Canopy applies industry-standard physical, managerial, and technical safeguards to preserve the integrity and security of your personal information.
We use Amazon Web Services (AWS) to host our servers and data. AWS holds a suite of compliance certifications for its data centers, including full SSAE 16 (SOC 1, SOC 2, and SOC 3) compliance. Our server instances are hosted on dedicated machines provisioned by Heroku (Salesforce), using only data centers located in the United States. Heroku provides an additional layer of infrastructure security for our application, including periodic audits performed by independent and reputable security consulting firms.
Our files, including those that you upload as well as documents generated by Canopy, are hosted on the AWS storage service with strict access restrictions. We protect access to download these private files by requiring cryptographic signatures, with all links being time-limited for extra protection.
Access to production data is strictly limited to employees and other staff who have a business need for such access. Only approved members of the Canopy engineering team have direct access to our production environment. In addition, highly sensitive information is protected under an additional layer of industry-standard SHA-256 encryption, with an additional private key required to gain access on an as-needed basis.
Our team is constantly on the lookout for opportunities to further improve our security policies as we continue to scale our team and improve our platform. If you believe you have discovered a vulnerability within Canopy, or are a security researcher interested in this space, please let us know at security@heycanopy.com.