Security at Canvas Cloud AI

Last updated: January 2026

Our Commitment to Security

Canvas Cloud AI is built with security as a foundational principle. We design our platform to protect customer data, credentials, and cloud infrastructure while enabling hands-on learning through real deployments.

We follow industry best practices to ensure confidentiality, integrity, and availability across our systems.

Cloud Credential Security

Secure Credential Handling

Customer cloud provider credentials (AWS, Azure, GCP, Oracle Cloud) are:

  • Encrypted using AES-256-GCM — industry-standard authenticated encryption
  • Stored securely at rest — with additional key derivation protections
  • Accessed only when required — to perform authorized deployment operations initiated by the user

Credentials are never exposed to users, logs, or third parties.

No Credential Leakage

  • Credentials are never embedded in generated Terraform code
  • Credentials are never included in exports, logs, or downloadable files
  • All deployment operations use server-side execution with strict access controls

Infrastructure Deployment Safety

Customer-Owned Cloud Accounts

All deployed infrastructure runs entirely within your own cloud provider accounts.

Canvas Cloud AI:

  • Designs and orchestrates deployments
  • Does not host or own your deployed infrastructure
  • Does not retain control after deployment execution

This ensures:

  • Full ownership of resources
  • Full visibility in your cloud console
  • No vendor lock-in

Customers are responsible for configuring, monitoring, and managing resources within their own cloud accounts after deployment.

Encryption & Data Protection

  • Data at rest is encrypted using industry-standard encryption
  • Data in transit is protected using TLS
  • Sensitive secrets are stored separately from application data

Access to production systems is restricted and audited.

User-generated architecture descriptions may be processed by third-party services without personal identifiers.

Least-Privilege & Access Controls

Canvas Cloud AI follows the principle of least privilege:

  • Internal systems and services have only the permissions required to function
  • Deployment actions are scoped to user-authorized operations
  • Administrative access is restricted to essential personnel

Secure Deployment Lifecycle

Learn-and-Destroy Model

Canvas Cloud AI is designed for safe learning:

  • Deploy infrastructure
  • Explore and learn
  • Tear down resources when finished

Our Deletion Manager helps users quickly remove deployed resources to:

  • Reduce risk
  • Avoid unexpected costs
  • Maintain clean cloud environments

Billing & Payment Security

All payments are processed securely via Stripe, a PCI-compliant payment processor.

Canvas Cloud AI:

  • Does not store credit card numbers
  • Does not have access to full payment details
  • Relies on Stripe's secure infrastructure for billing operations

Monitoring & Reliability

We actively monitor our systems to:

  • Detect errors or abnormal behavior
  • Maintain platform availability
  • Respond quickly to operational issues

Backups and redundancy are used where appropriate to support reliability.

Responsible Disclosure

We welcome responsible disclosure of security issues.

If you believe you've discovered a vulnerability, please contact us at:

security@canvascloud.ai

We take security reports seriously and will investigate promptly.

Enterprise & Compliance Readiness

Canvas Cloud AI is built with enterprise requirements in mind. As the platform grows, we plan to continue strengthening our security posture, documentation, and compliance capabilities.

If you have enterprise-specific security questions or requirements, please contact us to discuss further.

Questions?

For additional security or compliance inquiries, please contact:

support@canvascloud.ai