Candu is committed to the highest standards of security. We take responsibility for managing your customer data securely.

If you have any questions or want to report any security issues, please contact us at [email protected].

Learn about how Candu handles personal information and how we delete and export customer data:

Candu doesn't require any personally identifiable information (PII) to be passed to the service, nor do we actively collect any PII from our customers.

We believe customers have the right to be forgotten. By GDPR, Candu will delete all of your customer data within 30 days of receiving a written request.

In accordance with GDPR, Candu will export customer data in JSON format within 30 days of receiving a written request.

We follow industry-standard end-to-end encryption methods and use best-in-class vendors for cloud and application security. We review our security practices each quarter to ensure they are up to date.

Every aspect of the Candu application is encrypted. Our servers enforce HTTPS protocol by using TSL 1.2. Internally, our servers communicate exclusively using HTTPS.

Our data is stored entirely on AWS services. We encrypt stored data using AES encryption (provided by AWS services). Any server-side secret is stored and accessed via AWS KMS. We rotate sensitive keys and expire critical keys.

All backups are encrypted and stored using AES-256 in secure cloud locations within the EU.

At Candu, we have taken all necessary precautions to maintain our AWS cloud as securely as possible.

Candu account passwords are hashed and salted; our staff cannot view or retrieve them. We use a symmetric block cipher (Blowfish) of at least 12 salt rounds to protect your password. If you lose your password, it cannot be retrieved; it must be reset.

The entire Candu application is encrypted with HTTPS.