Adorably Simple Bookkeeping

CanCat LLC Data Policy


Effective Date: October 13th, 2024

Owner: Amanda Steinberg, Founder & CEO, CanCat LLC


1. Purpose

The Purpose of This Policy

This policy defines the security controls and procedures for integrating and activating Plaid services to access and process users’ financial data. It ensures the protection of personal and sensitive data as required by legal, regulatory, and contractual obligations.

2. Scope

Who This Policy Applies To

This policy applies to all employees, contractors, vendors, and third parties who handle or process data during the Plaid activation process. It includes internal systems and third-party services used with Plaid.

CanCat is a web-based application designed to help users prepare transaction records for their accountants prior to tax filing. CanCat is a technology tool, not a tax advisor, and does not store tax-specific details unrelated to its functionality.

3. Roles and Responsibilities

Key Roles
  • Data Protection Officer (DPO): Ensures compliance and oversees data protection activities related to Plaid integration.
  • System Administrators: Manage secure configuration and maintenance of systems accessing Plaid data.
  • Developers: Ensure code security and follow best practices for encryption and secure API calls.
  • Third-Party Vendors: Must comply with this policy and sign data protection agreements where necessary.

4. Data Collection and Usage

How Data Is Handled
  • Data Minimization: Only collect the minimum necessary data required for Plaid integration.
  • Data Purpose: Use data solely for verifying account balances or facilitating financial transactions.
  • User Consent: Obtain explicit user consent before accessing financial data through Plaid.

5. Data Storage and Retention

How Data Is Stored
  • Encryption: Encrypt sensitive data in transit (TLS 1.2 or higher) and at rest (AES-256 or higher).
  • Access Controls: Limit access to authorized personnel only, using RBAC and MFA.
  • Retention Policy: Retain data only as necessary or required by law, with regular reviews.

6. Data Sharing and Disclosure

Sharing Guidelines
  • Third-Party Sharing: Share Plaid data only when necessary and with user consent.
  • Data Anonymization: Anonymize sensitive data where possible before sharing.

7. Security Measures

How We Protect Data
  • API Security: Authenticate API calls with secure tokens and protect endpoints from vulnerabilities.
  • Monitoring: Log and monitor all API calls and data transfers involving Plaid.
  • Incident Response: Notify the Incident Response Team and affected users promptly in case of a data breach.

8. Compliance and Auditing

Staying Compliant
  • Compliance: Follow all relevant regulations, including GDPR, CCPA, and PCI DSS.
  • Audit Trails: Maintain logs of Plaid data access and review them during regular audits.

9. User Rights

Your Rights
  • Right to Access: Request access to your personal data processed through Plaid.
  • Right to Erasure: Request the deletion of your personal data, unless retention is required by law.
  • Data Portability: Export your personal data in a commonly used format.

10. Policy Review

Keeping the Policy Updated

This policy will be reviewed annually or sooner if there are changes in legal, regulatory, or operational requirements. Significant changes to Plaid integration will trigger an immediate review.

11. Enforcement

Consequences of Violations

Employees violating this policy may face disciplinary action, up to termination. Contractors or third parties may face contract termination or legal action.

Signed: Amanda Steinberg, Founder & CEO

CanCat LLC
Effective Date: October 13th, 2024

About CanCat

CanCat is a tool that helps independent workers organize detailed information about tax deductions to share with their accountants before filing taxes.

Disclaimer
CanCat is a software tool, not a source of tax advice. It is designed to help our platform customers (“users”) organize and process large quantities of bank transactions. Determining what qualifies as a tax deduction is the sole responsibility of the user and their accountant.

Contact Us

meow@cancat.io


CanCat LLC
P.O. Box 11218
Elkins Park, PA 19027