Enterprise-grade security, certified and audited
Your attendee data is protected by the same standards used by banks. ISO 27001 certified, GDPR compliant, and built on world-class infrastructure.
Not just compliant - certified
Canapii holds ISO 27001 certification, the international gold standard for information security management. This is not a self-assessment - it is a rigorous, independently audited certification covering every aspect of how we handle your data.
Our Information Security Management System (ISMS) is continuously monitored and re-audited annually. From access controls to incident response, every process is documented, tested, and verified by accredited auditors.
Your data, your rules
We treat attendee data with the highest level of care. Every piece of information is encrypted, access-controlled, and handled in full compliance with global data protection regulations.
- Full GDPR and UK Data Protection Act compliance with data processing agreements
- Payment processing via Stripe, a PCI-DSS Level 1 certified service provider
- Encryption at rest (AES-256) and in transit (TLS 1.2+)
- Data residency options for EU and APAC regions
- Configurable data retention and deletion policies
Built for reliability at scale
Canapii runs on Amazon Web Services using a serverless architecture, hosted in data centres certified to ISO 27001, PCI-DSS, and SOC standards. Our design ensures high availability with redundancy at every layer.
- AWS serverless with multi-region availability
- 99.9% platform uptime SLA
- Automated daily backups with point-in-time recovery
- Disaster recovery plan with documented RTO and RPO
- Documented incident response procedure
The right people, the right access
Canapii provides granular access controls so you can manage exactly who sees what. Every action is logged, every session is managed, and single sign-on keeps authentication simple and secure.
- Single sign-on (SSO) via SAML 2.0 and OpenID Connect
- Two-factor authentication (2FA) for all accounts
- Role-based access control with customisable permissions
- Full audit logs for all user actions
- Automatic session timeout and device management
Proactive threat protection
Our network security practices are designed to identify and neutralise threats before they reach your data. We combine continuous monitoring with regular independent testing.
- Quarterly penetration testing by independent security firms
- Continuous vulnerability scanning and threat detection
- DDoS protection and mitigation
- Environment segregation between development, staging, and production
Security starts with people
Technical controls are only as strong as the people behind them. Every member of the Canapii team follows strict security practices, from onboarding through to day-to-day operations.
- Least-privilege access - staff can access only what their role requires
- Mandatory security awareness training for all employees
- Secure onboarding and offboarding procedures
- Device security policies and password management standards
- Non-disclosure agreements for all team members
Verified by independent auditors
ISO 27001
Independently audited and certified to the international standard for information security management.
GDPR & UK DPA
Full compliance with EU and UK data protection regulations, including data processing agreements and privacy by design.
PCI-DSS Level 1
Payment processing handled through Stripe, a PCI-DSS Level 1 certified service provider - the highest level of certification.
Cyber Essentials Plus
UK Government-backed certification demonstrating robust cyber security practices across the organisation.
CyberGRX
Third-party risk assessment validated through the CyberGRX exchange, providing transparency to enterprise customers.
Encryption
All data encrypted at rest (AES-256) and in transit (TLS 1.2+). No unencrypted data leaves our systems.
99.9% uptime
Enterprise-grade SLA backed by redundant infrastructure and proactive monitoring around the clock.
Audit logs
Complete audit trail of all platform activity. Know exactly who did what and when, across every event.
Pen testing
Quarterly penetration tests by independent security firms, with findings remediated on a defined timeline.
Trusted partners
We only share data with sub-processors that meet our security standards. Each is reviewed and documented in our data processing agreements.
AWS
Cloud infrastructure - EU hosted
Stripe
Payment processing
Zoom
Virtual event streaming
HubSpot
CRM and marketing
Microsoft 365
Productivity and email
Papertrail
Log management - US hosted
Frequently asked questions
Is Canapii ISO 27001 certified?
Yes. Canapii holds ISO 27001 certification, the international gold standard for information security management. It is not a self-assessment - it is independently audited, and our Information Security Management System is continuously monitored and re-audited annually.
Is Canapii GDPR compliant?
Yes. Canapii offers full GDPR and UK Data Protection Act compliance, including data processing agreements and privacy by design. Attendee data is encrypted and access-controlled, with configurable data retention and deletion policies.
Where is event data hosted, and are there data residency options?
Canapii runs on Amazon Web Services using a serverless architecture in data centres certified to ISO 27001, PCI-DSS, and SOC standards. Data residency options are available for the EU and APAC regions.
How is attendee data encrypted?
All data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher. No unencrypted data leaves Canapii's systems.
What uptime does Canapii guarantee?
Canapii is backed by a 99.9% platform uptime SLA, supported by redundant AWS infrastructure with multi-region availability, automated daily backups with point-in-time recovery, and a documented disaster recovery plan with defined RTO and RPO.
How are payments and access secured?
Payments are processed through Stripe, a PCI-DSS Level 1 certified provider. Access is protected with single sign-on (SAML 2.0 and OpenID Connect), two-factor authentication, role-based access control, full audit logs, and automatic session timeout. Canapii also holds Cyber Essentials Plus and runs quarterly independent penetration tests.
Questions about security?
Our team is ready to walk you through our security posture, share documentation, and answer any compliance questions your procurement team may have.