Overview
Numinor handles sensitive financial data on behalf of Canadian businesses. Our security program is built around five principles: encrypt everything, grant the least access necessary, monitor continuously, prepare for the worst, and improve after every incident. This page describes how those principles show up in our day-to-day practice.
Security is not a single feature. It is an ongoing discipline that touches our infrastructure, our people, our vendors, and the way we respond when something goes wrong. We review and update this program quarterly.
Data encryption
In transit. All data moving between your devices, our systems, and integrated platforms is encrypted using TLS 1.3 (or TLS 1.2 where a partner does not yet support 1.3). The Site enforces HTTPS site-wide with HSTS preload, and we do not accept inbound connections over plain HTTP.
At rest. Client data stored in our systems and at our cloud partners is encrypted using AES-256. Encryption keys are managed by our infrastructure providers with hardware-security-module-backed key storage and regular automated rotation.
Backups. Backups are encrypted with the same standards as live data, stored in separate availability zones, and tested for restoration every quarter.
Access controls
- Multi-factor authentication. Required for every employee, contractor, and tool that handles Client data. We prefer hardware security keys and authenticator apps over SMS where the platform supports it.
- Role-based access. Team members get access only to the Client data they need for their assigned engagements. Access is reviewed quarterly and revoked the same day an employee leaves.
- Single sign-on. Internal tools are gated behind SSO with conditional-access policies that consider device, location, and risk signals.
- Privileged access. Administrative actions on Client data require a second approver and are logged for audit.
Infrastructure
Numinor's systems run on SOC 2 Type II compliant cloud infrastructure. Our primary providers undergo independent third-party audits annually and publish their reports under non-disclosure to enterprise customers.
- Data is hosted in Canadian regions by default. We can configure US or other regions for specific Client agreements.
- Network traffic is segmented through virtual private networks with default-deny firewall rules.
- Production systems are isolated from development and staging environments.
- All servers receive security patches within our vendor's standard patch window, with critical patches applied within 72 hours.
People and training
Every Numinor team member completes security training during onboarding and again annually. Training covers phishing, secure handling of Client data, password hygiene, and incident reporting. Senior team members and anyone handling Client financial data also receive specialized training on Canadian privacy laws (PIPEDA) and applicable provincial regulations.
Background checks are performed on all employees before they receive access to Client systems. Every team member signs a confidentiality agreement and a data-handling acceptable-use policy as a condition of employment.
Vendor management
We carefully select and review every vendor that touches Client data. Vendors are evaluated against security, privacy, and compliance criteria before onboarding, and reviewed annually thereafter. Common vendors include QuickBooks Online, Xero, Plooto, Wagepoint, Float, and our cloud infrastructure providers.
We require data-processing agreements with every vendor that handles Client data, including obligations around encryption, breach notification, and data return on termination.
Incident response
Numinor maintains a documented incident response plan that defines roles, escalation paths, communication templates, and post-incident review procedures. The plan is tested at least once per quarter through tabletop exercises or live drills.
Notification. If a confirmed security incident materially affects your Client data, we will notify affected Clients in writing as soon as practicable, and in any event within the timeframes required by applicable Canadian privacy law (PIPEDA's mandatory breach notification provisions, within the period prescribed by regulation).
Data retention and disposal
We retain Client data only as long as necessary to deliver Services, meet legal and regulatory obligations (including the CRA's six-year record retention requirement for tax-related records), and complete reasonable backup cycles.
On termination of an engagement, Client data can be returned in standard formats on request. After legal retention periods expire, data is securely deleted from production systems and purged from backups according to industry-standard wiping procedures.
Business continuity and disaster recovery
Numinor maintains a business continuity plan that covers service interruptions, natural disasters, cyber incidents, and key-person events. Our recovery time objective (RTO) for core Client-facing services is 24 hours; our recovery point objective (RPO) is 4 hours.
Backups are tested quarterly and stored in geographically separate Canadian regions. We document and rehearse failover procedures at least twice a year.
Compliance
Numinor's practices are aligned with Canadian regulatory expectations for handling personal and financial information, including:
- PIPEDA (Personal Information Protection and Electronic Documents Act).
- Applicable provincial privacy legislation, including Quebec Law 25 and Ontario's PHIPA where the engagement involves health-sector clients.
- CPA Canada professional conduct rules and confidentiality obligations.
- CRA recordkeeping and electronic-records requirements.
Our infrastructure partners hold SOC 2 Type II attestation, and we leverage their audit reports as part of our own vendor risk management.
Report a vulnerability
We welcome reports from security researchers and members of the public. If you believe you have found a security issue in our Site or in our systems, please email us at security@numinor.ca. Include enough detail for us to reproduce and assess the issue. We will respond within five business days and keep you informed as we work on remediation.
We ask that you do not access or modify data beyond what is necessary to confirm the issue, and that you give us reasonable time to remediate before public disclosure.
Contact
Questions about our security program? Reach out to:
Numinor Accounting · Security
security@numinor.ca · hello@numinor.ca
22 King St S Suite #300, Waterloo, ON N2J 1N8
