Your data. Your control.

Connecting your dev tools to Shreddit requires trust. Here's exactly what we access, how we protect it, and what we don't touch.

Integration Access

What we read. What we don't.

Most integrations use read-only access. For connected evidence sources, we may read metadata and extract text from the specific documents or spreadsheets you authorize so we can identify SR&ED-eligible work. For GitHub, Shreddit can optionally post or update one PR comment in repos where commenting is enabled. We do not modify code or repository settings.

GitHub

What we access
  • Repository metadata (names, visibility)
  • Commit messages, timestamps, and authors
  • Pull request titles, descriptions, and review activity
  • Branch names and contribution patterns
What we never touch
  • Source code contents
  • Repository secrets or environment variables
  • GitHub Actions logs or artifacts

Linear / Jira

What we access
  • Issue titles, descriptions, and labels
  • Status changes and cycle times
  • Sprint/cycle metadata
  • Project and team structure
What we never touch
  • Private comments or internal notes
  • Attachment file contents
  • User profile details beyond name

Notion

What we access
  • Pages and databases you explicitly authorize
  • Document content for project documentation
  • Page metadata and relationships
What we never touch
  • Pages outside your selected scope
  • Workspace member details
  • Integration or API tokens stored in Notion

Google Drive

What we access
  • Specific files you explicitly select
  • Supported document and spreadsheet content needed for SR&ED evidence
  • File metadata such as names, dates, and ownership details
What we never touch
  • Files you do not explicitly select
  • Your Gmail or other Google services
  • Edits or writes back to your Google Drive

Google Calendar

What we access
  • Event titles and descriptions
  • Meeting times and duration
  • Attendee lists (for R&D time allocation)
What we never touch
  • Video call recordings or transcripts
  • Calendar events from personal calendars
  • Meeting notes stored outside Calendar

File Uploads

What we access
  • Documents you explicitly upload
  • File metadata (name, type, size)
What we never touch
  • Anything beyond what you directly provide
  • Files on your local machine that you have not uploaded

Data Protection

Security by default.

Encryption everywhere

All data is encrypted in transit with TLS 1.3 and at rest with AES-256. OAuth credentials are stored encrypted and never exposed to the client.

Isolated infrastructure

Hosted on SOC 2-compliant cloud infrastructure with row-level security policies enforcing strict organization-level data isolation in our database.
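As an added illustration of what "row-level security policies enforcing organization-level data isolation" means in practice, here is a PostgreSQL policy written for this page. It is example code, not Shreddit's own schema or policy; the `claims` table, the `app.current_org` session setting and the `shreddit_app` role are assumed names. It shows the weak setting (a table with no policy, where isolation depends entirely on application code remembering a WHERE clause) beside the corrected one (RLS enabled and forced, with a policy tied to the tenant the application sets per transaction).

```sql
-- Added example (not Shreddit's own schema): PostgreSQL row-level security
-- that scopes every query on a hypothetical `claims` table to the
-- organization the application sets in the session.
CREATE TABLE claims (
    id              bigserial PRIMARY KEY,
    organization_id uuid NOT NULL,
    title           text NOT NULL
);

-- Weak setting: no policy, RLS disabled. Any role with SELECT on the table
-- can read every organization's rows, so a single missing
-- "WHERE organization_id = ..." in application code leaks data across tenants.

-- Corrected setting: enable RLS and force it so even the table owner is
-- filtered by the policy (superusers and BYPASSRLS roles still bypass it,
-- so the application must not connect as either).
ALTER TABLE claims ENABLE ROW LEVEL SECURITY;
ALTER TABLE claims FORCE ROW LEVEL SECURITY;

-- One policy for reads and writes. USING filters rows that are visible;
-- WITH CHECK rejects inserts/updates that would place a row in another tenant.
-- current_setting(name, true) returns NULL when the setting is absent, so a
-- request that never set its tenant sees zero rows rather than all rows.
CREATE POLICY claims_org_isolation ON claims
    FOR ALL
    USING      (organization_id = current_setting('app.current_org', true)::uuid)
    WITH CHECK (organization_id = current_setting('app.current_org', true)::uuid);

-- Least-privilege application role (assumed name): table privileges only,
-- no BYPASSRLS, not a superuser.
CREATE ROLE shreddit_app NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON claims TO shreddit_app;
GRANT USAGE ON SEQUENCE claims_id_seq TO shreddit_app;

-- How the application pins the tenant for one transaction. The third
-- argument (is_local = true) makes the setting transaction-scoped, so it is
-- discarded at COMMIT/ROLLBACK and cannot bleed into a pooled connection's
-- next request.
BEGIN;
SELECT set_config('app.current_org', '11111111-1111-1111-1111-111111111111', true);
-- Constructed sample rows: the second one is rejected by WITH CHECK.
INSERT INTO claims (organization_id, title)
    VALUES ('11111111-1111-1111-1111-111111111111', 'Q3 compiler work');
-- INSERT INTO claims (organization_id, title)
--     VALUES ('22222222-2222-2222-2222-222222222222', 'other tenant');  -- ERROR
SELECT count(*) FROM claims;   -- returns only this organization's rows
COMMIT;
```

Two checks worth running against a setup like this: confirm `SELECT rolsuper, rolbypassrls FROM pg_roles WHERE rolname = 'shreddit_app'` is `false, false`, and confirm that a fresh session with no `app.current_org` set returns zero rows from `claims`. If the first check fails the policy is silently bypassed; if the second returns rows, the policy is not attached or not forced.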

Minimal access, maximum control

We request least-privilege OAuth scopes wherever possible. For Google Drive, access is limited to supported files you explicitly select. We never write to or modify your connected accounts. You can disconnect any integration instantly, which revokes access and deletes stored tokens.

You own your data

Your data is used solely for SR&ED claim preparation. It is never shared with third parties, never used for model training, and never sold. Request full data deletion at any time.

CRA Authorization

Read-only. Revocable anytime.

If you choose our Pay Later option, Shreddit requests authorization as your CRA representative so we can monitor your refund status. Here's exactly what that means.

What is CRA representative authorization?

This uses the standard CRA AUT-01 authorization form — the same form accountants and tax professionals use every day. It grants Shreddit limited, read-only access to your business tax account, specifically to check the status of your SR&ED refund.

What it allows
  • View the status of your SR&ED refund
  • Confirm when CRA has processed your claim
  • Receive refund timeline updates on your behalf
What it does not allow
  • Modify your tax returns or filings
  • Access banking or financial information
  • Take any action on your CRA account
  • View information unrelated to SR&ED

You can revoke this authorization at any time through CRA My Business Account. No questions asked, no waiting period. The Pay Now option (5% of refund) skips CRA authorization entirely — your filing package is sent directly to you.

Compliance

Where we are today.

We're an early-stage company. Rather than make vague claims, here's our honest security posture and what's on the roadmap.

In place today

  • End-to-end encryption (TLS 1.3 in transit, AES-256 at rest)
  • Row-level security with organization-level data isolation
  • Least-privilege OAuth scopes with file-scoped Google Drive access
  • Encrypted credential storage — tokens never exposed to client
  • Immediate data deletion on integration disconnect or account removal
  • No third-party data sharing, no model training on customer data

On the roadmap

  • SOC 2 Type II certification
  • Penetration testing by a third-party firm
  • PIPEDA compliance documentation
  • Detailed audit logs accessible to customers

Still have questions? We're an open book.

Security concerns deserve real answers, not FAQ pages. Reach out and we'll walk through anything you need.