Last Updated: June 3, 2021
This Security Overview describes the organizational and technical measures that Canopy Software, Inc. implements platform-wide to prevent unauthorized access, use, alteration, or disclosure of customer data. Canopy services operate on Amazon Web Services (“AWS”), and this page describes activities of Canopy within AWS unless otherwise specified.
- Organizational Security
- Security Training for Employees
- Secure Development Practices
- Network Security
- Endpoint Security
- Access Control
- Monitoring and Logging
- Data Management
- Disaster Recovery
- Incident Response
- Vendor Management
- ISO 27001 Certification
- Penetration Testing
- Customer Responsibilities
- Additional Information
We maintain an industry-leading security program that is based on a layered security approach. Security measures are incorporated at every level of our organization to compound their effectiveness.
Our security program is based on the Secure Controls Framework, NIST Cyber Security Framework (CSF), GDPR, and ISO 27001 standards.
Our security efforts are led by our Chief Information Security Officer, who is supported by a dedicated cybersecurity team.
Secure Development Practices
We employ a secure Software Development Lifecycle (“SDLC”) to manage updates to our systems and applications. Some of the features of our SDLC are:
- Design and code reviews
- Limited source control access
- Unit tests to validate critical security functions
- Data flow diagrams to document the flow of sensitive information
- Continuous integration to automatically run tests
- Production vulnerability monitoring
- Segregation of duties across our development, test and production environments
- Deployment logging that is periodically audited
We maintain stringent encryption standards for our services in order to protect sensitive data in transit and at rest. These include:
- Incorporating the latest recommended encryption methods to protect all web traffic, including TLS 1.2 protocols and AES 256 encryption. We monitor our encryption rating via SSL Labs and ensure that we maintain an ‘A’ rating.
- Encrypting any production data stored in our cloud environment using FIPS 140-2 compliant encryption standards.
We maintain configuration management procedures to ensure that our IT environment aligns with industry best practices. This includes measures such as disabling open ports, removing vendor accounts, disabling root accounts, and more.
We ensure that only the required servers are public-facing, and all system calls are monitored and recorded to ensure integrity and detect unauthorized access.
We have adopted the strategy of least privilege for all access granted in our organization. For example, each user is assigned an email account that may serve as their identity for many of our systems where Single Sign-On (SSO) is enabled. All users are reviewed at least annually across all systems to ensure that their access and permissions remain appropriate.
Authentication and Password Management
Our customer-facing web portal requires a minimum password length and passwords are checked against known compromised credentials. Multi-factor authentication (MFA) is supported on administrator accounts.
In addition to SSO, employees use MFA for systems that contain sensitive data.
Monitoring and Logging
Monitoring mechanisms and logging capabilities are enforced throughout our IT environment. We are able to track administrative access, system calls and production-level commands. The analysis of these logs is automated and conducted in real time. Logs are retained according to our policy.
Data Management (Retention and Disposal)
Canopy protects customer data throughout its entire lifecycle and has mechanisms in place to remove customer data in a timely manner upon expiration.
All customer data is stored and maintained in the AWS geographical region specified by the customer.
Customer data is stored in multi-tenant datastores. Strict privacy controls exist in our application code that are designed to ensure data privacy and to prevent one customer from accessing another customer’s data (i.e., logical separation). We have unit and integration tests in place to ensure these privacy controls work as expected. These tests are run every time our codebase is updated, and even a single failing test will prevent new code from being shipped to production.
Disaster Recovery and Business Continuity
Our web APIs are distributed across multiple servers for redundancy and scalability. There are measures in place to protect against loss of connectivity, power outages, and destruction of a physical location. We also maintain daily backup copies of our production data. We conduct periodic tabletop exercises to test our disaster recovery capabilities.
We maintain an incident response plan that includes policies and procedures that would be enacted in the event of an incident. Our security team is dedicated to monitoring and responding to incidents in real time, and lessons learned from any incidents that have occurred are recorded and used to improve our procedures. We also maintain a communication protocol to alert relevant impacted parties in the event of an incident.
Penetration Testing and Vulnerability Assessments
We continually monitor for vulnerabilities in our IT environment through various tools and processes. We also hire an external party to conduct annual penetration testing and a vulnerability assessment. Results are shared with Canopy leadership and findings are addressed in a timely manner.
Customers are required to:
- Manage their own user accounts and roles within the Canopy services. As such, protecting those accounts and enhancing security through strong passwords and two-factor authentication are also the responsibility of our customers.
- Comply with the terms of their service agreement with Canopy, including with respect to compliance with laws.
- Notify Canopy in the event that user credentials are compromised or any suspicious activity is detected within the Canopy application.