Our mission at GoCanvas is to simplify our customers' lives by giving them the tools necessary to eliminate wasteful spending and reinvest in productivity. We believe protecting your data is one of our most important responsibilities, and are committed to being open and transparent about our security practices.

Canvas Solutions Inc. provides the GoCanvas SaaS product as a robust platform that provides GoCanvas customers with a stable, highly available, and secure solution to submit, store, and access data at all times. GoCanvas provides these capabilities across the mobile and hosted infrastructure of the GoCanvas product.

Access

At GoCanvas, we adhere to the principles of least privilege and role-based permissions. Employees are only authorized to access data that they must handle to fulfill their current tasks or responsibilities. All production access is reviewed quarterly through automated and manual processes.

Sensitive Data Handling

The GoCanvas product is primarily self-serve, so customers can control the data collected using the GoCanvas platform. Following best practices such as encryption-at-rest and encryption-in-transit, GoCanvas ensures that collected data is handled securely. In addition to these best practices, GoCanvas implements several additional security measures to make sure data is handled appropriately, including:

Security training for all employees,
GDPR/Privacy training for all employees,
HIPAA training for all employees,
Least responsibility model for all employees,
Background checks for employees with infrastructure access.

Infrastructure and Availability

GoCanvas is built on a highly available web application architecture utilizing best practices to achieve high availability, fault tolerance, and the capability to scale to meet future demands. The GoCanvas hosting environment and physical hardware are currently provided by Amazon Web Services Cloud Computing Services (AWS).

Amazon Web Services Cloud Computing Services security processes and practices are detailed in several white papers, reports, and certifications. These are available via the AWS security section of its product website and can be found at http://aws.amazon.com/security/.

GoCanvas maintains two separate infrastructures. One infrastructure is for https://www.gocanvas.com, which is hosted in a data center in the USA; the other is for https://au.gocanvas.com, which is hosted in a data center in Australia. Customer data does not flow between the two infrastructures. Within both regions, the hosting architecture, failover methodology, monitoring, and security are all held to the same standards, which follow best practices. In addition, Amazon Web Services maintains the same infrastructure and operating protocols across all regions.

Availability is monitored by a third-party and available for review at https://status.gocanvas.com/.

Disaster Recovery and Failover

GoCanvas leverages best practices for failover and recovery to ensure data integrity and service continuity. GoCanvas is hosted across several physical data centers to provide redundancy for each architecture component within the GoCanvas application stack. The data centers are located within different locations, separated by enough geographic distance to be isolated from any locally specific issues but close enough not to incur any latency issues when communicating between the regions. This availability is accomplished by leveraging several AWS availability zones within the relevant regions to support the GoCanvas infrastructure.

Configuration Management

GoCanvas employs industry best practices regarding software development (including source control, automated builds, and peer reviews) to ensure that change management and configuration management are performed consistently and securely. The GoCanvas software is developed and managed through a change management system, which is then versioned, built, and deployed automatically. By utilizing automated systems wherever possible, risk and potential downtime are minimized. In addition, the automated systems can roll back software deployments in worst-case scenarios.

Monitoring

The GoCanvas infrastructure has embedded monitoring tools at key points to evaluate performance and availability 24 hours a day, 7 days a week. When any performance metric is outside of operational bounds, a notification is sent to the appropriate team based on the severity and type of deviation. This allows GoCanvas to react to problems and proactively address potential issues.

Backups and Data Redundancy

The GoCanvas operational data store is replicated in near real-time to multiple data centers. If needed, this allows us to recover in real-time to a backup data center to ensure the system's availability and the integrity of your data. In addition, the complete operational data store is fully backed up nightly and isolated from the production environment. This added layer helps ensure the integrity of the data for the GoCanvas customers.

GoCanvas customer data is retained in backups for 90 days. This is a balance between our security, recovery, and privacy concerns. After the retention period, data is automatically removed from our backup infrastructure.

Authentication, Authorization, and Logging

All access to the GoCanvas servers and infrastructure is governed by the principle of “least privilege,” where only personnel who absolutely need to have access have it. Where appropriate, access is granted on a limited-time basis for personnel to execute a specific task, at which point it is revoked.

All access and remote file transfers always leverage industry-standard Transport Layer Security (“TLS”) version 1.2 or greater protocols to create a secure connection for data in transit. All access to the GoCanvas infrastructure is centrally logged and regularly reviewed for policy and procedural violations.

All remote web browser access to the GoCanvas website, which may display sensitive information and authorization information, must be accessed via HTTPS using TLS version 1.2 or greater. All access to the GoCanvas website and specific user information is logged and regularly reviewed for policy and procedural violations.

Account Security

GoCanvas secures credentials using industry best practices, including salting and hashing authentication passwords stored within the GoCanvas product. GoCanvas customers also have the ability, within their account settings, to configure password complexity, expiration, and lockout preferences for their GoCanvas account. In addition, GoCanvas integrates with both LDAP and SAML protocols for leveraging external authentication when desired by our customers.

For more information regarding password settings, visit the Help Center article, "Advanced Security Requirements for Passwords."

For more information regarding LDAP, visit the Help Center article, "Enable LDAP Authentication."

For more information regarding SAML, visit the Help Center article, "Enable and Configure Single Sign On (SSO)."

GoCanvas Network Security

GoCanvas servers reside behind a complete firewall solution, with all access defaulting to deny incoming traffic. Only the minimum necessary protocols and traffic are allowed access to the GoCanvas environment. Any changes to the firewall configuration require the appropriate access level and validation via the GoCanvas change management process. This validation prevents unauthorized access or modification of GoCanvas firewall rules. All firewall changes are reviewed by the security team every month and are analyzed by automated tooling.

Encrypted communication is required for all access to GoCanvas over a network interface, including the GoCanvas website and mobile device access, which may contain sensitive information.

GoCanvas Infrastructure Security

Our server infrastructure is a highly maintained and monitored environment. We follow best practices regarding real-time monitoring, security patching, and user access. All servers are integrated with an internal Intrusion Detection System (IDS) that monitors all changes and access made to the environments.

Security patching is scheduled based on standardized threat levels (CVE).

Patch Type	Description	Interval
Standard	Updated local packages that do not include a HIGH threat rating.	Applied to all environments no less than quarterly.
Critical	CVE rating HIGH/CRITICAL.	Immediately applied to test environments and applied to production after successful testing.

GoCanvas Data Security

All user-supplied information is encrypted using the industry-accepted AES encryption algorithm before being written to any permanent data storage (data at rest encryption). All backups and replication of the GoCanvas data store are also encrypted in the same manner.

All data stored by the GoCanvas client, whether it is data read from the GoCanvas server or data entered by a user, is encrypted using an encryption algorithm recognized as industry-approved before being stored on disk. The encryption algorithms utilized vary by device. The current algorithms are:

Client	Algorithm
Windows	AES 256
iOS	AES 256
Android	AES 128
AWS	AES 256

All communication with the GoCanvas server infrastructure is always secured by 256-bit TLS (currently 1.2), which cannot be disabled by a user of the GoCanvas client (data in transit encryption).

User-defined GoCanvas Data Security

In addition to the security controls enabled across the GoCanvas product, GoCanvas customers can also

choose to enable HIPAA compliance controls for a specific account. This feature sets a compliant user-idle timeout and automatically logs the user out of the system. The feature also restricts the saving of passwords on the user’s devices to comply with HIPAA. These controls are in place to prevent unauthorized data access if a mobile device is lost or a terminal is left unattended. In addition, GoCanvas disables all in-application email capabilities for accounts specified as being HIPAA compliant.

For more information regarding our HIPAA compliance settings, visit the Help Center article, "Is GoCanvas HIPAA compliant?"

Email Security

GoCanvas utilizes Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to provide email security. GoCanvas’ default email settings comply with SPF and DKIM standards, allowing customers to implement Domain-based Message Authentication Reporting and Conformance (DMARC) policies that quarantine or reject unauthenticated emails. GoCanvas also provides support for customers to set up DKIM when using a Custom Sender Email Address by adding a special digital signature to the outgoing emails, verifying that an email is from GoCanvas and hasn’t been altered during transit. This prevents attackers from sending fake emails that appear to come from your domain, protecting you from scams and ensuring the integrity of email communication.

For more information regarding Custom Email Sender, visit the Help Center article, "Setup a Custom Sender Email Address."

For more information regarding SPF, DKIM, and DMARC, visit the Help Center article, "Ensure Delivery of GoCanvas Emails."

Incident Response

GoCanvas maintains security management policies and procedures following current best practices. These processes and procedures are overseen by the Chief Technology Officer and are tested on an annual basis. These policies provide a framework for communication, classification, and resolution of incidents. As part of this process, we create possible attack scenarios based on our experience, the external threat environment, and threat intelligence to simulate and test our controls. These scenarios include, but are not limited to, data exfiltration, vulnerability remediation, unauthorized access to integrated systems, and zero-day response.

Vulnerability Management/Risk Management

At GoCanvas, the security of our products, infrastructure, and customer data is a top priority. We leverage different systems, technologies, and processes to identify, mitigate, and respond to vulnerabilities against the GoCanvas platform. To ensure the security of customer data, GoCanvas has invested in the following capabilities:

Regular penetration tests performed by external third parties,
Dynamic Application Security Testing (DAST),
Static Application Security Testing (SAST),
Software Composition Analysis (SCA),
Library and operating system vulnerability scanning.

Change Management

GoCanvas maintains a change management process for production releases and production changes. This includes a defined Software Development Life Cycle (SDLC), which incorporates documentation and ticketing associated with every software change. This formalized process reduces the risk of mistakes, unintentional interactions, and vulnerabilities in our code base. Additionally, GoCanvas implements a rigorous QA process with segmented environments for testing, validation, and sign-off before production releases occur. Infrastructure changes and updates follow a change control process, allowing proper checks and balances. This lets us quickly diagnose any erroneous system behavior and identify and correct the cause.

SOC 2 Compliance

GoCanvas has completed an independent audit for SOC 2 Type 2 compliance. This verification ensures that our controls and processes meet the highest security, availability, processing integrity, and confidentiality standards. GoCanvas uses SOC 2 compliance to manage risks, prevent data breaches, and keep GoCanvas highly-available. GoCanvas’ SOC2 report and other resources are available in our Trust Center.

Trust Center

GoCanvas maintains a Trust Center which provides our customers with security control information, resources about our security practices, compliance measures, and privacy policies. Within the Trust Center, customers can view the state of our security controls, review GoCanvas’ sub-processors, and review other security documentation, including our SOC2 report.

To learn more, visit the Help Center article, What is the GoCanvas Trust Center?"

Policies

Did we answer your question?

We'd really appreciate your feedback! If you decide to downvote, please leave your suggestions for improvement in the comments or let us know what you're looking for so we can assist you better. We want to help, but we need to understand your needs!

GoCanvas Security & Infrastructure Overview

Please review the GoCanvas Security & Infrastructure Overview below. This is the most up to date document as of 2024.

Table of Contents

Introduction