is locked to your firm by row-level security enforced inside the database itself — not just in application code. No bug, no misconfigured screen, no clever request can show one firm another firm's data.
Clients see only what's theirs
The client portal is a separate trust zone. A client sees their own document checklist and the files you've chosen to share — never your notes, your other clients, your team's workload or anything internal. We test these boundaries automatically.
Documents are never publicly addressable
Files live in private storage, scoped per firm and per client. Downloads happen through expiring signed links generated only after the database confirms the person is allowed to see that exact file. Uploads are validated by type and size.
Two-factor authentication, for staff and clients
Anyone — your team or your clients — can protect their account with an authenticator app. Once enabled, a password alone is never enough to get in.
Everything sensitive is on the record
Document access, uploads, deletions, invitations and permission changes are recorded in an activity log your firm's admins can review. When a client asks who touched their file, you have an answer.
Encrypted everywhere
Data is encrypted in transit (TLS) and at rest. Payment details never touch our servers — billing runs entirely through Stripe.
Least privilege, by default
Staff roles separate day-to-day work from administration. Billing, team management, client deletion and the audit trail are admin-only. Public sign-in pages are protected by CAPTCHA and rate limits.
Have a security question we haven't answered?
Write to security@commongoodlabs.ca — we answer these personally.