Security at Canvas Envision.

Canvas Envision is SOC 2 Type 2 compliant. The platform is built on defense‑in‑depth principles, with customer data encrypted, isolated, and continuously audited.

Request Security Documentation
Visit the Trust Portal
SOC 2 Type 2
AES‑256 at rest
TLS 1.2+ in transit
SSO: SAML / OIDC
AWS GovCloud

[ Compliance ]

SOC 2 Type 2 today.

[ CURRENT POSTURE ]

Canvas Envision is SOC 2 Type 2 compliant.

Security teams can request the SOC 2 report, security questionnaire responses, and sub‑processor lists through customer success or sales, under NDA.

[ AVAILABLE UNDER NDA ]

What you can request

SOC 2 Type 2 report

Security questionnaire responses

Sub‑processor list

Architecture brief

DPA (covered jurisdictions)

[ Defense in Depth ]

How we operate at every layer.

Security is implemented in six layers, each with its own controls and audited as part of SOC 2.

LAYER 01

Physical & Infrastructure

Cloud provider security with GovCloud variants for regulated workloads, with controls inherited from the underlying cloud provider and additional controls layered on top.

LAYER 02

Network

Encryption in transit (TLS 1.2+), network segmentation, and firewall and access controls.

TLS 1.2+, Segmentation, Firewall

LAYER 03

Application

Authentication (OAuth 2.0, SSO via SAML/OIDC, MFA), authorization (role-based access control), input validation, and secure development practices.

OAuth 2.0, SAML/OIDC, SSO, MFA, RBAC, Secure SDLC

LAYER 04

Data

Encryption at rest (AES-256), key management, data classification, customer data isolation in multi-tenant deployments, and full isolation in single-tenant deployments.

AES-256, Key management, Data isolation

LAYER 05

Operational

Logging, monitoring, incident response, vulnerability management, third-party security testing, and employee security training.

Logging, Monitoring, Incident response, Pen testing

LAYER 06

Governance

SOC 2, internal audit, vendor security review, and customer security commitments.

SOC 2, Internal audit, Vendor review

[ Deployment ]

Deploy where your data lives.

Canvas Envision deploys in the model that fits your security, compliance, and sovereignty requirements.

Standard

Public multi‑tenant SaaS

AWS‑hosted and SOC 2 Type 2.

Isolated

Private single‑tenant

For enterprise customers with strict isolation requirements.

Regulated

GovCloud

Sovereign and regulated workloads.

Classified

On‑premises

High‑security or classified environments.

[ AI Security ]

Direct answers about how AI handles your data.

Enterprise buyers ask about AI data handling more than any other security topic. The answers are below.

Customer production data is not used to train Evie or any underlying AI model.

Customer content is processed at runtime through governed mechanisms. It is not retained for training Evie or any of the underlying foundation models.

Foundation model providers

Evie is an agentic orchestration that uses multiple foundation models under the hood, including Anthropic Claude (via AWS Bedrock) and Google Gemini (via Google Vertex AI). Customer data is never sent directly to Anthropic or Google. All model inference runs through enterprise cloud services with their own contractual data-handling commitments. The orchestration layer picks the best model for each task and continuously optimizes the selection as capabilities and costs evolve. Sub-agents that drive the authoring environment are trained on the Envision Create SDK on top of these foundation models.

Data handling per provider

All foundation-model calls are routed through enterprise cloud services — AWS Bedrock for Anthropic Claude and Google Vertex AI for Google Gemini. Customer data does not leave these managed environments. Encryption in transit to each service. Contractual data-handling commitments at the cloud-provider level. The no-training-on-customer-data commitment applies across all providers.

Sovereign & regulated workloads

GovCloud is available for regulated and sovereign workloads.

AI feature controls

AI capabilities can be configured at the organization level through Admin settings. Individual users cannot disable or override these controls.

[ Shared Responsibility ]

What we do. What you do.

[ Our Side ]

Canvas Envision

We are responsible for the platform itself.

Platform security

Cloud infrastructure

Application security

Encryption (in transit and at rest)

Authentication and authorization mechanisms

Logging and monitoring of platform activity

Incident response for platform security events

Compliance maintenance (SOC 2 audits and additional frameworks as added)

[ Your Side ]

The customer

You are responsible for what runs on top.

User provisioning and de‑provisioning

Role assignments and access reviews

Customer‑built integrations developed on the Envision SDK

Data classification within the customer's content

Configuration of platform features (which AI features are enabled, gadget configurations, etc.)

Customer‑side credential management

[ WHERE WE WORK TOGETHER ]

Sub‑processor changes are communicated proactively. Security questionnaires are answered through customer success and sales, or via the SecureFrame trust portal.

[ FAQs ]

Frequently asked questions.

Need an answer that isn't here? Talk to Security and we'll get you what you need under NDA.

Is Canvas Envision SOC 2 compliant?

Yes. SOC 2 Type 2.

Where can I get a copy of the SOC 2?

Through your customer success or sales contact, under NDA. The SecureFrame trust portal will provide self-serve access.

What other compliance frameworks does Canvas Envision hold?

SOC 2 Type 2 is the current posture. Additional frameworks may be added.

Does Canvas Envision support data residency in specific regions?

Yes. Multi-tenant deployments are AWS-hosted with regional options. Private single-tenant deployments support data residency in customer-specified regions. GovCloud supports sovereign and regulated workloads.

Does Canvas Envision support GovCloud?

GovCloud is available for sovereign and regulated workloads.

Is customer data encrypted at rest and in transit?

Yes. AES-256 at rest. TLS 1.2+ in transit.

How are encryption keys managed?

Industry-standard key management practices. Detailed architecture available under NDA.

Is customer data isolated in multi-tenant deployments?

Yes. Multi-tenant data isolation is enforced at the application and data layers. Single-tenant deployments provide full isolation.

What is your data retention policy?

Customer data is retained per the contractual agreement. On contract termination, customer data is deleted on the timeline specified in the agreement; full export is available before deletion.

Can customers export their data?

Yes. Full export is available.

What is your sub-processor list?

Available through customer success, or via the SecureFrame trust portal.

Does Canvas Envision support SSO?

Yes. SAML and OIDC.

Is MFA required or supported?

Supported. Configurable at the organization level.

How is role-based access control implemented?

Role-based access at the platform level for authoring, viewing, and administrative functions. Named-user permissions in Envision Operator support per-user data tracking and traceability.

Does Canvas Envision conduct third-party penetration testing?

Yes. Frequency disclosed through customer success.

Is there a vulnerability disclosure program?

Yes. Contact security@canvasenvision.com to report a vulnerability.

What is the secure development lifecycle?

Secure development practices include code review, dependency scanning, security testing, and continuous monitoring.

What is the incident response process?

Defined incident response procedures with customer notification commitments per contract. Detailed process available under NDA.

Will Canvas Envision notify customers if there is a security incident affecting their data?

Yes. Notification timeline is per contractual commitment.

What is the business continuity / disaster recovery posture?

Multi-region redundancy on the cloud provider. RTO and RPO commitments available under NDA.

What foundation models does Evie use?

Evie's orchestration uses Anthropic Claude (via AWS Bedrock) and Google Gemini (via Google Vertex AI). Customer data is never sent directly to Anthropic or Google. The orchestration layer picks the best model for each task and continuously optimizes the selection.

Is customer data used to train Evie or any third-party AI models?

No. Customer production data is not used to train Evie or any of the underlying foundation models. This commitment is enforced at the cloud-provider level through AWS Bedrock and Google Vertex AI data-handling agreements.

How does Evie handle customer data when processing AI requests?

All foundation-model calls route through enterprise cloud services — AWS Bedrock for Anthropic Claude, Google Vertex AI for Google Gemini. Customer data does not leave these managed environments and is not sent to model providers directly. Encryption in transit. Contractual data-handling commitments at the cloud-provider level. The no-training-on-customer-data commitment applies across all providers.

Are AI-processed outputs stored, and with what controls?

Yes. Outputs are stored as part of the customer's Envision content and follow the standard data-protection controls (encryption at rest, role-based access, customer data isolation).

Can customers opt out of AI features?

Yes. AI features are configurable at the organization level.

For sovereign or regulated workloads, can Evie operate within a GovCloud or equivalent regulated environment?

Yes. GovCloud is available for sovereign and regulated workloads.

How are Envision SDK API calls authenticated?

OAuth 2.0, service accounts, and API tokens.

How are webhooks secured?

Webhooks are signed; receivers verify signatures before processing.

If a customer builds a custom integration via Envision SDK, who is responsible for its security?

The customer is responsible for the security of customer-built integrations under the shared-responsibility model. Canvas Envision is responsible for the Envision SDK itself and the platform's authentication and authorization.

Is Canvas Envision GDPR / CCPA compliant?

Privacy posture is documented in the Privacy Policy. DPAs are available for customers in covered jurisdictions.

Where is the Privacy Policy / DPA?

Privacy Policy is linked in the footer. DPAs are available through customer success.
