Security Overview

1 Your Free Tools — Zero Data Risk

This is a deliberate design decision. We built the tools to be useful without requiring you to trust us with your data first.

2 How We Protect Client Data

3 Our Software Platforms

We use industry-leading platforms purpose-built for accounting, payroll, and construction project management. Each maintains its own security certifications and data protection standards. Not all platforms are used for every client engagement — the specific tools used in your engagement will be confirmed during onboarding.

• QuickBooks Online (Intuit) — SOC 2 Type II certified, data encrypted in transit and at rest, hosted on AWS with 99.9% uptime SLA
• Sage Intacct — SOC 1 Type II and SOC 2 Type II certified, AICPA-approved cloud financial management platform with role-based access controls
• Dext — SOC 2 Type II certified, document data encrypted at rest using AES-256, TLS in transit
• Plooto — PCI DSS compliant for payment processing, bank-grade encryption, two-factor authentication required
• Wagepoint — Canadian payroll platform, encrypted data storage, SOC 2 certified, data residency in Canada
• Buildertrend — cloud-hosted project management with role-based access controls and encrypted data storage
• JobTread — cloud-based construction management with encrypted data transmission and role-based user permissions
• Procore — SOC 2 Type II certified construction management platform, TLS encryption in transit, AES-256 at rest
• Knowify — cloud-based job costing and project management with encrypted data storage and secure access controls
• Microsoft 365 — enterprise-grade security, data residency in Canada, ISO 27001 and SOC 2 certified

We review the security posture of our software vendors periodically and will notify clients of any material changes to the platforms used in their engagement.

4 Email Security

Email is inherently less secure than our client portal. We take the following steps to reduce risk:

• We never send sensitive financial data via unencrypted email — financial statements and tax documents are shared through the secure portal
• We use Microsoft 365 which includes spam filtering, phishing protection, and malware scanning on all inbound and outbound messages
• We will never ask you for passwords or banking credentials via email — if you receive such a request purportedly from Marawood, treat it as fraudulent and contact us immediately

5 Incident Response

In the unlikely event of a data security incident affecting your information, we will:

• Notify you promptly — within 72 hours of becoming aware of a breach that may affect your data
• Describe what happened, what data was involved, and what steps we are taking
• Report to the Office of the Information and Privacy Commissioner of Alberta where required by PIPA
• Take immediate steps to contain the breach and prevent recurrence

6 Your Role in Security

The strongest security controls can be undermined at the endpoints. We ask our clients to:

• Use strong, unique passwords for your QuickBooks and client portal accounts
• Enable multi-factor authentication on your QuickBooks Online account — this protects your financial data even if your password is compromised
• Use the secure portal rather than email for sharing sensitive documents such as bank statements, payroll records, and tax documents
• Contact us immediately if you suspect unauthorized access to your accounts or receive suspicious communications claiming to be from Marawood

7 Website Security

Our website and tools are hosted on Cloudflare, which provides DDoS protection, TLS encryption, and edge security. All Marawood web properties use HTTPS. Our tools landing page and individual calculators are static HTML files — they contain no databases, no user accounts, and no server-side code that could be compromised to expose user data.