See previous versions of this and other policies in our Policy Archives.
This Statement of Technical and Organisational Measures is incorporated by reference into our Data Processing Addendum. It describes the minimum security standards that Canva applies to the Canva Services under the Subscription Service Agreement. Capitalised terms used but not defined in this Statement of Technical and Organisational Measures have the meanings in the Data Processing Addendum, including “Data” (which for the avoidance of doubt is limited to enterprise customer data, unless otherwise specified in your agreement with us).
1. Measures of pseudonymisation and encryption of personal data
Canva encrypts Data transmitted between customers and the Canva application over public networks using TLS 1.2 or higher. Customer Data stored on Canva’s servers is encrypted using AES 256 or stronger.
2. Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
Canva has personnel responsible for oversight of security and privacy. It has appointed Heads of Security, Privacy and Data, together with an Information Security Committee that meets quarterly to discuss privacy and security risks managed in its risk registers.
3. Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
In order to support availability of the service, Canva utilises Amazon Web Services (AWS) auto scaling, AWS availability zones, extensive application and infrastructure monitoring, and 24x7 application support rosters.
Canva maintains backups of the data stores, including Customer Data, that support the core functionalities of the Canva application. Backups are stored in a location geographically-separated from the primary data storage location.
Canva maintains a security incident response capability that includes a documented Personal Data Incident Response Plan for security incidents involving Data. This defines how we contain, respond, assess, communicate incidents, as well as roles and responsibilities of Canva personnel and a requirement for post-incident reviews.
4. Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
Canva engages a specialist third-party security tester to perform an annual penetration test of its application and infrastructure. Canva also employs a third-party application vulnerability scanning service and runs a public bug bounty program.
5. Measures for user identification and authorisation
Where a Customer’s account contains a password for authentication, Canva stores the password salted and hashed using an industry-standard password hashing function. Canva supports Single Sign On (SSO) integration with a customer identity provider using Security Assertion Markup Language (SAML).
6. Measures for the protection of data during transmission
As per item 1, Canva encrypts Data transmitted over public networks between customers and the Canva application using TLS 1.2 or higher.
7. Measures for the protection of data during storage
As per item 1, Customer Data stored on Canva’s servers is encrypted using AES 256 or stronger.
8. Measures for ensuring physical security of locations at which personal data are processed
The service is hosted and Data is stored within data centres provided by Amazon Web Services (AWS). As such, Canva relies on the physical, environmental and infrastructure controls of AWS. Canva periodically reviews certifications and third-party attestations provided by AWS relating to the effectiveness of its data centre controls.
9. Measures for ensuring events logging
Canva maintains application and infrastructure security audit logs. Audit logs are analysed to detect anomalous activity.
10. Measures for ensuring system configuration, including default configuration
Canva hardens its server infrastructure using a hardening standard based on a common industry standard. Canva applies security patches to its servers in accordance with its Vulnerability Management Procedure.
11. Measures for internal IT and IT security governance and management
Canva staff access to Customer Data is role-based and follows the principle of least privilege. Staff are only provided with sufficient access to Customer Data to be able to discharge their responsibilities effectively. Remote network access to Canva systems requires encrypted communication via secured protocols and use of multi-factor authentication. Canva has established and will maintain procedures for password management for its personnel, designed to ensure passwords are personal to each individual, and inaccessible to unauthorized persons, including at minimum:
- cryptographically protecting passwords when stored in computer systems or in transit over the network;
- altering default passwords from vendors; and
- education on good password practices.
Staff access to production infrastructure requires multi-factor authentication (MFA).
Canva staff are subject to confidentiality obligations and a Personal Data Handling Policy. Canva requires its staff to undergo information security awareness training, both at the commencement of their employment and then annually thereafter. Canva also requires its staff to undergo privacy law training annually (including to comply with COPPA and FERPA in respect of student data).
Canva has implemented privacy by design, including but not limited to, privacy impact assessments.
12. Measures for certification/assurance of processes and products
Canva will maintain an ISO 27001 certification, undergoing periodic external surveillance and recertification audits to ensure that its Information Security Management System (ISMS) meets the requirements of this standard.
Canva will maintain an information security policy that meets the requirements of the ISO 27001 standard, an internal audit program that assesses Canva’s ISMS and information security controls, and a management committee that is responsible for oversight of Canva’s Information Security Management System (ISMS).
13. Measures for ensuring data minimisation
Canva allows visitors to use certain functionalities of its platform anonymously and minimises the Data it requires from Customers to only what is necessary to provide the service requested.
14. Measures for ensuring data quality
Canva ensures the quality of its data through verification of emails that sign up to the canva.com platform. Canva also allows users to update the information in their accounts themselves or via requests to its customer support function, the Customer Happiness Team.
15. Measures for ensuring limited data retention
Canva maintains a Data Retention Policy setting out the retention periods for various types of data based on legal requirements, justified interests of Canva and the purposes of collection.
16. Measures for ensuring accountability
Canva has designated local representatives in Europe and the United Kingdom. Canva’s local representative in the European Economic Area is European Data Protection Office (EDPO) with registered address at Avenue Huart Hamoir 71, 1030 Brussels, Belgium. Our local representative in the United Kingdom is European Data Protection Office UK (EDPO UK) with registered address at 8 Northumberland Avenue, London WC2N 5BY, United Kingdom. Data Protection Impact Assessments are carried out for high risk processing activities and Canva maintains records of its processing activities.
17. Measures for allowing data portability and ensuring erasure
Canva has an automated process for deleting Customer Data on request within 28 days and enables the download Customer Data to provide to alternative service providers.