At Canua we take the security and privacy of your data very seriously. We don't take this stuff lightly. We know that you're putting a lot of trust and faith in us by connecting your accounts, assets, and liabilities to Canua, and it's our job to protect that data with the utmost care and respect.
In this article, we'll go through how we think about keeping your data secure and what we do and don't have access to. As always, if you have further questions, please don't hesitate to reach out via the messenger at the bottom of the page or via email at firstname.lastname@example.org.
What data does Canua have access to?
Canua only has access to the data that you explicitly connect or add to the app. We don't currently run any sort of external checks or data enrichment to pull in extra data about you or your accounts.
When you connect data to Canua, we have "read-only" access to that data, meaning that you're giving us permission to see your data but not to move your money or make any changes to the accounts that you connect.
We don't sell your data
We're in the business of providing a service to our customers and charging a fair price for that service. We don't sell your data and don't ever plan on doing so in the future. In fact, we explicitly designed the company around a subscription model so that we wouldn't have to sell your data to 3rd parties (e.g. credit card companies) like other services out there (Yes, I'm looking at you Mint. 🤨).
A good rule of thumb to remember: If you're not paying for a product or service then you're not the customer; you're the product being sold somewhere else.
What we do to keep your data safe
There are several ways that we work to keep the data you connected to Canua safe. For security reasons, we won't go into detail on everything that we do (better to keep the bad guys guessing), but this high-level overview should give you a good idea of how serious we are about security.
Encryption in transit
When your data travels between our servers and your browser it is encrypted with transport layer security (TLS) technology. This makes it extremely difficult for hackers to get between us and figure out what is being sent.
This is a standard feature of the modern internet. In other words, it's not that special or hard to do, so if you see a service that only offers this level of encryption, you should know that it's not much.
Encryption at rest
When your data is sitting in our database it is also encrypted using the AES-256 encryption algorithm. This is a very secure way of encrypting data; in fact, it would take billions of years to crack using current computing technology.
Our entire database is encrypted at rest. This means that even if a hacker got access to the database, they wouldn't be able to read the contents without the key.
Encryption of sensitive fields
In addition to encrypting our entire database, we also encrypt specific pieces of sensitive data with a separate encryption key. This is akin to locking that data inside a safe that itself is locked inside a larger safe. In this way, even if a hacker got access to the key and could read our main database, they would run into data encrypted with a different key within the database, making those sensitive fields look like gibberish to them.
Canua will never ask for your financial details
We will never ask you for non-public information about your accounts via email or messenger. The only time you will need to use your account details is when you're connecting your accounts to Canua. This process is handled securely by Plaid (for US and Canadian accounts) and Yapily (for UK and EU accounts). You can find out more about how we connect to your accounts here.
Tips to help you stay safe
Most successful hacks these days are not a result of hackers breaking algorithms but a result of hackers tricking humans. Social engineering attacks are "the psychological manipulation of people into performing actions or divulging confidential information". Phishing is an example of a social engineering attack. Here are a few tips that can help you keep your data safe, both on Canua and more generally.
Use a password manager like 1Password to generate unique passwords for every service you use.
Turn on two-factor authentication everywhere. 1Password has a really nice built-in way to manage the 2FA codes for you. Turning on 2FA is especially important for your Google account since that serves as your login for Canua as well.
Check links in emails carefully before following them. Phishing scams often try to use official-looking emails but then send you to malicious websites.