Canvas Envision is SOC 2 Type 2 compliant. The platform is built on defense‑in‑depth principles, with customer data encrypted, isolated, and continuously audited.

Security teams can request the SOC 2 report, security questionnaire responses, and sub‑processor lists through customer success or sales, under NDA.
SOC 2 Type 2 report
Security questionnaire responses
Sub‑processor list
Architecture brief
DPA (covered jurisdictions)
Security is implemented in six layers, each with its own controls and audited as part of SOC 2.
Cloud provider security with GovCloud variants for regulated workloads, with controls inherited from the underlying cloud provider and additional controls layered on top.
Encryption in transit (TLS 1.2+), network segmentation, and firewall and access controls.
Authentication (OAuth 2.0, SSO via SAML/OIDC, MFA), authorization (role-based access control), input validation, and secure development practices.
Encryption at rest (AES-256), key management, data classification, customer data isolation in multi-tenant deployments, and full isolation in single-tenant deployments.
Logging, monitoring, incident response, vulnerability management, third-party security testing, and employee security training.
SOC 2, internal audit, vendor security review, and customer security commitments.
Canvas Envision deploys in the model that fits your security, compliance, and sovereignty requirements.
AWS‑hosted and SOC 2 Type 2.
For enterprise customers with strict isolation requirements.
Sovereign and regulated workloads.
High‑security or classified environments.
Enterprise buyers ask about AI data handling more than any other security topic. The answers are below.
Customer content is processed at runtime through governed mechanisms. It is not retained for training Evie or any of the underlying foundation models.
Evie is an agentic orchestration that uses multiple foundation models under the hood, including Anthropic Claude (via AWS Bedrock) and Google Gemini (via Google Vertex AI). Customer data is never sent directly to Anthropic or Google. All model inference runs through enterprise cloud services with their own contractual data-handling commitments. The orchestration layer picks the best model for each task and continuously optimizes the selection as capabilities and costs evolve. Sub-agents that drive the authoring environment are trained on the Envision Create SDK on top of these foundation models.
All foundation-model calls are routed through enterprise cloud services — AWS Bedrock for Anthropic Claude and Google Vertex AI for Google Gemini. Customer data does not leave these managed environments. Encryption in transit to each service. Contractual data-handling commitments at the cloud-provider level. The no-training-on-customer-data commitment applies across all providers.
GovCloud is available for regulated and sovereign workloads.
AI capabilities can be configured at the organization level through Admin settings. Individual users cannot disable or override these controls.
Need an answer that isn't here? Talk to Security and we'll get you what you need under NDA.
Yes. SOC 2 Type 2.
Through your customer success or sales contact, under NDA. The SecureFrame trust portal will provide self-serve access.
SOC 2 Type 2 is the current posture. Additional frameworks may be added.
Yes. Multi-tenant deployments are AWS-hosted with regional options. Private single-tenant deployments support data residency in customer-specified regions. GovCloud supports sovereign and regulated workloads.
GovCloud is available for sovereign and regulated workloads.
Yes. AES-256 at rest. TLS 1.2+ in transit.
Industry-standard key management practices. Detailed architecture available under NDA.
Yes. Multi-tenant data isolation is enforced at the application and data layers. Single-tenant deployments provide full isolation.
Customer data is retained per the contractual agreement. On contract termination, customer data is deleted on the timeline specified in the agreement; full export is available before deletion.
Yes. Full export is available.
Available through customer success, or via the SecureFrame trust portal.
Yes. SAML and OIDC.
Supported. Configurable at the organization level.
Role-based access at the platform level for authoring, viewing, and administrative functions. Named-user permissions in Envision Operator support per-user data tracking and traceability.
Yes. Frequency disclosed through customer success.
Yes. Contact security@canvasenvision.com to report a vulnerability.
Secure development practices include code review, dependency scanning, security testing, and continuous monitoring.
Defined incident response procedures with customer notification commitments per contract. Detailed process available under NDA.
Yes. Notification timeline is per contractual commitment.
Multi-region redundancy on the cloud provider. RTO and RPO commitments available under NDA.
Evie's orchestration uses Anthropic Claude (via AWS Bedrock) and Google Gemini (via Google Vertex AI). Customer data is never sent directly to Anthropic or Google. The orchestration layer picks the best model for each task and continuously optimizes the selection.
No. Customer production data is not used to train Evie or any of the underlying foundation models. This commitment is enforced at the cloud-provider level through AWS Bedrock and Google Vertex AI data-handling agreements.
All foundation-model calls route through enterprise cloud services — AWS Bedrock for Anthropic Claude, Google Vertex AI for Google Gemini. Customer data does not leave these managed environments and is not sent to model providers directly. Encryption in transit. Contractual data-handling commitments at the cloud-provider level. The no-training-on-customer-data commitment applies across all providers.
Yes. Outputs are stored as part of the customer's Envision content and follow the standard data-protection controls (encryption at rest, role-based access, customer data isolation).
Yes. AI features are configurable at the organization level.
Yes. GovCloud is available for sovereign and regulated workloads.
OAuth 2.0, service accounts, and API tokens.
Webhooks are signed; receivers verify signatures before processing.
The customer is responsible for the security of customer-built integrations under the shared-responsibility model. Canvas Envision is responsible for the Envision SDK itself and the platform's authentication and authorization.
Privacy posture is documented in the Privacy Policy. DPAs are available for customers in covered jurisdictions.
Privacy Policy is linked in the footer. DPAs are available through customer success.
