Our security overview
Keeping customer data safe and secure is a huge responsibility and a top priority for Canopy. We work hard to protect our customers from the latest threats. We store all our own sensitive information on the same servers our customers do. We don’t want our information compromised, so we’re motivated by self-preservation as well. Aligning our goals with your goals is the best way to see eye-to-eye on the need to keep everything as secure as we can.
Access control and organizational security
Personnel
All our employees and contracted workers sign confidentiality agreements before gaining access to our code and data. Background checks aren’t performed on our workers. Each person at Canopy is trained and made aware of security concerns and best practices for their systems. Remote access to servers is only possible via two factor authentication, and limited to workers who need access for their day to day work. We log all access to all accounts by name & IP address.
Penetration testing
Our software infrastructure is updated regularly with the latest security patches. While perfect security is a moving target, we work with security researchers by running a bounty program in Federacy and welcome reports. More details are available here: https://canopy.is/m/security/issues
We conduct on-going review and regular testing.
We conduct on-going reviews of these security measures and we perform regular security testing. These efforts help us to better protect your personal data.
Team responsibilities
Our Back-end Engineering team is responsible for Security, Infrastructure and Performance (SIP) and are in charge of access/identity management, and log file management. Their responsibilities include:
- Managing our bug bounty program in Federacy
- Reviewing all changes to the code and infrastructure to ensure they follow best practices and security guidelines (such as OWASP)
- Building and operating Canopy’s infrastructure, including logs, monitoring and authentication
- Reviewing, testing and designing incident response processes
- Responding to alerts triggered by any security events
- Monitoring and alerting on anomalous activity
- Coordinating vulnerability testing with external security researchers
Audits, Security Policies and Standards
Canopy itself has not completed a SOC audit yet, but our entire infrastructure is hosted with cloud providers. Canopy is hosted by Heroku. A cloud service, Heroku is equipped to handle power failures and DDoS attacks. For more information on Heroku's security, please visit Heroku's security overview. We also use Amazon AWS (Amazon Web Services) for a variety of services. For more information on Amazon's security, please visit Amazon's security overview.
We have an internally built system that monitors and automatically blocks suspicious activity (including failed logins, spam attempts, and a host of other suspicious activity). We also have alerts in place for excessive resource use that escalates to our engineering team for manual investigation.
Incident management and disaster recovery
Redundancy
Our entire infrastructure runs in the cloud (Heroku & Amazon AWS), all your data has redundancy measures in place. Files that our customers upload are stored on servers that use modern techniques to remove bottlenecks and points of failure.
Backups
We practice regular recovery drills. We perform multiple backups a day of all databases and files are backed up automatically after they are uploaded to Canopy. Our backups are tested on a regular basis and are stored safely by our cloud provider. We have procedures for responding to incidents managed by our Engineering team. In the event of an incident, we would contact your account owner, and work with you throughout.
Encryption in transit and at rest
Your data are sent using HTTPS.
Whenever your data are in transit between you and us, everything is encrypted, and sent using HTTPS.
Encryption at rest
Our application databases are generally not encrypted at rest — the information you add to the applications is active in our databases and subject to the same protection and monitoring as the rest of our systems. Our database backups are encrypted. Not all files which you upload are stored encrypted at rest, but all access URLs are hashed and impossible to guess.
We protect your billing information.
Our credit card processor has been audited by a PCI-certified auditor, and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available.
Security isn’t just about technology, it’s about trust.
We're trusted by hundreds of CEOs in over 25 different countries. Companies like Airbnb, Kickstarter, Medium, AgileBits, and TechStars have used our software every week for the past 7 years. We don't take their trust in us lightly, and work hard everyday to make sure that we are as vigilant about security as possible.
Have a concern? Want to learn more?
Please send us a note at support@canopy.is. We're happy to help anyway we can.