For tax-practice firms whose client corporate financial statements run through ChatGPT every quarter.

Tonia keeps T4s, RL-1s and financial statements on-site — never cross-border.

The Sovereign profile of Tonia runs tax preparation and analytical review on-site installed in your firm: names, SIN, identifying amounts and corporate client financial statements stay in Québec, under your KMS key. The Frontier profile routes client communications (with identifiers redacted) to a frontier-model provider. The locally signed audit log is the tool the OCAQ asks for at the annual practice review — and you already have it.

Assess my Loi 25 exposure Request a free consultation

Regulatory framework

Loi 25 + sectoral duties

A Quebec CPA firm — whether in sole practice or as a CPA professional partnership — operates under three simultaneous regimes: Bill 25, the CPA Code of professional conduct, and the Act respecting Chartered Professional Accountants (CQLR, c. C-48.1) with its duty-of-means obligations.

Bill 25, art. 5 + art. 14: client information collection is limited to the mandate; retention aligns with tax/accounting duties (7 years in most cases).
Loi 25, art. 17: communicating a T4, RL-1, T5, NR4 or corporate-identifying financial statement to a U.S. cloud provider (ChatGPT, Claude direct, M365 Copilot) requires a documented art. 17 para. 2 assessment. Absent the assessment, the transfer is non-compliant.
CPA Code of professional conduct: - art. 48 — professional secrecy on information entrusted by the client in the mandate. - art. 50 — confidentiality of corporate client information: revenue, margins, sensitive transactions, bank accounts. - art. 55 — prudent use of technology tools; the standard evolves with what is available.
Act respecting Chartered Professional Accountants, art. 21: duty of means for information protection. The syndic may sanction the absence of reasonable means, which includes unsupervised use of a U.S. cloud service for processing identifying tax data.
OCAQ — "Position on generative artificial intelligence in professional practice": not binding, but cited in the annual practice review as a diligence-assessment grid.

The practical consequence is known to every tax-practice CPA: pasting a client employee's T4 or a corporate financial statement into ChatGPT for synthesis communicates the information to a U.S. corporation — without client-corporation consent, without a contractual framework, and without an art. 17 assessment. The syndic has taken note.

Use cases

Three typical AI use cases

Case 1 — Tax-return preparation

(synthesis of T4, T5, NR4, RL-1, financial statements). Maximum Bill 25 friction. Tax slips identify the taxpayer (SIN, employer, salary), the corporate client (NEQ, transactions), and — by cross-reference — third parties (employees, contractors). Pasting a single complete financial statement into ChatGPT simultaneously communicates the corporate client's information (Code art. 50) and that of the in-scope employees (Bill 25 art. 17).

Case 2 — Analytical review of financial statements

(ratio analysis, anomaly detection, sectoral comparisons). High-leverage automation case: ChatGPT-4 or Claude Opus return in seconds an analysis that took two hours manually. But each request identifies a corporate client by its unique figures — margin, revenue, sector-tax line.

Case 3 — Drafting management notes or client communications

(letters, planning memos, annual presentations). Less sensitive if specific names and numbers are removed before send. Still problematic if the wording contextualizes the letter — "my client, a Saint-Hyacinthe SME manufacturer at CA$12M revenue" identifies the firm to a narrow circle.

Posture

What Tonia solves — and what it does not

Case 1 (tax preparation) → Sovereign profile.

The on-site tonia installed in the firm absorbs the full tax synthesis. T4s, RL-1s, financial statements run through the local model; no byte crosses the border. Bill 25 art. 17 does not apply, for lack of transfer. The signed audit log documents every request — you can demonstrate to the OCAQ exactly which slips were synthesized, when, by which roster-listed CPA.

Case 2 (analytical review) → Sovereign profile.

Same posture: identifying figures stay on-site. The locally-executed analytical review produces the same deliverable as the ChatGPT-executed one, without the transfer.

Case 3 (client communications) → Frontier profile.

The Frontier profile routes approved requests to a frontier-model provider. tonia redacts identifiers (client name, NEQ, unique figures) before send; the signed audit log documents the redaction (cryptographic fingerprint of post-redaction content, invoked policy rule). The CPA can demonstrate to the OCAQ that the client communication did not expose the firm.

What Tonia does not solve

Tonia does not replace the corporate client's consent to AI use in the tax mandate. The annual engagement letter must name the posture (Sovereign or mixed).
Tonia does not replace the art. 17 para. 2 assessment: if the firm enables the Frontier profile for a category (e.g. translation of a client memo into English), the firm's PRPRP documents the decision in the ÉFVP.
Tonia does not replace the annual practice review: the audit log is one tool for demonstrating diligence; the OCAQ also looks at staff training, firm policy, and the signing chain.

Case study

CPA firm specializing in international taxation, 8 CPAs + 12 support, ~150 Canadian and U.S. corporate clients, deployed under Tonia — Sovereign profile in Q1-2026. Anonymization required. OCAQ validation referenced for credibility of the annual practice review.

The firm had been using ChatGPT-4 for tax synthesis and analytical review since 2023. The 2025 update of the CPA Code of professional conduct and the publication of the OCAQ Position on generative AI triggered an internal review. Internal audit in November: 7 categories of requests non-compliant with art. 17 (tax preparation, analytical review, sectoral comparisons), and a potential art. 50 flag on using ChatGPT for the synthesis of identifying financial statements.

Deployment in Q1-2026: on-site tonia in the firm's server room, policy configured by the PRPRP in collaboration with the managing partner, 3-h training of the 20 users. The Sovereign profile absorbs tax preparation and analytical review wholesale — 100% of requests handling slips or financial statements execute on-site. The Frontier profile remains enabled for client-communication translation (category classified as non-sensitive with active PII redaction).

Metrics surfaced

tax requests executed on-site per period (January-April vs. rest of year)
corporate clients synthesized per month
signed audit-log entries
BLOCK events (PII patterns detected on the Frontier profile)
average synthesis time per tax return

Want to see how this applies in your firm?

Want to see how this applies in your firm? Start with the free Loi 25 audit, then request a 30-min consultation. We will review your three tax use cases, OCAQ obligations, and on-site tonia sizing if your context calls for it.

Request a free 30-min consultation See the compliance hub

Disclosure notice: this page is editorial and reflects Tonia's commercial position. Regulatory references are verifiable at the indicated links. Before acting, validate the obligations specific to your organization with your counsel.