Trust & Security

Security Practices

How Canny Technologies protects your code, data, and infrastructure — from secure development lifecycle to production monitoring and incident response.

Zero data breaches across 230+ client projects since 2019

Security Certifications & Alignments

AWS Partner
Certified AWS partner with access to security best practice guidance
ISO 27001 Alignment
Internal security controls aligned with ISO 27001 information security standard
HIPAA BAA Ready
Business Associate Agreements available for US healthcare clients
GDPR Compliant Operations
Data processing agreements available; EU data residency supported
DPDP Act Compliant
Compliance with India's Digital Personal Data Protection Act, 2023 for Indian client data
SOC 2 Type II Readiness
Controls mapped to SOC 2 Trust Service Criteria; formal audit in progress

Our Six Security Pillars

Secure Software Development Lifecycle

  • Threat modelling during architecture phase for every project
  • OWASP Top 10 review checklist on every PR
  • Mandatory code review by senior engineer before merge
  • Static analysis (SonarQube, ESLint security rules) in CI pipeline
  • Dependency vulnerability scanning (Snyk, npm audit) on every build
  • Secrets detection pre-commit hook (GitLeaks) — no API keys in code

Data Protection & Encryption

  • AES-256 encryption at rest for all client data on AWS/GCP
  • TLS 1.3 mandatory for all data in transit
  • Column-level encryption for PII (email, phone, financial data)
  • Encryption keys managed via AWS KMS or HashiCorp Vault — never in code
  • Database backups encrypted with separate key material
  • Client data logically isolated — no cross-client data access possible

Access Control & Authentication

  • Zero-trust network architecture — no implicit trust between services
  • MFA enforced for all internal developer accounts
  • Role-based access control on all client project repositories
  • Principle of least privilege: developers can access only the data of projects they are assigned to
  • SSH keys required for server access — no password auth
  • VPN required for internal tooling access

Penetration Testing & Audits

  • Annual third-party VAPT (Vulnerability Assessment & Penetration Testing)
  • Per-project pen test for HIPAA, FinTech, and government projects
  • OWASP ZAP automated scanning against staging environments in the CI pipeline
  • Third-party security review available on client request
  • All findings tracked in security backlog with SLA for resolution
  • Security testing sign-off required before production launch

Infrastructure Security

  • All client infrastructure deployed in isolated AWS/GCP accounts
  • VPC with private subnets — no direct internet access to data layer
  • WAF (CloudFront + AWS WAF) on all public-facing applications
  • CloudTrail records all AWS API calls; CloudWatch collects application and infrastructure logs
  • Amazon GuardDuty enabled for threat detection
  • Infrastructure-as-code (Terraform) — no manual console changes in production

Incident Response

  • Documented incident response plan: detection → containment → eradication → recovery
  • 24-hour SLA for critical security incident notification to client
  • Post-incident root cause analysis shared with client
  • Immutable audit logs retained for a minimum of 12 months
  • Regular tabletop exercises to test incident response readiness
  • Zero security incidents resulting in data breach across 230+ projects

Code Ownership & IP Protection

What we sign before work begins

  • Mutual NDA covering all technical and business information
  • IP assignment clause — all work product vests in the client
  • BAA for HIPAA-covered US healthcare clients
  • DPA for GDPR-covered EU and UK clients
  • Data processing agreement aligned to DPDP Act for Indian clients

Code ownership practices

  • Client owns the repository from day one
  • No proprietary Canny libraries forced into client code
  • Full code handover with no lockout on termination
  • All third-party licences documented for client review
  • Open-source components used only under permissive licences (MIT, Apache 2.0)

Responsible Disclosure

If you discover a security vulnerability in any Canny Technologies-built system or our own infrastructure, please report it responsibly.

Security email: [email protected]

PGP key: Available on request

Response SLA: 4 business hours for acknowledgement; 72 hours for initial assessment

Scope: cannytechnology.com and client systems where Canny has active engagements
