Security & Trust
How Canopy handles your data.
Plain-language answers about the infrastructure, access controls, and data practices behind Canopy.
Infrastructure
Built on certified platforms.
Canopy runs on established managed-cloud providers whose security controls — physical data centers, access management, monitoring, and incident response — are independently audited against recognized standards such as SOC 2 Type II.
Canopy does not operate its own data centers or bare-metal servers. Specific provider details are available on request as part of a security review.
Encryption
In transit and at rest.
All traffic between your browser and Canopy is encrypted in transit with TLS.
Stored data is encrypted at rest using industry-standard encryption provided by our managed-database platform. No unencrypted copies of your data are written to disk outside that managed environment.
Tenant isolation
Each community's data is kept separate.
Canopy enforces per-community isolation at the database level — not just in application code. These controls prevent any query from returning records belonging to another community. Even if application code contained a bug, the database itself would reject cross-community reads.
This isolation applies to leads, event data, photos, reviews, and all other records tied to a community.
Authentication
OAuth and strong password hashing.
Users sign in through OAuth — meaning your credentials are verified by your identity provider, not stored in Canopy. We never see your sign-in password.
For accounts using a Canopy-managed password, passwords are protected with a strong, deliberately slow hashing algorithm designed to resist brute-force attacks before being written to the database. Plaintext passwords are never stored.
What we store
Prospect and resident contact information.
To power lead tracking and inquiry management, Canopy stores personally identifiable information (PII) submitted by prospects and their families: names, email addresses, and phone numbers. This data is tied to the community that received the inquiry and is subject to the tenant-isolation controls described above.
Canopy does not collect financial information, Social Security numbers, or health records.
Data ownership
Your data belongs to you.
The data you bring into Canopy — community details, leads, events, photos, and content — remains yours. You can request a full export or deletion of your community's data at any time by contacting us.
You own your data. You can request an export or deletion of your community's data at any time, and we'll honor it.
Subprocessors
Categories of services that process your data.
Canopy relies on a small set of established service providers to deliver its service, grouped by role below. A current, named subprocessor list is available on request as part of a security review.
| Category | Purpose |
|---|---|
| Cloud hosting & delivery | Runs the application and serves it to your browser |
| Managed database | Stores your community's data |
| Identity & analytics | Sign-in, business-profile data, and usage analytics |
| Call tracking | Call attribution and lead tracking |
| AI image generation | AI-assisted flyer and content image creation |
Security roadmap
Where we are — and where we're headed.
Certified infrastructure
Hosted on established managed-cloud providers audited against recognized standards such as SOC 2 Type II.
Database-enforced tenant isolation
Per-community data boundaries are enforced at the database layer, not just in application code.
Encryption in transit and at rest
All traffic is protected by TLS, and stored data is encrypted at rest using industry-standard encryption.
Secure authentication
Sign-in via OAuth. Canopy-managed passwords are protected with strong, slow hashing — never stored in plaintext.
Independent penetration test
We plan to commission a third-party penetration test of the Canopy application layer.
Security questionnaire (CAIQ-Lite)
We plan to publish a CAIQ-Lite security questionnaire response, available on request.
SOC 2 (Canopy own audit)
We plan to pursue a SOC 2 audit of Canopy as a product. We rely on our certified infrastructure partners in the meantime.
Security contact
Need our security brief, subprocessor list, or questionnaire?
Reach out through the demo form and mention your security review needs. We'll respond directly and can provide additional documentation on request.
To report a security vulnerability, please include “security” in your message subject.