We’re SOC 2 Type II Compliant! Here’s What That Means for You
Keeping our users’ data secure at all times is our highest priority.
The infrastructure we’re building at Canopy Connect enables consumers to securely and quickly share their insurance data. We believe that comes with a lot of responsibility and that we need to be worthy of trust.
We really mean it when we say we take security and privacy seriously, but we think to be worthy of your trust we need to show you.
So, we got SOC 2 Type 2 certified. That means we had an independent auditor evaluate our product, infrastructure, policies and governance over an extended period of time, and certify that we meet or exceed specific levels of controls and processes to keep data secure. This took our team a lot of work over the past year, and I’m so glad we can finally share this news publicly.
Security at Canopy Connect
With this announcement, we thought we’d peel back the curtain a bit and share more about how we keep data secure at Canopy Connect.
In this post, we'll go over cloud security, data encryption, business continuity and disaster recovery, and application security monitoring.
Cloud Security
Our services run in a virtual private cloud (VPC), and our data center is tier IV, SOC 2, and ISO 27001 compliant.
Our network architecture is composed of multiple availability zones and clearly delineated subnets for public and private traffic. We’ve built an Intrusion Detection System (IDS) that monitors and alerts on potentially malicious traffic, both internal and external.
Data Encryption
All data is encrypted at rest and in transit.
All data sent to or from our infrastructure is encrypted in transit via industry best practices using TLS version 1.2+. You can see our A+ SSLLabs report here.
All our user data is encrypted at rest using the industry-standard AES-256 algorithm. All passwords are hashed with bcrypt. We use a key management service (KMS) to manage our encryption keys securely.
Business continuity and disaster recovery
Canopy Connect maintains a Business Continuity Policy (BCP) and a Disaster Recovery Policy (DRP). Both are tested yearly across a variety of scenarios, walking through how our business would respond and keep operations consistent throughout a crisis, so that we can maintain service to our clients as effectively as possible.
We keep encrypted backups, and we provision our infrastructure using infrastructure-as-code, so we can quickly and reliably recreate our environments in the event of a full regional disaster.
Application Security Monitoring
We use a security and compliance monitoring solution to continuously monitor our application security, identify problems, and respond quickly to a data breach. We monitor exceptions and logs, and detect anomalies in our applications.
Secure Development
We develop our applications following security best practices and frameworks such as the OWASP Top 10. We use the following practices to ensure the highest level of security in our software:
- We work with third-party security experts to perform yearly penetration tests of our applications
- We use Static Application Security Testing (SAST) to detect basic security vulnerabilities in our codebase
- Engineers participate in regular security training to keep up to date with common vulnerabilities and threats
- We review our code for security vulnerabilities
- We regularly update our dependencies and make sure none of them have known vulnerabilities
We’re so excited to announce our SOC 2 Type II certification. Keeping data safe is our top priority, and today’s announcement reaffirms our commitment to the highest standards of security and compliance using the latest technologies.
Please reach out to us with any questions!