Security
We take security seriously. Here's how we protect your data, your content, and your account.
All data is encrypted in transit (TLS 1.3) and at rest (AES-256). API keys are stored using one-way hashing. Generated content is encrypted in object storage.
Role-based access control (RBAC) for team accounts. SSO/SAML for Enterprise. MFA available for all users. API keys are scoped with granular permissions.
Generation workloads run on US-based infrastructure. Enterprise customers can choose data residency regions (US, EU, APAC). No data is stored in countries not specified by the customer.
Hosted on SOC 2 Type II certified cloud providers. Isolated compute environments for Enterprise. Network-level DDoS protection. 99.9% uptime SLA for Enterprise.
Generated content is retained for 30 days by default, then permanently deleted. Enterprise customers can customize retention periods (7 days to indefinite). Users can delete content immediately at any time.
24/7 automated monitoring for all production systems. Anomaly detection for abuse patterns. Security incidents escalated within 15 minutes. Post-incident reports published within 72 hours.
Our compliance program is designed to meet the requirements of the most demanding enterprise customers.
Audit started Q1 2026, expected completion Q3 2026.
EU data processing agreement available. DPO appointed.
California consumer rights honored. Opt-out available.
Canvas Labs does not process protected health information.
Certification planned for Q4 2026.
If you discover a security vulnerability, we want to know about it. We operate a responsible disclosure program and will work with you to understand and address the issue.
Report vulnerabilities to security@canvaslabs.us
We acknowledge reports within 24 hours
No legal action against good-faith security researchers
Enterprise customers get additional security features including dedicated infrastructure, custom data retention, SSO/SAML, audit logs, and a dedicated security contact.