We have a dedicated security team that assists with customer security questions as well as ensuring the business remains ISO27001 compliant. They also coordinate third party penetration tests so the platform remains secure.

ISO27001 certified

Flourish is certified to the internationally recognized info-security standard ISO27001 by the British Standards Institute.

Encryption

We keep visualizations secure in transit and at rest. In transit, visualizations are only accessible via TLS/SSL and at rest, visualizations are encrypted with AES256.

Staged releases

We only release software after qualifying it in development and staging environments

Data security

Our people and systems can only access the data they need to do their job and we store your projects with cloud providers who have top-tier physical security controls.

Secure development practice

We peer review and test our code prior to release, including manual and automated checks for security issues.

Hosted by AWS

Our cloud service provider is Amazon Web Service (AWS). Customer Projects are primarily hosted in the EEA.

Our Enterprise plan offers powerful security features, including:

Password policies

Set your own password policy, eg. required combinations of character types.

Enforce two-factor authentication<

Make sure everyone in your team is using 2FA.

Approval policies

Determine who, if anyone, can publish and whether they need approval.

Session duration control

Specify the expiry time for user's session cookies across your company.

InfoSec vendor process

Access to our InfoSec team and Whistic profile.

SSO

Manage your users via SAML-based SSO.

Frequently asked questions

Unpublished projects are only ever visible to you or your colleagues unless you specifically publish them publicly. On an Enterprise account, you can also choose to publish behind a password and even restrict who, if anyone, is allowed to publish via approval workflows.



Flourish is ISO27001-certified. This certification means that, as an organization, we have the people, processes and systems in place to effectively identify, assess, treat and monitor our information security risks. It means that we aim to have security built into every facet of our operations, and that we strive to improve our security posture through a process of continuous improvement.



The Security for the Flourish product is maintained by the the Security team of our parent company, Canva.

Our scope includes governance, risk & compliance, security operations and incident response, cloud and application security. There is dedicated Information Security staff in the UK.



Yes. Our ISO27001 certification requires us to have annual external audits of our information security management system and security controls.



We conduct penetration testing on at least a yearly basis, including both white-box and black-box testing. The respective engagements can be ran either by an external third-party, or Canva’s own red team.

We have also partnered with BugCrowd to run a public bug bounty program, providing continuous crowdsourced security testing. Please feel free to let us know of any bugs you encounter by emailing us at security@flourish.studio.



Flourish platform is hosted in the cloud in an encrypted database. All customer Projects are hosted by AWS and primarily stored within the EEA in Dublin, Ireland.

Our systems are only accessible by people and services who need it, using the principle of least privilege. The Flourish database is encrypted using AES256 which means that your data is unreadable by someone with access to our AWS environment.



Flourish is registered with the ICO in the UK but has users in many countries that each have their own laws about data privacy and security.

Our legal team continually monitors the evolving regulatory landscape to identify changes and determine what action Flourish needs to take to uphold our obligations in each jurisdiction.

To find out more, please read our Privacy Policy.




More resources