Privacy Policy

Last updated: June 16, 2026 · Draft

Who we are

Kanonika Inc. (“Kanonika”, “we”) operates the Kanonika Security Execution Platform — software that detects security and compliance issues across hybrid infrastructure, plans remediations, executes approved fixes, verifies them, and records immutable evidence. This policy explains what data we handle and how we protect it, for both the platform and this website.

Information we process

Account & identity: name, work email, role, and organization — provided when an account is created or via your single sign-on (SSO) identity provider.

Customer infrastructure data: security findings, asset and configuration metadata, vulnerability and patch state, remediation plans and history, and audit records — drawn from the sources you connect (e.g. AWS Inspector, Microsoft Defender for Endpoint, GitHub/NVD advisories, AWS Health) and from agents you deploy.

Operational telemetry: agent and service logs, job execution records, and system events needed to run, secure, and support the platform.

Website data: standard server logs and a small number of strictly-necessary cookies (authentication/session and a UI theme preference). We do not use third-party advertising or cross-site tracking.

How we use it

To provide the service — detect, plan, remediate, verify, and prove — and to keep your tenant secure, supported, and operating correctly.

To maintain auditability: changes and decisions are written to a tamper-evident ledger so you (and your auditors) have a verifiable record.

To improve reliability and the product in aggregate. We process the minimum necessary for each purpose.

Your data and our role

For account and identity data, Kanonika decides how it is handled. For the infrastructure data you bring into the platform, your organization decides what is collected and how it is used — Kanonika processes it on your organization's behalf and on its instructions.

What we don't do

We do not sell personal information.

Kanonika does not use your data to train AI models.

Your tenant's data is isolated from other customers' by design.

Service providers (sub-processors)

Amazon Web Services — cloud hosting and data storage, in the United States (US West / Oregon, us-west-2).

Neon — managed PostgreSQL database for the platform portal (account, organization, and finding records).

Anthropic — large-language-model processing (via its commercial API) for remediation planning and natural-language features.

Sources you connect (e.g. Microsoft Defender) remain under your control and your agreements with those providers. We share data with sub-processors only as needed to deliver the service.

How we protect it

Encryption at rest (AES-256 via AWS KMS, per-service keys with rotation) and in transit (TLS 1.3 on a mutually-authenticated control channel). Tenant-scoped access with role-based controls, signed-and-verified remediation actions, and an immutable evidence ledger. See our Security page for the current controls.

Retention & deletion

We retain data for as long as your account is active and as needed to provide the service.

Audit-ledger evidence is written to immutable (WORM) storage for up to 7 years to support compliance — by design it cannot be altered or deleted during that period. The ledger records infrastructure and remediation evidence, not marketing profiles.

When you ask us to delete your personal information, we do so to the extent technically and legally possible. We cannot remove records held in the immutable audit ledger until their retention period ends.

Where your data is processed

Kanonika operates from Canada. The platform and its data are stored and processed in the United States — Amazon Web Services (US West / Oregon, us-west-2) and Neon (managed PostgreSQL).

Using the service therefore involves transferring data from Canada to the United States. We do not currently target or operate in other regions; if that changes, we will update this policy and the safeguards it describes.

Your choices and rights

Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), you may ask to access the personal information we hold about you and to have it corrected, and you may withdraw consent, subject to legal and contractual limits. To make a request, contact us below; we respond as PIPEDA requires.

For infrastructure data, please contact your organization (our customer) — it directs how that data is handled.

Changes to this policy

We'll update this policy as the platform evolves and post the revised version here with a new effective date. Material changes will be communicated to account administrators.

Contact & accountability

Kanonika has a designated contact accountable for privacy. Questions, access or correction requests, or to report a concern: privacy@kanonika.io — Kanonika Inc., Alberta, Canada.

If a breach of security safeguards creates a real risk of significant harm, we will notify affected individuals and the Office of the Privacy Commissioner of Canada, and keep records of breaches, as PIPEDA requires.