We understand that trusting vendors with your most valuable and highly sensitive data can be daunting. That’s why security, privacy, and compliance are built into the core of the Canto platform. See how.
Canto never treats security lightly. That’s why HIPAA, privacy law compliance, and risk management are built into the platform and internal processes at Canto.
Canto is committed to privacy on our platform and to our customers. We provide a high standard of privacy protection for all customers.
Canto abides by global Privacy Laws and all US Privacy Laws. All customers can access the information Canto stores about them. Canto will never collect, use, or sell your information without written permission, nor do we contact our users directly.
The following is a list of all Privacy Laws Canto abides by:
Canto offers AICPA SOC 2 Type 2 reports annually to our customers with a valid NDA in place. Canto monitors for SOC 2 compliance on a daily basis.
All data stored in Canto is secured in accordance with the HIPAA Security Rule, and Canto signs BAAs with any clients that will store ePHI in Canto. Additionally, Canto’s internal policies and security program are continuously reviewed to ensure compliance.
HIPAA compliance is a shared responsibility. Customers must follow industry standards for SaaS tools and enforce their own organizational policies to meet HIPAA requirements internally.
Canto conducts annual NIST Assessments on our product and internal processes to identify security gaps and improve our security posture.
Because AWS is our main vendor and sub-processor, Canto proactively reviews AWS reports annually. We exercise due diligence over our critical vendors by continually reviewing and adopting new AWS mechanisms and by ensuring that all AWS documentation and contracts are up to date.
All Canto data resides in AWS regions in the US, EU, and Canada. Currently, data is hosted in the following regions:
Canto has end-to-end access control management to protect both customer data and employees from threats such as unauthorized access through privileged credentials. We ensure that data access is granted on the principle of least privilege, that security posture is maintained through regular access reviews, and that access is removed when an employee resigns. In addition, the Canto platform gives administrators granular control over data access based on roles and responsibilities.
Canto performs 24x7 platform monitoring to detect and respond to suspicious activity. Additionally, Canto’s Incident Response Process is tightly integrated with Engineering and DevOps: suspicious activity is identified, contained, and eradicated, and resulting process improvements are identified and actioned.
Canto guarantees 99.8% platform availability and maintains and tests a Business Continuity Plan (BCP) and Disaster Recovery (DR) plan for our most critical assets. Canto continuously monitors platform availability, and employees are trained in recovery procedures. In the event of a disaster, SLAs are in place for each business-critical function.
At Canto, security is a mindset. We provide annual security training on new and existing security risks for all employees and contractors, along with quarterly phishing tests. Additionally, our systems provide protection against malware and detect and report on internal threats. We review our security posture annually to identify ways to reduce our risk exposure.