Compliance & Data Protection
Security & Compliance
Property tax data — assessment values, owner names and addresses, payment histories, arrears balances, and tax sale proceedings — is among the most sensitive information a municipality manages. Civic Property Tax is designed with security, privacy, and Canadian regulatory compliance at its foundation.
Canadian Municipal Compliance
Municipal & Provincial Regulations
Purpose-built for Canadian municipalities, with full alignment to federal, provincial, and municipal legislation governing public-sector data management.
Ontario, Canada
Tax billing, collection, penalty/interest calculation, instalment plans, and payment application comply with the taxation provisions of the Municipal Act, 2001. Levy calculation implements all 9 property classes, capping/clawback (s.329–332), and penalty rates (s.345). Tax sale proceedings under Part XI follow mandatory statutory timelines with tracked compliance. Every calculation is auditable and reproducible.
Ontario, Canada
Full MFIPPA compliance with PII masking capabilities, role-based access restrictions (view-only through admin), configurable data retention/destruction policies, and privacy impact assessment documentation. Access to property owner PII is logged with purpose, timestamp, and accessor identity. Bulk exports require supervisor approval.
Canada (Federal)
Consent management for electronic billing, data minimization (collect only what is necessary for tax administration), breach notification workflows with 72-hour reporting, and right-of-access/correction mechanisms. AI-powered delinquency scoring includes explainable decision rationale to meet automated decision-making transparency requirements.
Ontario, Canada
MPAC assessment roll data is handled in compliance with Assessment Act requirements. Assessment data confidentiality provisions are enforced — only authorized staff can access assessment details. Public inquiry responses follow statutory disclosure rules. ARB appeal data is managed with appropriate access controls.
Ontario, Canada
All public-facing interfaces (resident self-service portal, tax certificate portal, online payment) and staff-facing applications meet WCAG 2.1 AA: keyboard navigation, screen reader compatibility (JAWS, NVDA, VoiceOver), 4.5:1 contrast, semantic HTML, skip navigation, and focus management. Annual VPAT (Voluntary Product Accessibility Template) prepared for procurement.
Ontario, Canada
Education levy calculation and remittance comply with Education Act provisions. Education tax rates are applied as prescribed by the province. Revenue tracking separates education levy from municipal levy for accurate provincial remittance. School support designations are maintained per statutory requirements.
Ontario, Canada
PAP/PAD file generation complies with CPA Standard 005 for pre-authorized debit transactions. Enrollment forms meet CPA consent requirements. File formatting, transaction codes, and remittance processing follow Canadian Payments Association standards. NSF handling complies with return item processing rules.
“Compliance is not a feature we bolted on after launch — it is the architectural foundation every line of code is written against. Canadian municipalities deserve a platform that treats their legislative obligations as first-class requirements.”
Civic Engineering · Platform Architecture Team
Regulatory Compliance
Industry Frameworks
Beyond municipal legislation, Civic Property Tax satisfies internationally recognized compliance frameworks.
Annual third-party audit of security controls covering availability, processing integrity, confidentiality, and privacy — verified against AICPA Trust Services Criteria. Audit reports available to municipal procurement teams under NDA.
- Logical access controls with segregation of duties — assessment viewers, payment processors, account adjusters, and approvers have separate permissions
- Availability monitoring with 99.9% uptime SLA for tax payment portals and instalment processing services
- Processing integrity controls validating tax levy calculations, penalty/interest accruals, and payment application logic
- Confidentiality protections for property owner PII, assessment data, and tax arrears balances with field-level encryption
- Annual independent SOC 2 Type II audit with remediation tracking and management response for identified findings
Information security management system aligned to ISO 27001 standards. Risk assessment methodology, control selection, and continuous improvement processes follow the international standard for organizational security management.
- Formal risk assessment covering property tax data assets — assessment rolls, owner PII, payment records, and arrears data
- Access control policy with SAML 2.0 SSO, MFA enforcement, and role-based access scoped to tax functions
- Cryptographic controls with AES-256 encryption at rest and TLS 1.3 in transit for all tax data
- Operations security including change management procedures for rate table updates, levy formula changes, and system configuration
- Supplier relationship security for MPAC data imports, payment processor integrations, and bank file exchanges
All online payment processing (credit card, debit) handled through PCI DSS Level 1 certified payment gateway. No credit card data is stored or processed in the Civic Property Tax platform. Tokenized payment references only. Annual SAQ-A compliance attestation.
- Hosted payment page architecture ensures no cardholder data enters the property tax application servers
- Payment tokenization enables refund processing and payment history without storing sensitive card data
- PCI DSS Level 1 certified payment gateway with annual Report on Compliance verification
- SAQ-A self-assessment completed annually with documentation of PCI scope exclusion evidence
- 3-D Secure 2.0 authentication for online card-not-present tax payments to reduce fraud liability
Security controls mapped to NIST CSF functions: Identify (asset management, risk assessment), Protect (access control, encryption), Detect (continuous monitoring, anomaly detection), Respond (incident response, communication), Recover (recovery planning, improvements). Quarterly security posture reviews with framework alignment reporting.
- Identify — comprehensive inventory of property tax data assets with business impact analysis and risk scoring
- Protect — defense-in-depth with WAF, rate limiting, IP allowlisting for bank files, and API authentication (OAuth 2.0/JWT)
- Detect — continuous monitoring for anomalous activity including bulk assessment data exports and unusual payment patterns
- Respond — incident response procedures for tax data breach scenarios with PIPEDA 72-hour notification compliance
- Recover — recovery planning with RPO/RTO targets, quarterly DR testing, and post-incident improvement processes
Data Sovereignty
Canadian Data Residency
All property tax data — assessment rolls, tax accounts, payment records, owner PII, arrears data, and tax sale proceedings — is stored and processed exclusively in Canadian data centres. No cross-border data transfers occur for any reason, including backup, disaster recovery, analytics, or support.
- Hosting: Canadian Only
- Centres: 3 Redundant
- Encryption: AES-256
- Sovereignty: PIPEDA / MFIPPA
Platform Security
Security Capabilities
Auditability
Audit Trail Features
Every action is logged, timestamped, and immutable — providing the complete audit trail required by provincial legislation and municipal accountability standards.
- Transaction-Level Audit Trail
- Payment Reconciliation Audit
- Access & PII Audit Logs
- Assessment Roll Change Tracking
- Rate & Levy Audit Trail
- Tax Sale Compliance Audit
- Annual Audit Export
- AI Decision Audit Trail