1. Data and Privacy.
1.1 Customer Data Policies
- Canopy Management has approved all policies that detail how customer data may be made accessible and should be handled. These policies are accessible to all employees and contractors.
- Canopy authorizes access to information resources, including data and the systems that store or process customer data, based on the principle of least privilege.
1.2 Internal Admin Tool
- Canopy uses encryption to protect user authentication and admin sessions of the internal admin tool transmitted over the Internet.
2. Internal Security Procedures.
2.1 Software Development Life Cycle
- Canopy uses a version control system to manage source code, documentation, release labeling, and other change management tasks. Access to the system must be approved by a system admin.
- When Canopy's application code changes, code reviews and tests are performed by someone other than the person who made the code change.
- Only authorized Canopy personnel can push or make changes to production code.
- Separate environments are used for testing and production for Canopy's application.
2.2 Responsible Disclosure Policy
- Canopy provides a process to employees for reporting security, confidentiality, integrity, and availability failures, incidents, concerns, and other complaints to company management.
- Canopy provides a process to external users for reporting security, confidentiality, integrity, and availability failures, incidents, concerns, and other complaints.
2.3 Access Control
- Canopy has a defined System Access Control Policy that requires annual access control reviews to be conducted and access request forms to be filled out for new hires and employee transfers.
- Canopy performs annual access control reviews.
- Hardening standards are in place to ensure that newly deployed server instances are appropriately secured.
2.4 Vulnerability Management
- Canopy maintains an accurate network diagram that is accessible to the engineering team and is reviewed by management on an annual basis.
- Canopy conducts a Risk Assessment at least annually.
- Canopy engages a third party to conduct vulnerability scans of the production environment at least quarterly. Results are reviewed by management, and high-priority findings are tracked to resolution.
- Canopy engages a third party to conduct penetration tests of the production environment at least annually. Results are reviewed by management, and high-priority findings are tracked to resolution.
- Canopy reviews its organizational structure, reporting lines, authorities, and responsibilities in terms of information security on an annual basis.
- Canopy has a defined Information Security Policy that covers policies and procedures to support the functioning of internal control.
- Canopy identifies, inventories, classifies, and assigns owners to IT assets.
- Canopy maintains an accurate architecture diagram to document system boundaries to support the functioning of internal control.
- Canopy has defined a formal risk management process that specifies risk tolerances and the process for evaluating risks based on identified threats and the specified tolerances.
- Canopy's Management prepares a remediation plan to formally manage the resolution of findings identified in risk assessment activities.
2.5 Security Issues
- Canopy tracks security deficiencies through internal tools and closes them within an SLA that management has pre-specified.
- Canopy tracks security deficiencies through internal tools; they are prioritized according to severity by an independent technical resource.
- Canopy conducts continuous monitoring of security controls using Drata, and addresses issues in a timely manner.
2.6 Business Continuity
- Canopy has an established Disaster Recovery Plan that outlines roles and responsibilities and detailed procedures for recovery of systems.
- Canopy conducts and documents annual BCP/DR tests in accordance with the BCDR Plan.
- Canopy utilizes multiple availability zones to replicate production data across different zones.
2.7 Incident Response Plan
- Canopy has implemented an Incident Response Plan that includes creating, prioritizing, assigning, and tracking follow-ups to completion and lends support to Business Continuity/Disaster Recovery.
- Canopy has identified an incident response team that quantifies and monitors incidents involving security, availability, processing integrity, and confidentiality at the company.
- Canopy has implemented an Incident Response Plan that includes documenting "Lessons Learned" and "Root Cause Analysis" after incidents and sharing them with the broader engineering team to support Business Continuity/Disaster Recovery.
- Canopy has an established Incident Response Plan that outlines management responsibilities, procedures to ensure a quick, effective, and orderly response to information security incidents, and annual testing.
3. Organizational Security.
3.1 Security Policies
- Company policies are accessible to all employees and, as appropriate, third parties. Personnel are required to acknowledge the information security policy and other topic-specific policies based on their job duties during onboarding and annually thereafter.
- Management reviews security policies on an annual basis.
- Canopy has developed policies and procedures governing the system development life cycle, including documented policies for tracking, testing, approving, and validating changes.
3.2 Security Program
- Canopy has an assigned security team that is responsible for the design, implementation, management, and review of the organization's security policies, standards, baselines, procedures, and guidelines.
- Canopy has established training programs for privacy and information security to help employees understand their obligations and responsibilities to comply with Canopy's security policies and procedures, including the identification and reporting of incidents. All full-time employees are required to complete the training upon hire and annually thereafter.
- The security team communicates important information security events to company management in a timely manner.
3.3 Personnel Security
- Canopy uses a termination checklist to ensure that an employee's system access, including physical access, is removed within a specified timeframe and all organization assets (physical or electronic) are properly returned.
- Canopy has policies and procedures in place to establish acceptable use of information assets approved by management, posted on the company wiki, and accessible to all employees. All employees must acknowledge the Acceptable Use Policy upon hire.
- Canopy new hires are required to pass a background check as a condition of their employment.
- Canopy requires its contractors to read and acknowledge the Code of Conduct, read and acknowledge the Acceptable Use Policy, and pass a background check.
- Canopy has a formal Code of Conduct approved by management and accessible to all employees. All employees must acknowledge the Code of Conduct upon hire.
- Canopy has established a Data Protection Policy and requires all employees to acknowledge it upon hire. Management monitors employees' acceptance of the policy.
- Members of the Board of Directors are independent of management.
- Management has established defined roles and responsibilities to oversee implementation of the information security policy across the organization.
- Canopy evaluates the performance of all employees through a formal, annual performance evaluation.
- Canopy new hires and/or internal transfers are required to go through an official recruiting process during which their qualifications and experience are screened to ensure that they are competent and capable of fulfilling their responsibilities.
- All Canopy positions have a detailed job description that lists qualifications, such as requisite skills and experience, which candidates must meet in order to be hired by Canopy.
3.4 Endpoints and Laptops
- Canopy ensures that a password manager is installed on all company-issued laptops.
- Canopy ensures that company-issued laptops have encrypted hard disks.
- Canopy ensures that all company-issued computers use a screensaver lock with a timeout of no more than 15 minutes.
- Canopy requires antivirus software to be installed on workstations to protect the network against malware.
- Operating system (OS) security patches for Canopy workstations are applied automatically.
4. Product Security.
4.1 Data Encryption
- Canopy ensures that all connections to its web application from its users are encrypted.
- Canopy has an established policy and procedures that govern the use of cryptographic controls.
- Canopy stores customer data in databases that are encrypted at rest.
4.2 Vendor Management
- Canopy maintains a directory of its key vendors, including its agreements that specify terms, conditions and responsibilities.
- Canopy maintains a directory of its key vendors, including their compliance reports. Critical vendor compliance reports are reviewed annually.
4.3 Software Application Security
- A username and password (with a password standard implemented) or SSO is required to authenticate to the application; MFA is optional for external users and required for employee users.
- Role-based security is in place for internal and external users, including super admin users.
- Canopy customer data is segregated from the data of other customers.
- Canopy's application user passwords are stored using a salted password hash.
- External users must accept the Terms of Service prior to their account being created.
- Canopy automatically logs users out after a predefined inactivity interval and/or closure of the internet browser, and requires users to reauthenticate.
4.4 Customer Communication
- Canopy's security commitments are communicated to external users, as appropriate.
- Canopy maintains a Privacy Policy that is available to all external users and internal employees, and it details the company's confidentiality and privacy commitments.
- Canopy maintains a Terms of Service that is available to all external users and internal employees, and the terms detail the company's security and availability commitments regarding the systems. Client Agreements or Master Service Agreements are in place for when the Terms of Service may not apply.
5. Infrastructure Security.
5.1 Authentication and Authorization
- Canopy requires two-factor authentication to access sensitive systems and applications, in the form of a user ID, password, OTP, and/or certificate.
- Canopy has established formal guidelines for passwords to govern the management and use of authentication mechanisms.
- Access to corporate network, production machines, network devices, and support tools requires a unique ID.
- Access to infrastructure and code review tools is removed from terminated employees within one business day.
- SSH users use unique accounts to access production machines. Additionally, the use of the "root" account is not allowed.
- No public SSH is allowed.
5.2 Availability
- Canopy communicates system changes to customers that may affect security, availability, processing integrity, or confidentiality.
5.3 Storage
- Read/Write access to cloud data storage is configured to restrict public access.
5.4 Backup
- Canopy performs backups daily and retains them in accordance with a predefined schedule in the Backup Policy.
5.5 Logging
- Canopy uses a system that collects and stores server logs in a central location. The system can be queried in an ad hoc fashion by authorized users.
- Canopy uses logging software that sends alerts to appropriate personnel. Corrective actions are performed, as necessary, in a timely manner.
5.6 Network
- Canopy cloud infrastructure is monitored through an operational audit system that sends alerts to appropriate personnel.
- Users can only access the production system remotely through the use of encrypted communication systems.
- Canopy uses configurations that ensure only approved networking ports and protocols are implemented, including firewalls.
- A WAF is in place to protect Canopy's application from outside threats.
- An intrusion detection system (IDS) is in place to detect potential intrusions and alert personnel when a potential intrusion is detected.
- Canopy has infrastructure logging configured to monitor web traffic and suspicious activity. When anomalous traffic activity is identified, alerts are automatically created, sent to appropriate personnel and resolved, as necessary.
- Canopy is using Drata to monitor the security and compliance of its cloud infrastructure configuration.
- Canopy does not use the root account of its infrastructure provider.
5.7 Protecting Secrets
- Canopy has an established key management process in place to support the organization's use of cryptographic techniques.
6. Physical Security.
6.1 Data Center Security
- Canopy has security policies that have been approved by management and detail how physical security for the company's headquarters is maintained. These policies are accessible to all employees and contractors.
7. Confidentiality.
7.1 Data
- Canopy has a documented policy for data retention defining the types of data (including company and customer data) and the period of time for which they should be retained.
- Canopy has established a data classification policy in order to identify the types of confidential information possessed by the entity and types of protection that are required.
7.2 Employee Responsibilities
- Canopy new hire contracts include a non-disclosure agreement (NDA).
- Canopy has formal policies and procedures in place to guide personnel in the disposal of hardware containing sensitive data.
8. Privacy.
8.1 Communication of Objectives Related to Privacy Practices
- Canopy management reviews the privacy notice to ensure that the privacy notice is accurate.
- Canopy communicates its Privacy Policy on its public-facing website.
- Canopy's Privacy Policy includes: 1) Purpose for collecting personal information, 2) Choice and consent, 3) Types of personal information collected, 4) Methods of collection (for example, use of cookies or other tracking techniques), 5) Use, retention, and disposal, 6) Access, 7) Disclosure to third parties, 8) Security for privacy, 9) Quality, including data subjects' responsibilities for quality, 10) Monitoring and enforcement
8.2 Privacy Related to Collection
- Canopy's management confirms that third parties from whom personal information is collected (that is, sources other than the individual) are reliable sources that collect information fairly and lawfully.
8.3 Privacy Related to Use, Retention, and Disposal
- Canopy only uses personal information for the purposes identified in the entity's privacy policy.
- Canopy captures requests for deletion of personal information and information related to the requests is appropriately deleted.
- Users accessing their personal information through Canopy's application must be authenticated with a username and password.
8.4 Privacy Criteria Related to Access
- Users can access all of their personal information through the application by navigating to their settings and profile.
- Users can correct, amend, or append their personal information by logging into the application and navigating to their settings and profile.
8.5 Privacy Criteria Related to Disclosure and Notification
- Canopy maintains a documented list of third parties and vendors that are authorized to receive or access PII.
- Canopy tracks and logs breaches involving unauthorized uses and disclosures of personal information in an incident tracking system.
- Canopy ensures that vendors and third parties with access to protected health information (PHI) are required to sign a Business Associate Agreement (BAA) on an annual basis.
- Canopy requires vendors and third parties with access to personal information to sign a formal contract that requires them to notify Canopy in the event of actual or suspected unauthorized disclosures of personal information.
- Canopy has a process for providing notice of breaches and incidents to affected data subjects to meet Canopy's objectives related to privacy.
- Canopy's privacy practices posted on its website include the list of third parties authorized to receive personal information.
8.6 Privacy Related to Monitoring and Enforcement
- Executive management meets on a quarterly basis to review compliance with privacy practices and privacy regulations.
9. Additional Controls.
- Canopy ensures that incident response plan testing is performed on an annual basis.
- The company's board of directors has a documented charter that outlines its oversight responsibilities for internal control.
- The company's board members have sufficient expertise to oversee management's ability to design, implement and operate information security controls. The board engages third-party information security experts and consultants as needed.
- The company's board of directors meets at least annually and maintains formal meeting minutes. The board includes directors that are independent of the company.
- The company's board of directors or a relevant subcommittee is briefed by senior management at least annually on the state of the company's cybersecurity and privacy risk. The board provides feedback and direction to management as needed.
- Canopy ensures that code changes are tested prior to deployment to ensure quality and security.
- Canopy performs control self-assessments at least annually to gain assurance that controls are in place and operating effectively. Corrective actions are taken based on relevant findings.
- Canopy maintains cybersecurity insurance to mitigate the financial impact of business disruptions.
- Canopy uses DLP (Data Loss Prevention) software to prevent unencrypted sensitive information from being transmitted over email.
- Canopy ensures that file integrity monitoring (FIM) software is in place to detect whether operating system and application software files have been tampered with.
- Canopy has security policies that have been approved by management and detail how physical access to the company's headquarters is maintained. These policies are accessible to all employees and contractors.
- Canopy ensures that releases are approved by appropriate members of management prior to production release.
- Canopy ensures that company-issued removable media devices (USB drives) are encrypted.
- Canopy ensures that virtual machine OS patches are applied monthly.