Security and privacy at Candu

Candu is committed to the highest standards of security while managing your customer data.

why candu?

Why Candu?

Built for scale

Candu is deployed over AWS, and high throughput data processing code is hosted using AWS Lambda to ensure the highest availability and scalability levels.

Highly performant

Candu uses CDNs hosted by S3 and Cloudflare to publish content to the frontend. CDNs allow us to maximize upload speeds so that Candu content loads along with the other components in your application.


The Candu SDK is installed within your application to provide dynamic segmentation and user analytics and to render the UI. Our SDK is engineered to handle multiple failure points. You can read more about the SDK API here.

Thought Industries logo

Enterprise-ready security

Data encryption

We use industry-standard end-to-end encryption methods. All customer data is encrypted in transit and is only accessible via TLS/SSL and at rest with AES256.

access controls

Set permissions and access controls for your Candu users based on specific roles and privileges within your organization.

Data security

Candu limits data access using a least privilege principle, encrypts all passwords & tokens and uses best-in-class vendors for cloud and application security.

Incident response

Candu maintains strict protocols for handling security events including escalation procedures, rapid response & mitigation and post mortem.

Data Segregation & PII

Customer data is logically separated from each other and personally identifiable information is not required to use Candu.

Uptime & reliability

Candu is committed to maintaining a 99.9% SLA to ensure all customers have uninterrupted uptime.


We take your privacy seriously!
For details on how we protect your personal information, view our Privacy Statement.

Staged SDK releases

Candu only release updates to our CDN SDK after thorough testing in staging environments and stagger releases to our customer base.

HOW it works


How it works diagramHow it works diagram


GDPR badge


With data protection and privacy built into everything we do, Candu is fully GDPR-compliant. We meet stringent international security standards, and we undertake comprehensive audits of our policies, networks, and systems to keep your information secure.

Our Terms of Use, Privacy Policy, and Processing Addendum (DPA) are up to date and reflect our GDPR readiness.

GDPR badge
SOC 2 badge

Security & compliance credentials

Candu does not require any personally identifiable information (PII) to be passed to the service, nor do we actively collect any PII from our customers.

In accordance with GDPR practices, Candu will delete all of your customer data and will provide an export of customer data in JSON format within 30 days of receiving a written request.

Candu is SOC 2® compliant and received certification in August 2022.


Frequently asked questions

Where and how does Candu store data?

Every aspect of the Candu application is encrypted. Our servers enforce HTTPS protocol by using TSL 1.2. Internally, our servers communicate exclusively using HTTPS.

Our data is stored entirely on Amazon Web Services (AWS) using the Advanced Encryption Standard (AES). Any server-side secret is stored and accessed via AWS Key Management Service. We rotate sensitive keys and expire critical keys.

All backups are encrypted and stored using AES-256 in secure cloud locations within the EU.

Does Candu collect any personally identifying information?

No. Candu does not require any personally identifiable information (PII) to be passed to the service, nor do we actively collect any PII from our customers.

Candu also gives you fine control of all the analytics that you send to our servers. You can use your eventing libraries to customize exactly which information we receive, so you can be confident we are only tracking information that you want to share.

Identify verification can be enabled to ensure data integrity for any information you do choose to send to Candu.

What are your business continuity plans in case of a service issue?

All components (e.g., Content, Segments) in the SDK are wrapped with error boundaries to prevent JavaScript-related errors from propagating outside the Candu SDK and impacting our clients. If the error boundaries receive any errors, those are logged in the Candu tracking system.

If Candu encounters a JavaScript error in customer code, or if an error happens anywhere in the Candu SDK, those errors are logged in the Candu tracking system for immediate review. If for any reason there is an undetected error, Candu automatically drops rendering and will not display any content in order to protect page performance.

What SLAs does Candu support?

At Candu, we take our SLA and partner operations extremely seriously. We strive to maintain a 99.9% SLA in all of our APIs and frontend assets.

SLA monitoring is done through third-party integration monitoring. We currently ping 10+ APIs for uptime, as well as other critical aspects of our infrastructure that we use to provide these services.

All the tests are performed from seven different locations around the world (Canada Central, Ohio, Oregon, Sydney, Tokyo, Frankfurt, London) to ensure we maintain availability within and throughout different regions.
All critical integration tests are performed each minute.

If any alerts were to fail, our team would be notified immediately, as outlined in our escalation policy.

Does Candu content affect page performance?

Improving page performance is critical to any product, and we measure ourselves by the same standard as internal libraries used by any development team. The Candu SDK is designed to minimize the performance impact of installing it on any page, and we are continually working to increase its performance.

Does Candu conduct security audits?

Yes Candu engages third-party security experts on an annual basis to perform a detailed penetration test on the Candu application and infrastructure.

Does Candu have an Information Security Policy (ISP)?

Candu maintains a robust ISP that is trained out to all new personnel during onboarding and all current employees attend an annual training session.

Is Data encrypted?

All data hosted by Candu is encrypted and stored within AWS.

Once we have installed Candu, can I control when we update the Candu SDK?

We allow customers to control their own updates to allow for internal testing protocols to be carried out. We can discuss this with you during installation.

More questions? Contact our Security team.

Contact Now

Turn your ideas into UX today

Get a custom walkthrough of Candu

Request free trial