We understand that trusting vendors with your most valuable and highly sensitive data can be daunting. That’s why security, privacy, and compliance are built into the core of the Canto platform. See how.

Security features


  • Strong user authentication using complex passwords for local accounts, and the ability to authenticate via SSO (Single Sign On) and MFA (multi-factor authentication)
  • Granular access controls for customers to enable specific permissions and capabilities
  • Ability to share content externally with others using permanent or temporary links
  • Integrate with your heavily-used services


  • All customer data hosted on AWS in the region you require
  • Network monitoring and protection
  • Application monitoring and protection
  • Encryption in-transit (TLS 1.2, TLS 1.3)
  • Encryption at rest (AES-256)
  • WAF (Web Application Firewall)
  • Regular vulnerability scanning
  • Regular penetration testing
  • Annual DR Testing and Business Continuity Planning
  • Monitoring and alerting processes

Internal Processes

  • Security education and awareness training
  • Regular phishing tests
  • Vendor risk management
  • Asset management and malware protection
  • Access control on all company software
  • Incident Response Process
  • Onboarding and offboarding procedures


  • Annual SOC 2 compliance testing
  • HIPAA compliant
  • GDPR, CCPA, CPA, and ATIPPA in place
  • GDPR deletion
  • Risk management program
  • NIST CSF internal reviews
  • Data privacy and protection
  • Lawful basis processing
  • Consent and cookies

Global leaders trust Canto with their data

Compliance requirements

Canto never treats security lightly. That’s why HIPAA, privacy law compliance, and risk management are built into the platform and internal processes at Canto.

Data Privacy

Canto is committed to privacy on our platform and to our customers. We provide a high standard of privacy protection for all customers.

GDPR, US Privacy Laws, ATIPPA

Canto abides by global Privacy Laws and all US Privacy Laws. All customers can access the information Canto stores about them. Canto will never collect, use, or sell your information without written permission, nor do we contact our users directly.

The following is a list of all Privacy Laws Canto abides by:

  • GDPR
  • All US Privacy Laws, including CCPA and CPA


Canto offers AICPA SOC 2 Type 2 reports annually to our customers with a valid NDA in place. Canto monitors for SOC 2 compliance on a daily basis.

HIPAA Compliance

All data stored in Canto is secured in accordance with the HIPAA Security Rule, and Canto signs BAAs with any clients that will store ePHI in Canto. Additionally, Canto’s internal policies and security program are continuously reviewed to ensure compliance.

HIPAA-compliance is a shared responsibility. Customers must follow industry standards for SaaS tools and enforce organizational policies to meet HIPAA requirements internally.

Risk Management

Canto conducts annual NIST Assessments on our product and internal processes to identify security gaps and improve our security posture.

Physical security

Canto proactively checks AWS reports annually as our main vendor and sub-processor. We ensure due diligence to our critical vendors by constantly reviewing and adapting new AWS mechanisms and ensuring that all AWS documentation and contracts are up to date.

All Canto data resides on AWS regions around the US, EU, and Canada. Currently, data is hosted in the following regions:

  • Ireland
  • Germany
  • US West
  • Canada Central

Access control

Canto has end-to-end access control management to protect both customer data and employees from threats such as access through privileged credentials. We ensure that data access is provided based on the principle of least privilege, that security posture is maintained through regular access reviews, and access is removed after an employee resigns. In addition, the Canto platform provides granular data access to administrators based on roles and responsibilities.

Threat detection, monitoring, and incident response

Canto includes 24x7 platform monitoring to detect and respond to any suspicious activity. Additionally, Canto’s Incident Response Process is heavily integrated into Engineering and DevOps. All suspicious activity is identified, contained, and eradicated, and process improvements are identified and actioned.

Business continuity and disaster recovery

Canto guarantees 99.8% platform availability in addition to maintaining and testing a BCP and DR on our most critical assets. Canto continuously monitors platform availability and employees are trained in recovery procedures. In the event of a disaster, SLAs are in place for each business-critical function.

Organizational security

At Canto, security is a mindset. We provide annual security training about new and existing security risks for all employees and contractors along with quarterly phishing tests. Additionally, our systems provide protection against malware and detect and report on internal threats. We review our security posture annually to determine ways to lower our risk landscape.

Want to see it for yourself?

Book a Canto demo now to see our robust digital asset management platform in action.