Security
Last updated: March 19, 2026
Our Commitment
At Kanvas, security is foundational to everything we build. Your team trusts us with critical project data, conversations, and documents — and we take that responsibility seriously. This page outlines the measures we take to protect your data and keep your workspace secure.
Infrastructure Security
- Cloud hosting: Kanvas is hosted on enterprise-grade cloud infrastructure with automatic scaling, redundancy, and disaster recovery capabilities.
- Network security: All traffic is routed through firewalls and DDoS protection. Internal services communicate over private networks with strict access controls.
- Geographic redundancy: Data is replicated across multiple availability zones to ensure high availability and resilience.
- Monitoring: 24/7 infrastructure monitoring with automated alerting for anomalies, performance degradation, and potential security incidents.
Data Encryption
- In transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3. We enforce HTTPS on all connections and use HSTS headers.
- At rest: All stored data, including database records, file attachments, and backups, is encrypted using AES-256 encryption.
- Key management: Encryption keys are managed through secure key management services with automatic rotation and access logging.
Application Security
- Authentication: Secure authentication with support for email/password, Google OAuth, and GitHub OAuth. Passwords are hashed using bcrypt with appropriate cost factors.
- SSO and SAML: Enterprise plans support Single Sign-On (SSO) and SAML 2.0 for centralized identity management.
- Row-level security (RLS): Our database enforces row-level security policies ensuring users can only access data within their authorized workspaces.
- Session management: Secure, HttpOnly cookies with strict SameSite policies. Sessions expire after inactivity and can be revoked remotely.
- Input validation: All user inputs are validated and sanitized on both client and server to prevent injection and request-forgery attacks (SQL injection, XSS, CSRF).
- Rate limiting: API endpoints are rate-limited to prevent abuse and brute-force attacks.
Multi-Tenant Data Isolation
Kanvas uses a multi-tenant architecture with strict workspace isolation:
- Every database query is scoped to the authenticated user's workspace through row-level security policies.
- Workspace data is logically isolated — no workspace can access another workspace's data under any circumstances.
- File storage is organized by workspace with separate access controls.
- API requests are authenticated and authorized at every layer before data is returned.
AI Security
Our AI features are designed with security and privacy at the core:
- No model training on your data: Your workspace content is never used to train AI models. Data sent to AI providers (Anthropic, OpenAI) is used solely for real-time processing and is not retained.
- Scoped context: AI requests only include data from the current workspace and are scoped to the user's permissions.
- Data minimization: We send the minimum context necessary for each AI request to reduce exposure.
- Opt-out available: AI features can be fully disabled at the workspace level.
Access Controls
- Role-based access: Workspace members are assigned roles (Owner, Admin, Member, Guest) with granular permissions for projects, channels, and documents.
- Principle of least privilege: Internal team access to production systems is restricted to essential personnel with just-in-time access.
- Audit logging: All administrative actions, permission changes, and sensitive operations are logged with timestamps and actor identification.
- Employee access: Kanvas employees do not access customer workspace data unless explicitly authorized by the customer for support purposes.
Backup and Recovery
- Automated backups: Full database backups are performed daily with point-in-time recovery capability.
- Backup encryption: All backups are encrypted at rest using AES-256.
- Recovery testing: Backup restoration procedures are tested regularly to ensure data can be recovered in the event of an incident.
- Retention: Backups are retained for 30 days.
Vulnerability Management
- Dependency scanning: Automated scanning of all third-party dependencies for known vulnerabilities, with alerts for critical updates.
- Code review: All code changes undergo peer review before deployment, with security-focused review for sensitive areas.
- Penetration testing: Regular third-party penetration testing to identify and address potential vulnerabilities.
- Responsible disclosure: We welcome security researchers to report vulnerabilities to security@getkanvas.ai. We commit to acknowledging reports within 48 hours and providing updates on remediation.
Incident Response
We maintain a documented incident response plan that includes:
- Defined roles, escalation procedures, and communication protocols.
- Notification of affected customers within 72 hours of discovering a confirmed data breach, in accordance with GDPR and applicable regulations.
- Post-incident review and root cause analysis to prevent recurrence.
- Transparent communication about the incident, its impact, and remediation steps.
Compliance
- GDPR: We comply with the General Data Protection Regulation. See our GDPR Compliance page for details.
- Data Processing Agreements: Available for enterprise customers upon request.
- SOC 2: We are working toward SOC 2 Type II certification.
Contact Us
If you have security concerns, want to report a vulnerability, or have questions about our security practices, please contact us:
- Email: security@getkanvas.ai
- For urgent security issues, include "URGENT" in the subject line.