GoCanvas Security Statement
Introduction
Our mission at GoCanvas is to simplify our customers’ lives by giving them the tools necessary to eliminate wasteful spending and reinvest in productivity. We believe protecting your data is one of our most important responsibilities, and are committed to being open and transparent about our security practices.
Canvas Solutions Inc. provides the GoCanvas SaaS product as a robust platform that equips GoCanvas customers with a stable, highly available, and secure solution to submit, store, and access data at all times. GoCanvas offers these capabilities across the mobile and hosted infrastructure of the GoCanvas product.
Access
At GoCanvas, we adhere to the principles of least privilege and rolebased permissions. Employees are only authorized to access data that they must handle to fulfill their current tasks or responsibilities. All production access is reviewed quarterly through automated and manual processes.
Sensitive Data Handling
The GoCanvas product is primarily self-serve, so customers can control the data collected using the GoCanvas platform. Following best practices such as encryption-at-rest and encryption-in-transit, GoCanvas ensures that collected data is handled securely. In addition to these best practices, GoCanvas implements several additional security measures to make sure data is handled appropriately, including:
- Security training for all employees
- GDPR/privacy training for all employees
- HIPAA training for all employees
- Least responsibility model for all employees
- Background checks for employees with infrastructure access
Sensitive Data Handling
GoCanvas is built on a highly available web application architecture utilizing best practices to achieve high availability, fault tolerance, and scaling capability to meet future demands. The GoCanvas hosting environment and physical hardware are currently provided by Amazon Web Services Cloud Computing Services (AWS).
AWS security processes and practices are detailed in several white papers, reports, and certifications. These are available via the AWS security section of the AWS product website and can be found at http://aws.amazon.com/security/.
GoCanvas maintains two separate infrastructures. One infrastructure is for https://www.gocanvas.com, which is hosted in a data center in the US., and the other is for https://au.gocanvas.com, which is hosted in a data center in Australia.
Customer data does not flow between the two infrastructures. Within both regions, the hosting architecture, failover methodology, monitoring, and security are all held to the same standards, which follow best practices. In addition, AWS maintains the same infrastructure and operating protocols across all regions. Availability is monitored by a third party and available for review at https://status.gocanvas.com/.
Disaster Recovery and Failover
GoCanvas leverages best practices for failover and recovery to ensure data integrity and service continuity. GoCanvas is hosted across several physical data centers to provide redundancy for each architecture component within the GoCanvas application stack. The data centers are located within different locations, separated by enough geographic distance to be isolated from any locally specific issues but close enough not to incur any latency issues when communicating between the regions. This availability is accomplished by leveraging several AWS availability zones within the relevant regions to support the GoCanvas infrastructure.
Configuration Management
GoCanvas employs industry best practices regarding software development (including source control, automated builds, and peer reviews) to ensure that change management and configuration management are performed consistently and securely. The GoCanvas software is developed and managed through a change management system, which is then versioned, built, and deployed automatically. By utilizing automated systems wherever possible, risk and potential downtime are minimized. In addition, the automated systems can roll back software deployments in worst-case scenarios.
Monitoring
The GoCanvas infrastructure has embedded monitoring tools at key points to evaluate performance and availability 24 hours a day, 7 days a week. When any performance metric is outside of operational bounds, a notification is sent to the appropriate team based on the severity and type of deviation. This allows GoCanvas to react to problems and proactively address potential issues.
Backups and Data Redundancy
The GoCanvas operational data store is replicated in near real time to multiple data centers. If needed, this allows us to recover in real time to a backup data center to ensure the system’s availability and the integrity of your data.
In addition, the complete operational data store is fully backed up nightly and isolated from the production environment. This added layer helps ensure data integrity for GoCanvas customers. GoCanvas customer data is retained in backups for 90 days. This is a balance between our security, recovery, and privacy concerns. After the retention period, data is automatically removed from our backup infrastructure.
Authentication, Authorization, and Logging
All access to GoCanvas servers and infrastructure is governed by the principle of least privilege, where only personnel who absolutely need access have it. Where appropriate, access is granted on a limited-time basis for personnel to execute a specific task, after which point it is revoked.
All access and remote file transfers always leverage industry-standard Transport Layer Security (TLS) version 1.2 or greater protocols to create a secure connection for data in transit. All access to the GoCanvas infrastructure is centrally logged and regularly reviewed for policy and procedural violations.
All remote web browser access to the GoCanvas website, which may display sensitive and authorization information, must be accessed via HTTPS using TLS version 1.2 or greater. All access to the GoCanvas website and specific user information is logged and regularly reviewed for policy and procedural violations.
Account Security
GoCanvas secures credentials using industry best practices, including salting and hashing authentication passwords stored within the GoCanvas product. Within their account settings, GoCanvas customers also have the ability to configure password complexity, expiration, and lockout preferences for their GoCanvas account. In addition, GoCanvas integrates with both LDAP and SAML protocols for leveraging external authentication when desired by our customers.
More information regarding password settings can be found in our password help topic: https://help.gocanvas.com/
hc/en-us/articles/115006654407-How-toadd-advanced-security-requirements-forpasswords
More information regarding LDAP can be found in our LDAP help topic: https://help.gocanvas.com/hc/en-us/
articles/115006830428-How-to-enableLDAP-authentication
More information regarding SAML can be found in our SAML help topic: https://help.gocanvas.com/hc/en-us/ articles/360000529108-How-to-enableand-configure-SSO
GoCanvas Network Security
GoCanvas servers reside behind a complete firewall solution, with all access defaulting to deny incoming traffic. Only the minimum necessary protocols and traffic are allowed access to the GoCanvas environment. Any changes to the firewall configuration require the appropriate access level and validation via the GoCanvas change management process. This validation prevents unauthorized access or modification of GoCanvas firewall rules. All firewall changes are reviewed by the security team every month and are analyzed by automated tooling.
Encrypted communication is required for all access to GoCanvas over a network interface—including access via the GoCanvas website and access via mobile device—to protect sensitive information.
GoCanvas Infrastructure Security
Our server infrastructure is a highly maintained and monitored environment. We follow best practices regarding real-time monitoring, security patching, and user access. All servers are integrated with an internal Intrusion Detection System (IDS) that monitors all changes and access to the environments.
Security patching is scheduled based on standardized threat levels (CVE).
| Patch Type | Description | Interval |
| Standard | Updated local packages that do not include a HIGH threat rating | Applied to all environments no less than quarterly. |
| Critical | CVE rating HIGH/CRITICAL | Immediately applied to test environments and applied to production after successful testing. |
GoCanvas Data Security
All user-supplied information is encrypted using the industry-accepted AES encryption algorithm before being written to any permanent data storage (data-at-rest encryption). All backups and replication of the GoCanvas data store are also encrypted in the same manner.
All data stored by the GoCanvas client, whether read from the GoCanvas server or entered by a user, is encrypted using AES encryption before being stored on disk. The encryption algorithms utilized vary by device. The current algorithms are:
| Client | Algorithm |
| Windows | AES 256 |
| iOS | AES 256 |
| Android | AES 128 |
| AWS | AES 256 |
All communication with the GoCanvas server infrastructure is secured by 256- bit TLS (currently 1.2), which cannot be disabled by a user of the GoCanvas client (data-in-transit encryption).
User-defined GoCanvas Data Security
In addition to the security controls enabled across the GoCanvas product, GoCanvas customers can also choose to enable HIPAA compliance controls for a specific account. This feature sets a compliant user-idle timeout and automatically logs the user out of the system. The feature also restricts the saving of passwords on user devices to comply with HIPAA.
These controls are in place to prevent unauthorized data access if a mobile device is lost or a terminal is left unattended. In addition, GoCanvas disables all in-application email capabilities for accounts specified as being HIPAA-compliant.
More information regarding our HIPAA compliance settings can be found in our HIPAA help topic:
https://help.gocanvas.com/hc/en-us/articles/115006594307-Is-GoCanvasHIPAA-compliant
Email Security
GoCanvas utilizes Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to provide email security. GoCanvas’ default email settings comply with SPF and DKIM standards, allowing customers to implement Domain-based Message Authentication Reporting and Conformance (DMARC) policies that quarantine or reject unauthenticated emails. GoCanvas also provides support for customers to set up DKIM when using a Custom Sender Email Address by adding a special digital signature to the outgoing emails, verifying that an email is from GoCanvas and hasn’t been altered during transit. This prevents attackers from sending fake emails that appear to come from your domain, protecting you from scams and ensuring the integrity of email communication.
More information regarding Custom Sender Email Addresses can be found in our Custom Sender Email Address help topic: https://help.gocanvas.com/hc/en-us/articles/115006847468-How-to-Setup-aCustom-Sender-Email-Address
More information regarding SPF, DKIM, and DMARC can be found in our email delivery help topic: https://help.gocanvas.com/hc/en-us/articles/23669436217751-How-To-EnsureGoCanvas-Email-Delivery
Incident Response
GoCanvas maintains security management policies and procedures following current best practices. These processes and procedures are overseen by the Chief Technology Officer and are tested on an annual basis. These policies provide a framework for communication, classification, and resolution of incidents. As part of this process, we create possible attack scenarios based on our experience, the external threat environment, and threat intelligence to simulate and test our controls. These scenarios include but are not limited to data exfiltration, vulnerability remediation, unauthorized access to integrated systems, and zeroday response.
Vulnerability Management/Risk Management
At GoCanvas, the security of our products, infrastructure, and customer data is a top priority. We leverage different systems, technologies, and processes to identify, mitigate, and respond to vulnerabilities. To ensure the security of customer data, GoCanvas has invested in the following capabilities:
- Regular penetration tests performed by external third parties
- Dynamic Application Security Testing (DAST)
- Static Application Security Testing (SAST)
- Software Composition Analysis (SCA)
- Library and operating system vulnerability scanning
ChangeManagement
GoCanvas maintains a change management process for production releases and changes, which includes a defined Software Development Life Cycle (SDLC) that incorporates documentation and ticketing associated with every software change. This formalized process reduces the risk of mistakes, unintentional interactions, and vulnerabilities in our code base. Additionally, GoCanvas implements a rigorous QA process with segmented environments for testing, validation, and sign-off before production releases occur. Infrastructure changes and updates follow a change control process, allowing proper checks and balances. This lets us quickly diagnose any erroneous system behavior then identify and correct the cause.
Policies
SOC 2 Compliance
GoCanvas has completed an independent audit for SOC 2 Type 2 compliance. This verification ensures that our controls and processes meet the highest security, availability, processing integrity, and confidentiality standards. GoCanvas uses SOC 2 compliance to manage risks, prevent data breaches, and keep GoCanvas highly available. GoCanvas’ SOC2 report and other resources are available in our Trust Center.
Trust Center
GoCanvas maintains a Trust Center that provides our customers with information and resources about our security practices, compliance measures, and privacy policies. Within the Trust Center, customers can view the state of our security controls, review GoCanvas’ subprocessors, and access other security documentation, including our SOC2 report.