Security Overview

We take responsibility for managing your data securely. Review our data management and data security policies.

Lauren Cumming avatar
Written by Lauren Cumming
Updated over a week ago

Candu is committed to the highest standards of security. We take responsibility for managing your customer data securely.

If you have any questions or want to report any security issue, please contact us at [email protected].

Data management

Learn about how Candu handles personal information and how we delete and export customer data:

Handling personal information

Candu doesn't require any personally identifiable information (PII) to be passed to the service, nor do we actively collect any PII from our customers.

Deleting customer data

We believe customers have the right to be forgotten. In accordance with GDPR, Candu will delete all of your customer data within 30 days of receiving a written request.

Exporting customer data

In accordance with GDPR, Candu will provide an export of customer data in JSON format within 30 days of receiving a written request.

Data security

We follow industry-standard end-to-end encryption methods and use best-in-class vendors for cloud and application security. Each quarter, we review our security practices to keep them up-to-date.

End-to-end encryption

Every aspect of the Candu application is encrypted. Our servers enforce HTTPS protocol by using TSL 1.2. Internally, our servers communicate exclusively using HTTPS.

Our data is stored entirely on AWS services. We encrypt stored data using AES encryption (provided by AWS services). Any server-side secret is stored and accessed via AWS KMS. We rotate sensitive keys and expire critical keys.

All backups are encrypted and stored using AES-256 in secure cloud locations within the EU.

Cloud security

At Candu, we have taken all necessary precautions to maintain our AWS cloud as securely as possible.

  • We mandate strong passwords and 2FA to access our AWS account. Our engineers are granted roles and permissions using a least privilege principle.

  • We use encrypted SSH keys to access our bastion servers. Our servers do not have a public IP unless strictly necessary.

  • Our services also run on a least privilege principle.

  • All data is always stored exclusively within the EU.

  • We have multiple levels of redundancy and backup processes to minimize data loss in case of an attack or system failure.

Application security

Candu account passwords are hashed and salted, and our staff is not able to view or retrieve them. To protect your password, we use a symmetric block cipher (Blowfish) of at least 12 salt rounds. If you lose your password, it cannot be retrieved; it must be reset.

The entire Candu application is encrypted with HTTPS.

Did this answer your question?