Version 1.1 Updated 5 March 2021
At Canapii we are committed to protecting your personal data, the integrity of our systems and information security, and the availability of our software. Canapii has key security controls in place to protect your data, and is consistently monitoring its posture, controls, and policies to maintain and improve. These key controls are listed below. Our security strategy covers all aspects of our business, including:
At Canapii we are committed to protecting your personal data. Canapii’s Privacy Policy (Canapii.com/privacy) clearly outlines how Canapii collects and processes your personal data through use of Canapii’s products and services, in addition to any applications or online tools containing reference to this policy.
Canapii is compliant with the European Union’s General Data Protection Regulation (GDPR). We use the EU Commission approved standard contractual clauses to protect personal data transferred from the EEA to the United States.
Canapii is compliant with the Data Protection Act 2018. We also use the EU Commission approved standard contractual clauses to protect personal data transferred from the UK to the United States.
Canapii outsources its cardholder functions to PCI-DSS Level 1 service provider Stripe. Stripe has been audited by an independent PCI Qualified Security Assessor (QSA) and is certified as a PCI Level 1 Service Provider. This is the most stringent level of certification available in the payments industry.
Canapii access operates on a principle of Least Privilege. Canapii’s access control policy reduces the risk of access by unauthorized persons. The allocation of privileged access rights is restricted, controlled and not provided by default. The authorisation for the use of such accounts is only provided explicitly, upon written request from Canapii Senior Management, and is documented by the system owner. Canapii’s IT Department guards against issuing privilege rights to entire teams to prevent potential losses of confidentiality and/or integrity.
Access rights are granted following the principles of least privilege, need to know and the classification levels of information processed within that application/system. Rights are granted to roles rather than individuals for ease of management. Access to our systems is based upon a documented, approved request process and requires two-factor authentication. Users’ identities are verified prior to creation of accounts.
Regular verifications take place to determine that the owner of a user ID is still employed and assigned to the appropriate role. Access is also restricted by system permissions using a least privilege policy and defined by the documented business need. Exceptions identified during the verification process are assessed and approved accordingly. Business need privilege is reviewed on a quarterly basis to determine that access is in line with the users’ job function. Exceptions identified during the review are assessed and approved accordingly. User access is revoked immediately upon termination of employment or change of job role.
Passwords are a vital aspect of IT security. Employees must use strong passwords, created as per the guidance in Canapii’s password management policy. Passwords are maintained in accordance with the policy.
All PCs are secured via full BitLocker disk encryption and managed by IT admin. Canapii diligently applies updates to employees’ PCs and installs software to actively monitor for malware and viruses. We can remotely access employees’ devices to apply critical updates or to wipe sensitive data.
Canapii has a robust Security Awareness and Training Program in place. Training is delivered monthly to all employees regardless of job title or role type. All new hires complete their first training module within 30 days of their start date, and they are also required to read Canapii’s key security policies within this period. Additional security training takes place in response to specific departmental requirements, most often for developer and HR teams. Training topics include GDPR and data legislation, remote working security, password management, network security and secure coding.
Canapii is a global organization that hires for multiple job roles in multiple countries. Canapii’s onboarding and recruitment policy applies to both full/part time employees and contractors and is aligned to Canapii’s Least Privilege role types. All Canapii employees undergo a background check prior to employment.
All Canapii employees are required to sign Non-Disclosure and Confidentiality agreements.
Canapii has a comprehensive set of information security policies covering a range of topics. These policies include key items such as incident review procedures, access control, secure software development, secure browsing, and IT security standards. Policies are shared with all employees in Canapii’s shared employee resource space, including all new hires within 30 days of their start date.
Canapii is deployed on public cloud infrastructure with a guaranteed high level of availability. Services are deployed in a distributed network with load balancers and scale in response to demand. Simulated load and data response times are incorporated into our testing and release cycle.
Canapii has a swift, effective response to potential cyber-security events. All staff are aware of, and follow, the Canapii Incident Management Procedure. This ensures that staff outside the dedicated security and IT leads are trained to recognize a potential security incident. Beyond our internal expertise, Canapii additionally works with an Information Security Service provider to manage the incident response procedure.
Canapii takes the confidentiality, integrity and availability of its proprietary information and its clients’ data seriously and sees information security as an enabler for ensuring these fundamental aspects of software design are provided.
Canapii supports testing, staging and production environments. No customer data is used in any testing or staging environment.
Additionally, Canapii supports a CI/CD workflow for its development team that includes clear ‘sign off’ procedures, automated test sets and quality assurance checks between staging and production environments.
In addition to a list where all access control changes are published, we have a suite of automated unit tests that check that access control rules are written correctly and enforced as expected. We also work with third-party security professionals to:
Canapii has dedicated Quality Assurance members within its security and development teams. The QA team reviews and tests code in the testing and staging environments. There is a segregation of duties between dedicated QA members and developers. Canapii investigates and recommends remediations of security vulnerabilities within code. Occasionally, when required, Canapii deploys a third-party Quality Assurance company in a secure production environment to support user experience updates and streamline flaw management across devices and browsers.
Canapii uses verification and Two Factor Authentication (2FA) to verify users accessing the live Canapii platform, and therefore all events hosted on it.
Canapii uses AWS CloudWatch to monitor and log behaviour within its applications.
Canapii operates a serverless environment for its application. This allows Canapii to run and scale its application with high availability. Security and compliance are shared responsibilities between AWS and Canapii.
Canapii uses Amazon Web Services (AWS) for data center hosting. AWS data centers are certified as ISO 27001, PCI DSS Service Provider Level 1, and/or SOC 1 and 2 compliant. AWS employs robust controls to secure the availability and security of its systems. This includes measures such as backup power, fire detection and suppression equipment, and secure device destruction, amongst others.
AWS data center physical security begins at the Perimeter Layer. This Layer includes a number of security features depending on the location, such as security guards, fencing, security feeds, intrusion detection technology, and other security measures.
AWS data centers are designed to anticipate and tolerate failure while maintaining service levels. In case of failure, automated processes move traffic away from the affected area. Core applications are deployed to an N+1 standard, so that in the event of a data center failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.
Canapii has dedicated IT employees and security consultants in place to monitor, improve and respond.
Third party penetration tests are conducted at least twice per year, and often more frequently, once per quarter. Penetration testing techniques validate discovered vulnerabilities to determine the overall risk of any or all discovered issues. Canapii has a vulnerability remediation procedure in place designed to track and remediate them.
Canapii leverages threat detection services within AWS to continuously monitor for malicious and unauthorised activity.
We perform regular internal vulnerability scans of our infrastructure. Where issues are identified, these are tracked until remediation.
Canapii utilizes native AWS tools and application specific mitigation techniques.
Canapii access operates on a principle of Least Privilege, as described above. Canapii’s access control policy reduces the risk of access by unauthorized persons. The allocation of privilege rights is restricted, controlled and not provided by default. The authorisation for the use of such accounts is only provided explicitly, upon written request from Canapii Senior Management, and is documented by the system owner. Canapii’s IT Department guards against issuing privilege rights to entire teams to prevent potential losses of confidentiality and/or integrity. Two factor authentication is required for all production systems.
Communication to and from Canapii over public networks is encrypted with TLS 1.2 or higher. We adopt current leading practices for cipher suite selection and TLS configuration.
Canapii’s data is encrypted at rest with industry standard AES-256 encryption.
Canapii uses Amazon AWS for data center hosting. AWS data centers are certified as ISO 27001, PCI DSS Service Provider Level 1, and/or SOC 1 and 2 compliant.
Canapii outsources its cardholder functions to a PCI-DSS Level 1 service provider. A copy of our SAQ-A can be made available on request.
Canapii is audited regularly by third-party security agent CyberGRX to assess its vulnerabilities and continually improve its posture. Canapii is also Cyber Essentials Plus certified.
Canapii works with third parties to improve the service and products it provides to you, to provide core infrastructure, and to support its processes. Canapii understands the risks associated with poorly managed third-party relationships, and all vendors Canapii works with are evaluated in line with Canapii’s Vendor Management Policy.
Amazon AWS: EU (IE); application hosting and data storage.
Stripe: EU & US; payment processing; on request.
Chargify: US; subscription management and invoicing; on request.
Microsoft 365: EU; internal collaboration, SharePoint, emails, and Office applications.
If you have any specific concerns or questions about Canapii security, please contact info@canapii.com with reference ‘Security001Can’.
Any grievance or complaint in relation to the processing of information should be sent to Canapii at info@canapii.com. Grievances shall be redressed as expeditiously as possible. We would appreciate the chance to deal with your concerns before you approach any formal information security authority, so please contact us first.