Your employee data stays in Canada.
Hibiscus HR is hosted on Microsoft Azure Canada Central. Employee profiles, payroll, T4s, ROEs, and uploaded documents are stored in Canadian data centres. SINs and banking details get AES-256-GCM field-level encryption on top of TLS 1.2+ in transit.
What lives in Canada
The full list of data classes stored at Azure Canada Central. Encrypted at rest, schema-isolated per tenant.
Where data touches a US vendor (and why it is acceptable)
Two production subprocessors are US-based. Both receive a narrow slice of data, never payroll PII. The third (Helcim) is Canadian.
What they see: Transactional email delivery (welcome emails, password resets, payroll-period notifications).
Why: Resend receives the recipient's name and email address plus the rendered email content. No SINs, no banking, no payroll figures. The content is the same notification the recipient receives. We use Resend because transactional email infrastructure with sub-second deliverability at SMB pricing is structurally a US market; no Canadian provider currently offers an equivalent. We continue to monitor.
What they see: AI handbook and policy generation. The customer-side feature that drafts a starting employee handbook from company inputs.
Why: Anthropic receives the company name, industry, province list, and policy-type request. No employee PII is passed to the model. Generation runs on Anthropic's zero-retention API tier, meaning the prompts and outputs are not retained for training. The generated draft returns to Hibiscus and stays in Canadian storage thereafter.
What they see: Payment processing for the Hibiscus HR subscription. Card tokenisation via HelcimPay.js in the browser; the card number never touches Hibiscus servers.
Why: Helcim is a Canadian PCI-DSS Level 1 processor based in Calgary. This is not a cross-border exception; it is Canadian payment infrastructure for Canadian software.
Filings and bank files stay in Canada
The three statutory data flows out of Hibiscus all land at Canadian endpoints.
T4 internet filing → CRA
T4, T4A, and T5018 slips are generated as schema-correct CRA XML and filed directly to CRA via T4 internet filing. The data path is Hibiscus (Canada) → CRA (Canada).
ROE Web → Service Canada
Records of Employment are submitted to Service Canada via ROE Web with the correct reason code and insurable-earnings reporting. The data path is Hibiscus (Canada) → Service Canada (Canada).
Bank file (CPA-005) → your Canadian bank
Payroll direct-deposit files use the CPA-005 standard for delivery to your business bank. The file leaves Hibiscus encrypted, lands at your Canadian bank, and is destroyed locally once the deposit batch is queued.
Retention and deletion
Active customer data is retained for the life of the subscription plus a 120-day reactivation window after cancellation. The 120 days exist so a customer who cancels mid-year for cash-flow reasons can come back and resume without rebuilding their employee records.
At day 120 post-cancellation, the tenant schema is dropped. CRA, ESA, and Service Canada regulated records (T4 history, ROE archive, payroll-run summaries) are extracted to a WORM-style archive first and retained for the statutory minimum (7 years for CRA records), then the tenant database is deleted. A Deletion Certificate is emailed to the former admin confirming the data classes dropped and the date.
Customers can request earlier deletion at any time by emailing privacy@hibiscushr.ca. We honour PIPEDA right-of-access and right-of-correction requests within 30 days.
A note on Quebec and Law 25
Hibiscus HR does not currently process Quebec employee data, so Quebec Law 25 obligations are not in scope today. The Quebec engine (RRQ, RQAP, Quebec income tax, FSS, CNESST, Relevé 1, equity, Loi 25 alignment) is built and in independent legal and linguistic audit before launch. We will not enable Quebec for a customer until that audit is complete. Join the Quebec waitlist →
HR data in Canadian hands.
Read the full security architecture, or talk to us about your tenant.