Canapii security

Version 1.1  Updated 5 March 2021

Security statement

At Canapii we are committed to protecting your personal data, the integrity of our systems and information, and the availability of our software. Canapii has key security controls in place to protect your data and continually monitors its posture, controls and policies in order to maintain and improve them. These key controls are listed below. Our security strategy covers all aspects of our business, including:

  • Canapii security policies

  • Network and data centre security

  • IT infrastructure and operational security processes

  • Training and awareness for all Canapii employees and contractors

  • Scalability and reliability of system architecture

  • Application security

  • Systems development and maintenance

  • Service development and maintenance

  • Data privacy

  • Guidance and consultation from third party security experts

Privacy Policy

At Canapii we are committed to protecting your personal data. Canapii’s Privacy Policy (Canapii.com/privacy) clearly outlines how Canapii collects and processes your personal data through use of Canapii’s products and services, in addition to any applications or online tools containing reference to this policy.

GDPR

Canapii is compliant with the European Union’s General Data Protection Regulation (GDPR). We use the European Commission-approved standard contractual clauses (SCCs) to protect personal data transferred from the EEA to the United States.

UK Data Protection Act

Canapii is compliant with the UK Data Protection Act 2018. We also use the European Commission-approved standard contractual clauses to protect personal data transferred from the UK to the United States.

PCI DSS

Canapii outsources its cardholder data functions to Stripe, a PCI DSS Level 1 service provider. Stripe has been audited by an independent PCI Qualified Security Assessor (QSA) and is certified as a PCI Level 1 Service Provider, the most stringent level of certification available in the payments industry.

Employee security

Principle of Least Privilege

Canapii access operates on a principle of Least Privilege. Canapii’s access control policy reduces the risk of access by unauthorized persons. The allocation of privileged access rights is restricted, controlled and not provided by default. The authorisation for the use of such accounts is only provided explicitly, upon written request from Canapii Senior Management, and is documented by the system owner. Canapii’s IT Department guards against issuing privilege rights to entire teams to prevent potential losses of confidentiality and/or integrity.

Access controls

Access rights are granted following the principles of least privilege and need to know, and according to the classification level of the information processed within the application or system. Rights are granted to roles rather than to individuals for ease of management. Access to our systems is based upon a documented, approved request process and requires two-factor authentication. Users’ identities are verified before accounts are created.

Regular verifications take place to confirm that the owner of a user ID is still employed and assigned to the appropriate role. Access is further restricted by system permissions under the least-privilege policy and is defined by documented business need; privileges are reviewed quarterly to confirm that access remains in line with each user’s job function. Exceptions identified during verification or review are assessed and approved accordingly. User access is revoked immediately upon termination of employment or change of job role.

Password management

Passwords are a vital aspect of IT security. Employees must use strong passwords, created and maintained in accordance with Canapii’s password management policy.

Employee devices

All PCs are secured with BitLocker full-disk encryption and are managed by IT administrators. Canapii diligently applies updates to employees’ PCs and installs software that actively monitors for malware and viruses. We can remotely access employees’ devices to apply critical updates or to wipe sensitive data.

Security awareness

Canapii has a robust Security Awareness and Training Program in place. Training is delivered monthly to all employees regardless of job title or role type. All new hires complete their first training module within 30 days of their start date and are also required to read Canapii’s key security policies within this period. Additional security training takes place in response to specific departmental requirements, most often for the developer and HR teams. Training topics include GDPR and data legislation, remote-working security, password management, network security and secure coding.

Employee onboarding

Canapii is a global organization that hires for multiple job roles in multiple countries. Canapii’s onboarding and recruitment policy applies to full-time and part-time employees as well as contractors, and is aligned with Canapii’s role-based least-privilege model. All Canapii employees undergo a background check prior to employment.

Confidentiality agreements

All Canapii employees are required to sign Non-Disclosure and Confidentiality agreements.

Information security policies and program

Canapii has a comprehensive set of information security policies covering a range of topics, including incident review procedures, access control, secure software development, secure browsing and IT security standards. Policies are shared with all employees in Canapii’s shared employee resource space; all new hires read them within 30 days of their start date.

Availability, uptime, and continuity

Uptime

Canapii is deployed on public cloud infrastructure with a guaranteed high level of availability. Services are deployed in a distributed network behind load balancers and scale in response to demand. Load testing and response-time measurement are incorporated into our testing and release cycle.

Incident procedure

Canapii maintains a swift, effective response to potential cyber-security events. All staff are aware of, and follow, the Canapii Incident Management Procedure, which ensures that staff outside the dedicated security and IT leads are trained to recognize a potential security incident. Beyond our internal expertise, Canapii works with an information security service provider to support incident response.

Application security

Canapii takes the confidentiality, integrity and availability of its proprietary information and its clients’ data seriously, and sees information security as an enabler for building these fundamental properties into its software design.

Environment segregation

Canapii supports testing, staging and production environments. No customer data is used in any testing or staging environment.

Software development lifecycle

Canapii operates a CI/CD workflow for its development team that includes clear sign-off procedures, automated test suites and quality assurance gates between the staging and production environments.

In addition to a published log of all access control changes, we maintain a suite of automated unit tests that check that access control rules are written correctly and enforced as expected. We also work with third-party security professionals to:

  • Test our code for common exploits

  • Use network scanning tools against our production servers
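The access control model described above (rights attached to roles, privileged rights never granted by default, automated tests that the rules are written correctly and enforced as expected) can be illustrated in code. The following is an added example written for this page, not Canapii's own code: the resources, actions, roles and invariants are assumed for illustration. It shows a deny-by-default evaluator, a lint pass that catches a mistyped rule, a wildcard, or a privileged action slipped into a default role, and behavioural checks of the kind a CI pipeline would run before promotion from staging to production.

```python
"""Role-based, deny-by-default access control rules with automated checks.

Added example, not Canapii's code: the roles, permissions and invariants below
are assumed for illustration. It shows the kind of unit tests that catch a
mistyped rule or an over-privileged role before it reaches production.
"""
import re

# Assumed vocabulary of resources and actions; a permission is "resource:action".
RESOURCES = {"event", "session", "attendee", "billing", "user"}
ACTIONS = {"view", "edit", "join", "present", "list", "export", "refund", "impersonate"}
PERM_RE = re.compile(r"^([a-z]+):([a-z]+)$")

# Privileged actions are never part of a default role; they require an explicit,
# separately approved grant recorded against the individual user.
PRIVILEGED = frozenset({"attendee:export", "billing:refund", "user:impersonate"})

# Rights attach to roles, never to individual users (assumed role map).
ROLE_PERMISSIONS = {
    "attendee":  {"event:view", "session:join"},
    "speaker":   {"event:view", "session:join", "session:present"},
    "organiser": {"event:view", "event:edit", "session:join", "attendee:list"},
    "support":   {"event:view", "attendee:list"},
}


def is_allowed(roles, permission, privileged_grants=frozenset(),
               role_permissions=ROLE_PERMISSIONS):
    """Deny by default. A permission is allowed only if one of the user's roles
    carries it exactly; privileged permissions bypass roles entirely and are
    allowed only via an explicit grant. Unknown roles/permissions grant nothing."""
    if permission in PRIVILEGED:
        return permission in privileged_grants
    return any(permission in role_permissions.get(role, ()) for role in roles)


def lint_rules(role_permissions=ROLE_PERMISSIONS):
    """Static checks that the rule table is written correctly.
    Returns a list of problems; an empty list means the rules pass."""
    problems = []
    for role, perms in sorted(role_permissions.items()):
        for perm in sorted(perms):
            match = PERM_RE.match(perm)
            if not match:
                problems.append(f"{role}: malformed permission {perm!r} (no wildcards)")
                continue
            resource, action = match.groups()
            if resource not in RESOURCES or action not in ACTIONS:
                problems.append(f"{role}: unknown permission {perm!r} (typo?)")
            if perm in PRIVILEGED:
                problems.append(f"{role}: privileged {perm!r} must not be a default right")
    return problems


def enforcement_checks():
    """Behavioural checks that the rules are enforced as expected.
    Each case is (roles, privileged_grants, permission, expected_decision)."""
    cases = [
        ((), frozenset(), "event:view", False),                       # no roles: nothing
        (("attendee",), frozenset(), "event:view", True),
        (("attendee",), frozenset(), "event:edit", False),
        (("organiser",), frozenset(), "event:edit", True),
        (("organiser",), frozenset(), "attendee:export", False),      # never via a role
        (("organiser",), frozenset({"attendee:export"}), "attendee:export", True),
        (("organiser",), frozenset(), "event:delete", False),         # unknown permission
        (("superuser",), frozenset(), "event:view", False),           # unknown role
    ]
    failures = []
    for roles, grants, perm, expected in cases:
        got = is_allowed(roles, perm, grants)
        if got != expected:
            failures.append(f"roles={roles} perm={perm}: expected {expected}, got {got}")
    return failures


if __name__ == "__main__":
    # A deliberately broken table: a wildcard, a typo and a privileged default right.
    broken = {"admin": {"event:*"}, "speaker": {"session:presnt", "billing:refund"}}
    print("current rules:", lint_rules() or "ok")
    print("broken rules:", *lint_rules(broken), sep="\n  ")
    print("enforcement:", enforcement_checks() or "ok")
```

Both `lint_rules()` and `enforcement_checks()` return an empty list on success, so wiring them into a CI step is a matter of failing the build when either list is non-empty; the broken table in the `__main__` block produces three findings, one per class of mistake.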

Quality assurance

Canapii has dedicated Quality Assurance (QA) members within its security and development teams. The QA team reviews and tests code in the testing and staging environments, with segregation of duties between dedicated QA members and developers. Canapii investigates security vulnerabilities in code and recommends remediations. When required, Canapii also engages a third-party QA company, working in a secured production environment, to support user-experience updates and streamline flaw management across devices and browsers.

Two factor authentication and user verification

Canapii uses identity verification and two-factor authentication (2FA) for users accessing the live Canapii platform, and therefore for all events hosted on it.

Monitoring and logging

Canapii uses AWS CloudWatch to monitor and log behaviour within its applications.

Data Center security

Architecting secure serverless applications

Canapii operates a serverless environment for its application, which allows Canapii to run and scale the application with high availability. Security and compliance are shared responsibilities between AWS and Canapii: AWS secures the underlying cloud infrastructure, while Canapii remains responsible for its application code, its data, its identity and access configuration, and the security settings of the AWS services it uses.

Facilities

Canapii uses Amazon Web Services (AWS) for data center hosting. AWS data centers are certified as ISO 27001 and PCI DSS Service Provider Level 1 compliant and are covered by SOC 1 and SOC 2 reports. AWS employs robust controls to protect the availability and security of its systems, including backup power, fire detection and suppression equipment and secure device destruction, among others.

On-Site Security

AWS data center physical security begins at the perimeter layer. Depending on the location, this layer includes security features such as security guards, fencing, security feeds, intrusion detection technology and other measures.

Redundancy

AWS data centers are designed to anticipate and tolerate failure while maintaining service levels. In case of failure, automated processes move traffic away from the affected area. Core applications are deployed to an N+1 standard, so that in the event of a data center failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.

Network security

Dedicated security members

Canapii has dedicated IT employees and security consultants in place to monitor, improve and respond.

Third-party penetration tests

Third-party penetration tests are conducted at least twice per year and typically quarterly. Discovered vulnerabilities are validated to determine the overall risk they pose, and Canapii has a vulnerability remediation procedure in place to track findings through to remediation.

Threat detection

Canapii leverages threat detection services within AWS to continuously monitor for malicious and unauthorised activity.

Vulnerability scanning

We perform regular internal vulnerability scans of our infrastructure. Where issues are identified, they are tracked until remediated.

DDoS mitigation

Canapii utilizes native AWS tools and application-specific mitigation techniques.

Network Access controls

Network and system access follows the least-privilege model described above: privileged rights are restricted, controlled and not provided by default, are granted only on explicit written request from Canapii Senior Management, and are documented by the system owner. Canapii’s IT Department guards against issuing privileged rights to entire teams to prevent potential losses of confidentiality and/or integrity. Two-factor authentication is required for all production systems.

Encryption

In Transit

Communication to and from Canapii over public networks is encrypted with TLS 1.2 or higher. We follow current leading practice for cipher-suite selection and TLS configuration.
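A "TLS 1.2 or higher" statement is only as good as the protocol floor and cipher list actually configured, so a practitioner typically encodes the policy and audits the configuration against it. The following is an added example for this page, not Canapii's configuration: it uses Python's ssl module to build a hardened client context (TLS 1.2 minimum, forward-secret AEAD suites only; the cipher string is an assumed hardening choice) and an audit function that reports legacy-protocol suites, non-AEAD (CBC/HMAC) suites, non-forward-secret key exchange and a protocol floor below 1.2. A deliberately weak context is included so the audit has something to flag. It runs offline against the local OpenSSL build.

```python
"""Hardened TLS client configuration and a policy audit with Python's ssl module.

Added example, not Canapii's configuration: the cipher string and policy are an
illustration of current common practice (TLS 1.2 minimum, forward-secret AEAD
suites only). It runs offline against the local OpenSSL build.
"""
import ssl

# Assumed hardening policy: ECDHE key exchange with AEAD bulk ciphers only, no
# anonymous or NULL suites. OpenSSL offers its TLS 1.3 suites regardless of this
# string; they are all forward-secret AEAD suites and pass the audit below.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL"


def hardened_context():
    """Client context: certificate and hostname verification on, TLS >= 1.2,
    forward-secret AEAD suites only."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def legacy_context():
    """Deliberately weak context for comparison: lowest protocol version the
    OpenSSL build allows and its DEFAULT cipher list, which still contains
    CBC/HMAC suites and static-RSA key exchange."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.set_ciphers("DEFAULT")
    return ctx


def audit(ctx):
    """Check a context against the policy; returns a list of findings
    (an empty list means compliant)."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol version is {ctx.minimum_version.name}; require TLSv1_2")
    for cipher in ctx.get_ciphers():
        name = cipher["name"]
        if cipher["protocol"] not in ("TLSv1.2", "TLSv1.3"):
            findings.append(f"{name}: suite from legacy protocol {cipher['protocol']}")
        if not cipher["aead"]:
            findings.append(f"{name}: not an AEAD suite (CBC/HMAC)")
        # TLS 1.3 suites (TLS_*) always use an ephemeral key exchange.
        if not name.startswith(("ECDHE-", "DHE-", "TLS_")):
            findings.append(f"{name}: no forward secrecy")
    return findings


if __name__ == "__main__":
    print("hardened:", audit(hardened_context()) or "compliant")
    legacy_findings = audit(legacy_context())
    print(f"legacy: {len(legacy_findings)} findings, first few:")
    for finding in legacy_findings[:8]:
        print("  ", finding)
```

The same `audit()` can be pointed at a server-side context to check what a deployment actually offers; the hardened context returns no findings, while the legacy one is flagged at least for its protocol floor and, on a typical OpenSSL build, for every CBC and static-RSA suite in the DEFAULT list.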

At Rest

Canapii’s data is encrypted at rest with industry standard AES-256 encryption.

Certifications

Canapii uses AWS for data center hosting. AWS data centers are certified as ISO 27001 and PCI DSS Service Provider Level 1 compliant and are covered by SOC 1 and SOC 2 reports.

Canapii outsources its cardholder data functions to a PCI DSS Level 1 service provider. A copy of our SAQ-A is available on request.

Canapii is audited regularly by third-party security assessor CyberGRX to assess its vulnerabilities and continually improve its posture. Canapii is in the process of becoming Cyber Essentials Plus certified.

Third party security

Third party sub processors

Canapii works with third parties to improve the services and products it provides to you, to provide core infrastructure and to support its processes. Canapii understands the risks of poorly managed third-party relationships, and all vendors Canapii works with are evaluated in line with Canapii’s Vendor Management Policy.

Third party     Location         Service                                                               DPA
Amazon AWS      EU (IE)          Application hosting and data storage
Papertrail      US               Log management and monitoring
Zoom            US, EU, HK       Video conferencing SDK
Stripe          EU & US          Payment processing                                                    On request
HubSpot         AWS (EU & US)    Sales, marketing and services CRM
Chargify        US               Subscription management and invoicing                                 On request
Microsoft 365   EU               Internal collaboration, SharePoint, emails, and Office applications
Asana           EU               Project management

Contacting Canapii

If you have any specific concerns or questions about Canapii security, please contact info@canapii.com with reference ‘Security001Can’.

Any grievance or complaint in relation to the processing of information should be sent to Canapii at info@canapii.com. Grievances will be addressed as expeditiously as possible. We would appreciate the chance to deal with your concerns before you approach any formal information security body, so please contact us first.