Dedication to security is one of the foundational principles of Canvas. That’s why we’ve designed our software and infrastructure to follow industry-leading standards in security and availability from
At Canvas we appreciate the power and sensitivity of data. Security is the top principle of our engineering team and we've designed Canvas to follow best practices from day one.
Canvas will never store your data on our own servers. Canvas accesses the data from your warehouse and serves it directly to your browser.
Canvas requires secrets such as credentials to your warehouse and dbt project. These secrets are doubly encrypted at rest using database encryption and an additional layer of encryption via Amazon KMS. They are only readable by a service that's inaccessible from the public internet and cannot be retrieved once saved.
Canvas infrastructure runs exclusively on AWS. Canvas’ servers are only hosted in the US in data centers that are SOC 2 and ISO 27001 certified.
Canvas’ deployment is spread across three availability zones to ensure uptime. All EC2 instances and databases exist within a private subnet that is unreachable from the outside internet. All access to the private subnet is via a network load balancer in a public subnet. All connections within the subnets are encrypted with mTLS; all requests to the load balancer require TLS. Unencrypted connections are rejected.
Canvas' infrastructure is deployed as code using Terraform. This enables us to cleanly separate encrypted secrets from the source code and to audit infrastructure changes as we would code changes.
Canvas contracts with third-party security vendors for regular assessments and penetration tests.