Following up on a portal solution …
One of my main concerns with any software is having it Canadian owned and content stored on servers located in Canada. USA has legislation that mandates government bodies access to your data (ie: search warrant, subpoena, etc). If documents are requested, are they turned over in an encrypted form or non-encrypted form is always a concern. A few years ago, I saw Dropbox’s statistics stating they turned over approx 25% of subpoena requested files, and many of those had court ordered clauses stating that the customer was NOT to be informed of this transaction. I checked on Dropbox just now and they only show a graph of the different types of data releases. Dropbox now adds a clause stating that the data they give to the authorities is in an encrypted state, leaving it up to the authorities to decrypt it (this clause was not there when I last looked at Dropbox). There is no such legislation in Canada. However, I’m told that if a US software provider has servers located in Canada for Canadian customers, the data on those servers, because they are owned by the US companies, could also be accessed by subpoena by US authorities. Microsoft One Drive would fall into this category.
The issue I’ve had with safely storing and transmitting client tax data, keeping them out of the hands of US law makers, is that there are very few Canadian owned companies in this industry. Sync.com and e-Courier.com are the two main companies that I’ve found that are both Canadian owned with servers located in Canada, and both have a high focus on encryption and security. I had a couple of long conversations about this with the sales rep from e-Courier (out of Toronto) who tells me that she has been working closely with the CRA in creating legislation to safeguard Canadian tax data. For e-signature programs, we really had NO Canadian companies offering this service, which is probably a main reason why TaxCycle created their TaxFolder software, and as of a few months ago, e-Courier went online with their version of an e-signature software. These are the only two Canadian e-signature companies that I know of. I’ve been using Adobe Sign (US based) only because of the lack of Canadian options available. I set a password on my T183’s and other confidential data transmitted using Adobe Sign only because the signed document is then sent by regular email to the user as an attachment, so I want this attachment to be secure.
I like @Nezzer’s solution, which is to delete the files from the server as soon as he acquires them. That’s not to say that companies may maintain backup files of the deleted software on their servers. With the Internet, you never know how many copies are out there.
With the 2 TB of data that I receive from Sync.com, I use it as backup to auto sync files on my office computer for secure backup. I also have a custom folder for shared files with clients where I’ll share a particular folder with client data for that client. I set a folder password so that the client is required to enter the password to access the data. The problem I’ve faced is that some of my clients just aren’t computer savvy. I’ve had to make my passwords simple for them (like the last 6 digits of their SIN). And many of my clients chose to only view the documents from the Sync link, but don’t actually download the files to their computer. Thus, I find them repeatedly going back to the link to review their tax files, even though I specifically instruct them to download the files. I’m guessing they are accessing the files using their smartphone vs their computer. If I delete the files, then they are asking me once again for a copy of them. To get around this, I started zipping the files and only placing a zipped file into their shared Sync folder. This forces them to download the files.
I like e-Courier.com as a secure portal to transmit documents. It allows the user to create their own passwords to access their guest email account that we create for them. I like the strong security it officers, especially that it automatically deletes messages (3 months is a default with max = 1 yr). It also forces you to download all attached files in order to open them. One thing I don’t like about it is the simplistic front end (no bolding, bullets, etc). The issue my client’s have is that many of them like to use their email for archival purposes to easily find old documents they need. The auto delete in e-courier doesn’t allow this. I still have clients sending me confidential tax documents by email even though I have made them a free guest account on e-courier or created a shared folder in Sync.com where they can upload their confidential tax files - they don’t always remember to use it. They don’t seem to care that email is not secure. Many of them also don’t want yet another email program, albeit secure, and thus don’t access the messages I send them using e-courier (I get regular messages from e-courier that the email I sent with their tax documents has expired, unopened, leaving me with the option to renew it or let it cancel). To encourage my clients to send me documents using e-courier instead of email, for this upcoming tax season I invested an additional $200 with e-courier to purchase their SECURE LINK feature. It’s a link that gets added to all my outgoing emails with a secure link for clients to upload files securely to me. The user enters their email address to track who the message is from. If a free guest account has already been created for them prior to their upload, the upload will be linked to their free guest account so they can track it when they log into their account. We’ll see if this solution is used during this next tax season.
Finally, a final thought about e-signatures. When CRA first started allowing e-signatures on the T183’s at the start of covid, I spoke to a CRA agent at the e-file help desk who stated that the electronic signatures had to be an actual signature (they couldn’t be typed). I liked that Adobe Sign supported this, so all my electronically signed T183’s have an actual signature. I purchased the license to Acrobat for $20.99 monthly which comes with Adobe Sign, so added value. E-Courier’s solution to e-signature has the user TYPE their name. No actual signature. Their sales agent has confirmed that this is acceptable, but I’ve chosen to hold off using it (even though I paid for a license to use it) until I verify that typed signatures are acceptable. I don’t know what format TaxFolder or other e-signature software uses (typed name or actual signature on the T183). E-signature is also accepted on the AuthRep forms, and was accepted on the T2200S and Form T2200.
Hope this helps.