We understand that trusting vendors with your most valuable and highly sensitive data can be daunting. That’s why security, privacy, and compliance are built into the core of the Canto platform. See how.

Security features


  • Strong user authentication using complex passwords for local accounts, and the ability to authenticate via SSO (Single Sign On) and MFA (multi-factor authentication)
  • Granular access controls for customers to enable specific permissions and capabilities
  • Ability to share content externally with others using permanent or temporary links
  • Integrate with your heavily-used services


  • All customer data hosted on AWS in the region you require
  • Network monitoring and protection
  • Application monitoring and protection
  • Encryption in-transit (TLS 1.2, TLS 1.3)
  • Encryption at rest (AES-256)
  • WAF (Web Application Firewall)
  • Regular vulnerability scanning
  • Regular penetration testing
  • Annual DR Testing and Business Continuity Planning
  • Monitoring and alerting processes

Internal Processes

  • Security education and awareness training
  • Regular phishing tests
  • Vendor risk management
  • Asset management and malware protection
  • Access control on all company software
  • Incident Response Process
  • Onboarding and offboarding procedures


  • Annual SOC 2 compliance testing
  • HIPAA compliant
  • GDPR, CCPA, CPA, and ATIPPA in place
  • GDPR deletion
  • Risk management program
  • NIST CSF internal reviews
  • Data privacy and protection
  • Lawful basis processing
  • Consent and cookies

Global leaders trust Canto with their data

NIHGolden 1 Credit UnionCiscoAlzheimers AssociationIngram Micro

Compliance requirements

Canto never treats security lightly. That’s why HIPAA, privacy law compliance, and risk management are built into the platform and internal processes at Canto.

Data Privacy

Canto is committed to privacy on our platform and to our customers. We provide a high standard of privacy protection for all customers.

GDPR, US Privacy Laws, ATIPPA

Canto abides by global Privacy Laws and all US Privacy Laws. All customers can access the information Canto stores about them. Canto will never collect, use, or sell your information without written permission, nor do we contact our users directly.

The following is a list of all Privacy Laws Canto abides by:

  • GDPR
  • All US Privacy Laws, including CCPA and CPA


Canto offers AICPA SOC 2 Type 2 reports annually to our customers with a valid NDA in place. Canto monitors for SOC 2 compliance on a daily basis.

HIPAA Compliance

All data stored in Canto is secured in accordance with the HIPAA Security Rule, and Canto signs BAAs with any clients that will store ePHI in Canto. Additionally, Canto’s internal policies and security program are continuously reviewed to ensure compliance.

HIPAA-compliance is a shared responsibility. Customers must follow industry standards for SaaS tools and enforce organizational policies to meet HIPAA requirements internally.

Risk Management

Canto conducts annual NIST Assessments on our product and internal processes to identify security gaps and improve our security posture.

A laptop showing the user interface of the Canto DAM system overlaid by a AWS logo with orange elements displayed behind the laptop.

Physical security

Canto proactively checks AWS reports annually as our main vendor and sub-processor. We ensure due diligence to our critical vendors by constantly reviewing and adapting new AWS mechanisms and ensuring that all AWS documentation and contracts are up to date.

All Canto data resides on AWS regions around the US, EU, and Canada. Currently, data is hosted in the following regions:

  • Ireland
  • Germany
  • US West
  • Canada Central
Simplified depiction of the user interface for various user roles and user role rights management in the Canto DAM. Three icons are displayed at the top right and top left sides of the interface to show three different user roles for Canto DAM. All on top of green elements.

Access control

Canto has end-to-end access control management to protect both customer data and employees from threats such as access through privileged credentials. We ensure that data access is provided based on the principle of least privilege, that security posture is maintained through regular access reviews, and access is removed after an employee resigns. In addition, the Canto platform provides granular data access to administrators based on roles and responsibilities.

A laptop showing the Canto interface with images displayed in the library of various individuals. Behind the laptop to the right is an abstract digital illustration in blue and orange with a small blue clock, orange shield, and deep blue checkmark next to four white lines toggled at various intervals illustrating security detection. Also, blue circle elements underneath the laptop.

Threat detection, monitoring, and incident response

Canto includes 24x7 platform monitoring to detect and respond to any suspicious activity. Additionally, Canto’s Incident Response Process is heavily integrated into Engineering and DevOps. All suspicious activity is identified, contained, and eradicated, and process improvements are identified and actioned.

Graphic illustrating the four phases of business continuity. Starting at the top left, a magnifying glass icon in dark red with an arrow pointing and curving up and to the right. On the top is a stopwatch icon in blue with an arrow pointing and curving down and to the right. At the right side is a workflow diagram icon in light red with an arrow pointing and curving down. On the bottom right side is a blue gear icon with a wrench inside the gear and an arrow pointing and curving down and to the left. At the bottom left is a desktop monitor with abstract icons in different colors and a woman next to the monitor working on her laptop. Also, there are small red dot elements on top left and lower right corners surrounding the graphic.

Business continuity and disaster recovery

Canto guarantees 99.8% platform availability in addition to maintaining and testing a BCP and DR on our most critical assets. Canto continuously monitors platform availability and employees are trained in recovery procedures. In the event of a disaster, SLAs are in place for each business-critical function.

An illustration in green of an eye open inside of a green circle with blue transparent elements. An individual is placing a large lock next to the eye on the top right side. There is a green cloud hanging over the eye. There is also a green shield with a checkmark in lower right corner next to the eye. There are also small boxes on curved lines surrounding the eye, and in the lower left is a green tower full of servers. There are green plus elements in the lower left and top right surrounding the graphic.

Organizational security

At Canto, security is a mindset. We provide annual security training about new and existing security risks for all employees and contractors along with quarterly phishing tests. Additionally, our systems provide protection against malware and detect and report on internal threats. We review our security posture annually to determine ways to lower our risk landscape.

Want to see it for yourself?

Book a Canto demo now to see our robust digital asset management platform in action.

Book a Demo