Trust and security

Security and privacy are the product.

Hand us your data knowing exactly how it is hosted, isolated, encrypted, and governed. ISO 27001:2022 certified and trusted by global banks.

Isolated and encrypted, under Singapore jurisdiction.

ISO 27001:2022MAS-alignedAnnual pen testsPer-client isolation
Where your data lives

Hosted in Singapore, encrypted end to end

Canopy runs on hardened cloud infrastructure in Singapore. Your data is encrypted the moment it leaves your hands and stays encrypted at rest, inside a network built to expose as little as possible.

Encrypted in transit

Every connection and data transfer is encrypted as standard over TLS, from a statement upload or a bank feed all the way to the platform.

Encrypted at rest

All stored data is protected with advanced encryption, so it stays unreadable even at the storage layer.

A minimal, guarded perimeter

Traffic enters through a managed firewall with only the necessary ports open and optional IP whitelisting. Everything else sits inside a private internal network.

Illustrative
Isolation and privacy

Your data, walled off and private

Confidentiality is not a setting you switch on. It is how the platform is built and how the company behaves.

Per-client database isolation

Each client's data sits in its own isolated, encrypted database, so one client's information is never commingled with another's.

Role-based access

A strict account and role-based access model means people see only what their role allows, on the principle of least privilege.

We never disclose our clients

Family offices and banks are private by nature. We never name who our clients are, and we never disclose portfolios or holdings.

Your data is not training data

We never use your data to train shared AI models. AI is opt-in, and it runs against your isolated data only.

Retention on your terms

Data retention, backup, and deletion follow documented policies, so information is kept only as long as it should be.

Singapore jurisdiction

Your data is held and governed under Singapore law, aligned with the MAS expectations of the institutions we serve.

The security framework

A documented program, not good intentions

Our security policies and procedures are organized into eight areas covering people, systems, data, and operations. Every employee, contractor, and vendor works to the same standards.

Access and usage

Acceptable use, access control, BYOD, and password protection.

Data protection

Retention, backup and recovery, encryption, and information labeling.

Incident and risk

Incident management, disaster recovery, risk methodology, and corrective action.

Security operations

Antivirus and patch management, logging and monitoring, and network security.

Compliance and audit

Compliance policy, internal audit, and supplier relationship management.

Development and change

Secure development practices and controlled change management.

Physical and environmental

Securing facilities against physical and environmental threats.

Communication and training

Security awareness, training, and human capital security.

Testing and assurance

Checked by outsiders, every year

We do not grade our own homework. Independent experts and our banking partners test us on a regular cycle.

Annual penetration testing

Independent third-party penetration tests every year find and close vulnerabilities before they can be exploited.

Independent assessments

External specialists run API security and vulnerability assessments, on top of our own internal audit program.

ISO 27001:2022 certification

Certified against the international standard for information security management, with ongoing surveillance audits.

The trust from banks

Audited by the banks themselves

Global banks audit Canopy before they connect, and re-audit us every year. We consistently pass, which is why bank data feeds flow into Canopy from institutions around the world.

100+
Direct bank feeds worldwide
Annual
Bank audits passed
250+
Custodians connected
9 yrs
In production

Our ISO certificate, penetration test summaries, and the full set of security policies and procedures are available to qualified prospects under NDA during due diligence.

FAQ

Security questions, answered

Where is our data hosted?

Canopy runs on hardened cloud infrastructure in Singapore. Your data is held and governed under Singapore law, aligned with the MAS expectations of the institutions we serve.

Is our data isolated from other clients?

Yes. Each client's data sits in its own isolated, encrypted database. One client's information is never commingled with another's, and access is governed by a strict account and role-based model.

Is the data encrypted?

Yes. All data transfers are encrypted as standard over TLS, and all stored data is protected with advanced encryption at rest, so it stays unreadable even at the storage layer.

Are you certified, and by whom?

Canopy is ISO 27001:2022 certified, the international standard for information security management, with ongoing surveillance audits. We are also aligned with Singapore MAS expectations.

Do you run penetration tests?

Yes. Independent third-party penetration tests are conducted every year, alongside external API and vulnerability assessments and our own internal audit program, so issues are found and closed proactively.

Do you use our data to train AI?

No. We never use your data to train shared AI models. AI is opt-in, and it runs against your own isolated data only.

Can we review your security reports before signing?

Yes. Our ISO certificate, penetration test summaries, and the full set of security policies and procedures are available to qualified prospects under NDA during due diligence.

What happens in a security incident or outage?

We maintain documented incident management and disaster recovery procedures, with logging and monitoring to detect anomalies and tested recovery plans to restore service and protect data.

Get started

Send this to your security team

We will walk your IT, risk, and compliance teams through hosting, isolation, and our controls, and share documentation under NDA.