
Security and Compliance Architecture

Kycanvas processes identity documents and personal data on behalf of our customers. Here is exactly how we handle it.

How we handle identity data

Kycanvas processes identity documents and personal data as a data processor on behalf of fintech customers — not as a data controller selling data or using it for independent purposes. The identity data your customers submit belongs to your customers and to you. We treat this responsibility seriously.

Encryption at rest

All identity documents and personal data are encrypted at rest using AES-256. Keys are held in a dedicated key management system and rotated on a defined schedule. Personal data is never written to persistent storage in plaintext.

TLS 1.3 in transit

All data in transit is protected by TLS 1.3; older TLS versions are disabled rather than merely deprioritized. Certificates are issued and renewed automatically.

Document deletion policy

Identity documents are processed and then deleted according to the retention policy you configure. No document is kept longer than your compliance program requires. The default policy is: document images are deleted as soon as verification completes; the structured data extracted from them is retained for the period set in your retention configuration.

Role-based access controls

Role-based access control is enforced across all Kycanvas systems, and production access is limited to authorized personnel. Every access is logged and reviewed on a regular basis. SSO integration for enterprise customers is on the roadmap.

Audit log

Every verification decision, AML screening event, monitoring alert, and administrative action is logged with a timestamp as an immutable record. The full audit log can be exported for compliance program documentation and regulatory examination.
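When an audit log is exported for an examiner, the question that matters is whether anyone could have altered, dropped or reordered entries after the fact. The following is an added illustrative example, not Kycanvas code and not a description of how Kycanvas stores its log: it shows one common way to make an exported log tamper-evident by hash-chaining each entry to its predecessor and signing the chain head at export time. The event names, actor and subject fields, and the sample events are constructed for the illustration.

```python
"""Tamper-evident (hash-chained) audit log: added example, not Kycanvas code.

Each entry stores the hash of the previous entry; verify_chain() walks the
export and reports the first entry whose chain link or hash no longer matches,
which catches edits, deletions and reordering. sign_export() produces an HMAC
over the final chain head as a checkpoint the exporter can hand to a reviewer.
"""
import copy
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # stands in for "the hash before the first entry"
CHAINED_FIELDS = ("seq", "ts", "record", "prev")  # fields covered by the hash


def _canonical(obj: dict) -> bytes:
    # Deterministic serialisation: key order must not change the hash.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _entry_hash(prev_hash: str, entry: dict) -> str:
    body = {k: entry[k] for k in CHAINED_FIELDS}
    return hashlib.sha256(prev_hash.encode() + _canonical(body)).hexdigest()


def append_entry(log: List[dict], record: dict, ts: Optional[str] = None) -> dict:
    """Append a record, linking it to the hash of the current last entry."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {
        "seq": len(log),
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "record": record,
        "prev": prev,
    }
    entry["hash"] = _entry_hash(prev, entry)
    log.append(entry)
    return entry


def verify_chain(log: List[dict]) -> Tuple[bool, Optional[int]]:
    """Return (ok, index of first bad entry). ok=True means the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        # Sequence and back-link checks catch deletion and reordering even
        # when every individual entry hash is internally consistent.
        if entry.get("seq") != i or entry.get("prev") != prev:
            return False, i
        if not hmac.compare_digest(_entry_hash(prev, entry), entry.get("hash", "")):
            return False, i
        prev = entry["hash"]
    return True, None


def sign_export(log: List[dict], key: bytes) -> str:
    """HMAC over the chain head; a reviewer with the key can check the export."""
    head = log[-1]["hash"] if log else GENESIS
    return hmac.new(key, head.encode(), hashlib.sha256).hexdigest()


def build_sample_log() -> List[dict]:
    """Constructed sample events with fixed timestamps (not real data)."""
    log: List[dict] = []
    append_entry(log, {"event": "verification.decision", "actor": "system",
                       "subject": "applicant-1001", "decision": "approved"},
                 "2024-05-01T10:00:00+00:00")
    append_entry(log, {"event": "aml.screening", "actor": "system",
                       "subject": "applicant-1002", "decision": "declined"},
                 "2024-05-01T10:00:05+00:00")
    append_entry(log, {"event": "admin.retention_policy_changed", "actor": "ops-user",
                       "subject": "tenant-42", "days": 90},
                 "2024-05-01T10:01:00+00:00")
    return log


def demo_tamper() -> Tuple[bool, bool, Optional[int], bool, Optional[int]]:
    """Show that a flipped decision and a removed entry are both detected."""
    log = build_sample_log()
    ok_clean, _ = verify_chain(log)

    edited = copy.deepcopy(log)
    edited[1]["record"]["decision"] = "approved"      # flip a declined decision
    ok_edit, bad_edit = verify_chain(edited)

    trimmed = log[:1] + log[2:]                       # drop the second entry
    ok_del, bad_del = verify_chain(trimmed)
    return ok_clean, ok_edit, bad_edit, ok_del, bad_del


if __name__ == "__main__":
    print(demo_tamper())  # (True, False, 1, False, 1)
```

The chain only proves integrity relative to a trusted head: whoever can rewrite every subsequent entry can forge a consistent chain, so the exported head (or its HMAC) should be delivered to the reviewer over a separate channel, or anchored in a write-once store, at the time of export.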

SOC 2 Type II — in progress

SOC 2 Type II audit is planned and in preparation. No SOC 2 certification is currently claimed. This section will be updated when certification is achieved. We believe in transparency over premature certification claims.

What Kycanvas is — and is not

Kycanvas software provides tools to automate parts of your KYC and AML compliance program. Kycanvas does not provide legal, regulatory, or compliance advice, and use of Kycanvas does not constitute certification of compliance with BSA, AML, KYC, OFAC, FinCEN, or any other regulatory requirement. Your organization remains responsible for its compliance program and must maintain a qualified BSA/AML Officer as required by applicable law.

This disclaimer is not boilerplate. It reflects the actual regulatory structure: a software vendor providing KYC/AML tools cannot certify a financial institution's compliance with BSA/AML/OFAC requirements — that responsibility lies with the institution and its designated compliance officer. Kycanvas is designed to support your program, not to replace your program officer or your regulatory obligations.

Responsible disclosure

If you discover a security vulnerability in Kycanvas systems, please report it to our security team. We review all reports and respond within 48 hours. We do not take legal action against researchers who responsibly disclose vulnerabilities.

[email protected]

Security questions? Talk to our team.

We are happy to answer security and data handling questions before you start a pilot.
