Security

Dedication to security is one of the foundational principles of Canvas. We’ve designed the product and infrastructure to follow industry-leading standards in security and availability.

Best practices

At Canvas we appreciate the risks and sensitivity of data. Security is the top principle of our engineering team and we've designed Canvas to follow best practices from day one.

Secrets, such as credentials to your data sources, are doubly encrypted at rest using database encryption and an additional layer of encryption via Amazon KMS. They are only readable by a service that's inaccessible from the public internet.

Infrastructure

Canvas infrastructure runs on AWS, on US-based data centers.

Deployment is spread across three availability zones to ensure uptime. EC2 instances and databases exist within a private subnet unreachable from the outside internet.

Access to the private subnet is via a network load balancer in a public subnet. All connections within the subnets are encrypted with mTLS; all requests to the load balancer require TLS. Unencrypted connections are rejected.

Our infrastructure is deployed as code using Terraform. This enables us to cleanly separate encrypted secrets from the source code and to audit infrastructure changes as we would code changes.

SOC 2

Canvas is SOC 2 Type 2 certified. You can reach us at security@canvasapp.com to request our most recent SOC 2 Type 2 report.

External audits and researchers

Canvas contracts with third-party security vendors for regular assessments and penetration tests.

We run a bug bounty program, which is an industry best practice of responsibly inviting external researchers to test our product security without affecting customer data.