At Canua we take the security and privacy of your data very seriously. We don't take this stuff lightly. We know that you're putting a lot of trust and faith in us by connecting your accounts, assets, and liabilities to Canua and it's our job to protect that data with the utmost care and respect.

In this article, we'll go through how we think about keeping your data secure and what we do and don't have access to. As always, if you have further questions, please don't hesitate to reach out via the messenger at the bottom of the page or via email at contact@canua.com.

Canua only has access to the data that you explicitly connect or add to the app. We don't currently run any sort of external checks or data enrichment to pull in extra data about you or your accounts.

When you connect data to Canua we have "read-only" access to that data. Meaning that you're giving us permission to see your data but not to move your money or make any changes to the accounts that you connect.

We're in the business of providing a service to our customers and charging a fair price for that service. We don't sell your data and don't ever plan on doing so in the future. In fact, we explicitly designed the company around a subscription model so that we wouldn't have to sell your data to 3rd parties (e.g. credit card companies) like other services out there (Yes, I'm looking at you Mint. 🤨).

A good rule of thumb to remember: If you're not paying for a product or service then you're not the customer; you're the product being sold somewhere else.

There are several ways that we work to keep the data you connected to Canua safe. For security reasons, we won't go into detail on everything that we do (better to keep the bad guys guessing), but this high-level overview should give you a good idea of how serious we are about security.

When your data travels between our servers and your browser it is encrypted with transport layer security (TLS) technology. This makes it extremely difficult for hackers to get between us and figure out what is being sent.

This is a standard feature of the modern internet. In other words, it's not that special or hard to do so if you see a service that only offers this level of encryption, you should know that it's not much.

When your data is sitting in our database it is also encrypted using the AES-256 encryption algorithm. This is a very secure way of encrypting data; in fact, it would take billions of years to crack using current computing technology.

Our entire database is encrypted at rest. This means that even if a hacker got access to the database, they wouldn't be able to read the contents without the key.

In addition to encrypting our entire database, we also encrypt specific pieces of sensitive data with a separate encryption key. This is akin to locking that data inside a safe that itself is locked inside a larger safe. In this way, even if a hacker got access to the key and could read our main database, they would run into data encrypted with a different key within the database, making those sensitive fields look like gibberish to them.

We will never ask you for non-public information about your accounts via email or messenger. The only time you will need to use your account details is when you're connecting your accounts to Canua. This process is handled securely by Plaid (for US and Canadian accounts) and Yapily (for UK and EU accounts). You can find out more about how we connect to your accounts here.

Most successful hacks these days are not a result of hackers breaking algorithms but a result of hackers tricking humans. Social engineering attacks are "the psychological manipulation of people into performing actions or divulging confidential information". Phishing is an example of a social engineering attack. Here are a few tips that can help you keep your data safe, both on Canua and more generally.