Data security policy

At Candu, we take data security seriously. We follow industry standard encryption methods, and use best-in-class vendors. Each quarter, we review our security practices to keep them up-to-date.

End-to-end encryption

Every aspect of Candu's application is encrypted. Our servers enforce HTTPS protocol using TSL 1.2. Internally, our servers communicate exclusively using HTTPS.

Our data is stored entirely on AWS services. We encrypt any stored data using AES encryption (provided by AWS services). Any server-side secret is stored and accessed via AWS KMS. We rotate sensitive keys and expire critical keys.

All backups are encrypted and stored using AES-256 in secure cloud locations within the EU.

Cloud security

At Candu, we have taken all necessary precautions to maintain our AWS cloud as securely as possible.

We mandate strong passwords and 2FA to access our AWS account. Our engineer are granted roles and permissions on a least privilege principle.

We use encrypted SSH keys to access our bastion servers. Our servers do not have a public IP unless strictly necessary.

Our services also run on a least privilege principle.

All data is always stored exclusively within the EU.

We have multiple levels of back up processes to minimize data loss in case of an attack or system failure.

Application security

Candu account passwords are hashed and salted, and our staff is not able to view or retrieve them. To protect your password, we use a symmetric block cipher (Blowfish) with at least 12 salt rounds. If you lose your password, it cannot be retrieved; it must be reset.

The entire Candu application is encrypted with HTTPS.

Where possible, we rely on well-established open source software to avoid any potential for malware. We use third-party tools to check for open source vulnerabilities.

We routinely upgrade all medium-risk vulnerabilities and upgrade them within 180 days of discovery. High-risk vulnerabilities are addressed within 90 days.

We upgrade and patch software dependency every 14 days.