Security

Dedication to security is one of the foundational principles of Canvas. That’s why we’ve designed our software and infrastructure to follow industry-leading standards in security and availability from day one.

Infrastructure

Canvas’ infrastructure runs exclusively on AWS. Canvas’ servers are only hosted in the US on data centers that are SOC 2 and ISO 27001 certified. Using AWS ensures the physical and network security of Canvas servers and guarantees our hardware and software are always updated with the latest patches.

Networking

Canvas’ deployment is spread across three availability zones to ensure uptime. All EC2 instances and databases existing within a private subnet unreachable from the outside internet. All access to the private subnet is via a network load balancer in a public subnet. All connections within the subnets are encrypted with mTLS; all requests to the load balancer require TLS. Unencrypted connections are rejected.

Data storage

All of our databases are encrypted at rest with AES-256 encryption using Amazon KMS. These databases are backed up daily with a five day retention window and are configured to use auto-scaling to ensure availability. Secrets such as API keys have an additional layer of asymmetric encryption.

Monitoring

Application and database access are logged via CloudWatch. Application and infrastructure logging is centralized in DataDog with alerts to detect anomalous usage. We store audit logs of who accesses your data in Canvas and when.

Authentication

Canvas uses Google to provide single-sign on with multi factor authentication and password policy enforcement. When accessing integrated data sources Canvas respects the RBAC of the user accessing that data.

Secure development

We are committed to best practices for secure software development. Infrastructure is deployed as code using Terraform. This enables us to cleanly separate encrypted secrets from the source code and to audit infrastructure changes as we would code changes. This also allows us to offer on-premise and single-tenancy deployments when requested.

Deployment

Integration tests and deployments (CI/CD) are automated via Github. You cannot push to the deploy branch directly and all PRs must be signed off. This means no single user can push new code and there’s a clear audit trail for all changes. Our source code dependencies and Docker images are scanned for security vulnerabilities before deployment.

Verification

Canvas contracts with third-party security vendors for regular assessments and penetration tests. We have passed our SOC 2 Type 2 certification.

Contact us

If you would like to disclose a security issue, contact security@canvasapp.com.

We are strong advocates for responsible disclosure by independent security researchers. We believe the best way to protect current and future customers is to encourage researchers to come forward with issues and reply promptly.