Your trust is at the center of what we do and why security is a top priority for us. Our products, processes and systems are designed to protect our users and data.
We keep designs secure in transit and at rest. In transit, designs are only accessible via TLS/SSL, and at rest, designs are encrypted with AES256.
Our people and systems can only access the data they need to do their job and we store your designs with cloud providers who have top-tier physical security controls.
We use a global CDN to prevent network attacks and keep Canva highly available.
Our threat detection, logging and alerting systems notify our oncall teams about potential incidents.
We peer review and test our code prior to release, including manual and automated checks for security issues.
We only release software after qualifying it in development and staging environments.
We provide SSO and MFA options for users and enterprises to secure their accounts
Users can be assigned different roles to administer, manage, design or access content.
We welcome responsible security research. We run a bug bounty program and provide ways for security researchers to notify us of vulnerabilities in our products and environments.
Canva is committed to helping our users understand the rights and obligations under the General Data Protection Regulation (GDPR), which took effect on May 25, 2018.
We have introduced tools and processes to ensure we comply with GDPR requirements.
By default, all content you post on Canva is private.
All your private data is stored in systems that are only accessible via the Canva application.
When you log in to Canva, we give your Canva account access to the private files.
Your private designs can only be accessed by logging in to your account.
Your private designs cannot be accessed by anyone that is not logged in to Canva, or anyone using a different account unless you share your designs.
You share a design with a team by placing your design in a team folder.
When team members then log in to Canva, we give their Canva account access to these private files that have been placed in the team folder. Team members can also see any uploaded files included in the design.
If you publish a design publicly, this changes the privacy settings and the design can then be accessed by anyone that has the URL to the file.
Canva is ISO 27001 certified. This certification means that, as an organisation, we have the people, processes and systems in place to effectively identify, assess, treat and monitor our information security risks. It means that we aim to have security built into every facet of our operations, and that we strive to improve our security posture through a process of continuous improvement.
Yes. Our security team is comprised of dedicated Security Engineers who work across the company to ensure our product, platforms and operations are secure.
Yes. Our ISO 27001 certification requires us to have periodic external audits of our information security management system and security controls.
Canva employs specialist external services and tools to conduct multiple different types of security assessments.
We have partnered with BugCrowd to run a public bug bounty program, providing continuous crowdsourced security testing. Find out more about our bug bounty program here.
We also run weekly vulnerability scans against our production environments, and engage external penetration testers to conduct multiple penetration tests throughout the year.
Canva stores your data in the cloud using several types of storage, depending on the type of data, including databases, file storage and other systems.
Our systems are only accessible by people and services who need access.
We encrypt designs using AES256. This means that your designs are unreadable by someone with access to the disks holding your designs.
Canva operates in many countries that each have their own laws about data privacy and security.
Our legal team continually monitors the evolving regulatory landscape to identify changes and determine what action Canva needs to take to uphold our obligations in each jurisdiction.
We're here and ready to answer all of your questions about Canva security.