Security & Trust

How Canopy handles your data.

Plain-language answers about the infrastructure, access controls, and data practices behind Canopy.

Built on certified platforms.

Canopy runs on established managed-cloud providers whose security controls — physical data centers, access management, monitoring, and incident response — are independently audited against recognized standards such as SOC 2 Type II.

Canopy does not operate its own data centers or bare-metal servers. Specific provider details are available on request as part of a security review.

In transit and at rest.

All traffic between your browser and Canopy is encrypted in transit with TLS.

Stored data is encrypted at rest using industry-standard encryption provided by our managed-database platform. No unencrypted copies of your data are written to disk outside that managed environment.

Each community's data is kept separate.

Canopy enforces per-community isolation at the database level — not just in application code. These controls prevent any query from returning records belonging to another community. Even if application code contained a bug, the database itself would reject cross-community reads.

This isolation applies to leads, event data, photos, reviews, and all other records tied to a community.

OAuth and strong password hashing.

Users sign in through OAuth — meaning your credentials are verified by your identity provider, not stored in Canopy. We never see your sign-in password.

For accounts using a Canopy-managed password, passwords are protected with a strong, deliberately slow hashing algorithm designed to resist brute-force attacks before being written to the database. Plaintext passwords are never stored.

Prospect and resident contact information.

To power lead tracking and inquiry management, Canopy stores personally identifiable information (PII) submitted by prospects and their families: names, email addresses, and phone numbers. This data is tied to the community that received the inquiry and is subject to the tenant-isolation controls described above.

Canopy does not collect financial information, Social Security numbers, or health records.

Your data belongs to you.

The data you bring into Canopy — community details, leads, events, photos, and content — remains yours. You can request a full export or deletion of your community's data at any time by contacting us.

You own your data. You can request an export or deletion of your community's data at any time, and we'll honor it.

Categories of services that process your data.

Canopy relies on a small set of established service providers to deliver its service, grouped by role below. A current, named subprocessor list is available on request as part of a security review.

CategoryPurpose
Cloud hosting & deliveryRuns the application and serves it to your browser
Managed databaseStores your community's data
Identity & analyticsSign-in, business-profile data, and usage analytics
Call trackingCall attribution and lead tracking
AI image generationAI-assisted flyer and content image creation

Where we are — and where we're headed.

LiveToday
  • Certified infrastructure

    Hosted on established managed-cloud providers audited against recognized standards such as SOC 2 Type II.

  • Database-enforced tenant isolation

    Per-community data boundaries are enforced at the database layer, not just in application code.

  • Encryption in transit and at rest

    All traffic is protected by TLS, and stored data is encrypted at rest using industry-standard encryption.

  • Secure authentication

    Sign-in via OAuth. Canopy-managed passwords are protected with strong, slow hashing — never stored in plaintext.

PlannedPlanned
  • Independent penetration test

    We plan to commission a third-party penetration test of the Canopy application layer.

  • Security questionnaire (CAIQ-Lite)

    We plan to publish a CAIQ-Lite security questionnaire response, available on request.

RoadmapLater
  • SOC 2 (Canopy own audit)

    We plan to pursue a SOC 2 audit of Canopy as a product. We rely on our certified infrastructure partners in the meantime.

Need our security brief, subprocessor list, or questionnaire?

Reach out through the demo form and mention your security review needs. We'll respond directly and can provide additional documentation on request.

Contact us

To report a security vulnerability, please include “security” in your message subject.