Encrypted in transit
Every connection and data transfer is encrypted as standard over TLS, from a statement upload or a bank feed all the way to the platform.
Hand us your data knowing exactly how it is hosted, isolated, encrypted, and governed. ISO 27001:2022 certified and trusted by global banks.
Isolated and encrypted, under Singapore jurisdiction.
Canopy runs on hardened cloud infrastructure in Singapore. Your data is encrypted the moment it leaves your hands and stays encrypted at rest, inside a network built to expose as little as possible.
Every connection and data transfer is encrypted as standard over TLS, from a statement upload or a bank feed all the way to the platform.
All stored data is protected with advanced encryption, so it stays unreadable even at the storage layer.
Traffic enters through a managed firewall with only the necessary ports open and optional IP whitelisting. Everything else sits inside a private internal network.
IllustrativeConfidentiality is not a setting you switch on. It is how the platform is built and how the company behaves.
Each client's data sits in its own isolated, encrypted database, so one client's information is never commingled with another's.
A strict account and role-based access model means people see only what their role allows, on the principle of least privilege.
Family offices and banks are private by nature. We never name who our clients are, and we never disclose portfolios or holdings.
We never use your data to train shared AI models. AI is opt-in, and it runs against your isolated data only.
Data retention, backup, and deletion follow documented policies, so information is kept only as long as it should be.
Your data is held and governed under Singapore law, aligned with the MAS expectations of the institutions we serve.
Our security policies and procedures are organized into eight areas covering people, systems, data, and operations. Every employee, contractor, and vendor works to the same standards.
Acceptable use, access control, BYOD, and password protection.
Retention, backup and recovery, encryption, and information labeling.
Incident management, disaster recovery, risk methodology, and corrective action.
Antivirus and patch management, logging and monitoring, and network security.
Compliance policy, internal audit, and supplier relationship management.
Secure development practices and controlled change management.
Securing facilities against physical and environmental threats.
Security awareness, training, and human capital security.
We do not grade our own homework. Independent experts and our banking partners test us on a regular cycle.
Independent third-party penetration tests every year find and close vulnerabilities before they can be exploited.
External specialists run API security and vulnerability assessments, on top of our own internal audit program.
Certified against the international standard for information security management, with ongoing surveillance audits.
Global banks audit Canopy before they connect, and re-audit us every year. We consistently pass, which is why bank data feeds flow into Canopy from institutions around the world.
Our ISO certificate, penetration test summaries, and the full set of security policies and procedures are available to qualified prospects under NDA during due diligence.
Canopy runs on hardened cloud infrastructure in Singapore. Your data is held and governed under Singapore law, aligned with the MAS expectations of the institutions we serve.
Yes. Each client's data sits in its own isolated, encrypted database. One client's information is never commingled with another's, and access is governed by a strict account and role-based model.
Yes. All data transfers are encrypted as standard over TLS, and all stored data is protected with advanced encryption at rest, so it stays unreadable even at the storage layer.
Canopy is ISO 27001:2022 certified, the international standard for information security management, with ongoing surveillance audits. We are also aligned with Singapore MAS expectations.
Yes. Independent third-party penetration tests are conducted every year, alongside external API and vulnerability assessments and our own internal audit program, so issues are found and closed proactively.
No. We never use your data to train shared AI models. AI is opt-in, and it runs against your own isolated data only.
Yes. Our ISO certificate, penetration test summaries, and the full set of security policies and procedures are available to qualified prospects under NDA during due diligence.
We maintain documented incident management and disaster recovery procedures, with logging and monitoring to detect anomalies and tested recovery plans to restore service and protect data.
We will walk your IT, risk, and compliance teams through hosting, isolation, and our controls, and share documentation under NDA.