Skip to content

Security & Trust Overview

Canvas Software runs a browser-based Platform-as-a-Service on which your builders create and operate their own applications. The platform and your data are hosted exclusively in Germany, isolated per tenant, and encrypted at rest and in transit. This overview explains how we protect your data and where your responsibilities begin.

For the legal specifics, see our Privacy Policy (the data we process as controller: your website and account data) and our Data Processing Agreement (AVV / DPA) (the personal data your applications process, where you are the controller and Canvas Software is the processor).

  • Your personal data and the data your applications store and process stay exclusively in Germany (EU/EWR). There is no US data residency for your data.
  • Infrastructure hosting is provided by a single sub-processor in Germany (named in the DPA’s sub-processor annex). A second EU provider is reserved for customers subject to DORA and is activated only after prior notice.
  • No third-country transfer of the personal data your applications process. Standard Contractual Clauses or an adequacy decision are therefore not required for this processing.
  • One exception concerns AI source-code generation, not your data. The AI coding assistant may route code-generation workloads to an LLM provider outside the EU (for example in the US), alongside EU/Germany-hosted providers, self-hosted open-weight and open-source models, and Canvas Software’s own models. Only source code and build artifacts are involved, never your personal data (see “AI data handling”).

Isolation is the same across development, staging, and production environments:

  • Hardware-virtualization isolation per workload: each workload runs in its own virtualization-isolated sandbox, so a compromise stops at the virtualization boundary.
  • Separate namespaces per organization. Security policies (mandatory sandboxing, least-privilege, namespace isolation) are enforced automatically — a non-compliant workload is rejected before it runs, not merely detected afterward.
  • Default-deny network policies per tenant: workloads cannot reach each other unless explicitly allowed.
  • Production environments additionally receive dedicated, separately provisioned, isolated database, cache, and object-storage services.
  • At rest: disk encryption (AES-256) with network-bound key release (NBDE). Disks removed from the network cannot be decrypted.
  • In transit: TLS for all public-facing services; all internal traffic between hosts runs over an encrypted, WireGuard-based network overlay.
  • No public exposure of internal systems: servers are reachable only through the encrypted overlay, not directly from the public internet.
  • Role-based access control following the principle of least privilege, with central identity management (OIDC).
  • Multi-factor authentication on the central infrastructure and administration systems.
  • No shared administrator accounts. Privileged access uses dedicated, fully encrypted company devices with strong authentication and automatic screen lock.
  • Credentials and secrets are stored encrypted in a password manager or secrets vault, never in clear text.
  • Runtime threat detection with automated response — suspicious activity triggers automatic containment, including termination of the offending workload.
  • Audit logs for administrative and privileged actions.
  • Log retention: access logs 30 days, security and audit logs 90 days.
  • Continuously monitored operation with alerting.
  • Production environments are backed up automatically to a central backup system, with off-site copies kept in Germany.
  • Backups are encrypted with per-tenant keys and kept separated per tenant with restricted access.
  • Development and staging environments are not backed up automatically. By design: keep data that needs a backup in a production-grade environment.
  • A dedicated backup infrastructure is available as an Enterprise option.
  • You keep full control over and access to your application and its data at all times (access, export, deletion at application level). No lock-in.
  • At the end of a project, engagement, or hackathon, your production data is deleted by tearing down the tenant environment. In backups, the data becomes unreadable through cryptographic erasure (destroying the tenant-specific key) and through expiry of the retention periods.
  • Deletion or return is documented and evidenced on request.
  • We maintain a process to detect and respond to security incidents.
  • If a personal-data breach occurs within our processing scope, we notify you without undue delay, and at the latest within 48 hours of becoming aware of it, and we support you in meeting your notification duties.
  • Security and data-protection contact: support@canvas.software.

The platform’s AI coding assistant is built so that your production personal data never reaches a model:

  • The assistant processes your code, schemas, configuration, and build/test artifacts, not the personal data your application processes in production.
  • Real personal data must stay out of development environments, where the assistant operates. This is a contractual requirement.
  • Because no personal data from your applications is sent to a model, the model’s hosting location or provider (including a provider outside the EU) means no transfer of your personal data.
  • Code-generation workloads are routed across a mix of models (EU/Germany-hosted providers, self-hosted open-weight and open-source models, and Canvas Software’s own models), and may use a provider outside the EU for some workloads. In every case, only code and build artifacts are sent, never your personal data.
  • The LLM providers we use are contractually prohibited from training their models on your code or content.
  • Processing personal data with AI inside your own application is your design choice and your responsibility as controller.

Security is a shared model:

  • Canvas Software secures the platform and the underlying infrastructure (the measures above).
  • You secure the application you build: application-level access control, the lawful basis for your processing, and pseudonymization or minimization of the data you process. Keep real personal data in production-grade environments.

By default the platform is scoped to ordinary personal data. Processing special categories (Art. 9 GDPR) or criminal-conviction data (Art. 10 GDPR) requires a dedicated module to the DPA, with stricter measures, available under an Enterprise master agreement (Rahmenvertrag).

For security questionnaires, due-diligence requests, or documentation under NDA, contact support@canvas.software.