Security and privacy at Candu

Candu is committed to the highest standards of security while managing your customer data.

why candu?

Why Candu?

Built for scale

Candu is deployed over AWS, and high throughput data processing code is hosted using AWS Lambda to ensure the highest availability and scalability levels.

Highly performant

Candu uses CDNs hosted by S3 and Cloudflare to publish content to the frontend. CDNs allow us to maximize upload speeds so that Candu content loads along with the other components in your application.


The Candu SDK is installed within your application to provide dynamic segmentation and user analytics and to render the UI. Our SDK is engineered to handle multiple failure points. You can read more about the SDK API here.

Growflow logo
Gorgias logo
Thought Industries logo
Launch Darkly logo
career plug logo
integromat logo


Brand control
and style guide

Match your brand’s fonts, colors, and more.

access controls

Control who does what with separation of privileges.


Facilitate collaboration between teams with a single account.


Seamless integrations mean Candu fits right into your product stack.

and analytics

Powerful analytics show you what’s working and what needs improvement.


We follow industry-standard end-to-end encryption methods and use best-in-class vendors for cloud and application security.


We take your privacy seriously!
For details on how we protect your personal information, view our Privacy Statement.

and support

Responsive technical support and guaranteed SLAs keep you up and running.

HOW it works


How it works diagramHow it works diagram


GDPR badge


With data protection and privacy built into everything we do, Candu is fully GDPR-compliant. We meet stringent international security standards, and we undertake comprehensive audits of our policies, networks, and systems to keep your information secure.

Our Terms of Use, Privacy Policy, and Processing Addendum (DPA) are up to date and reflect our GDPR readiness.

GDPR badge
SOC 2 badge

Security & compliance credentials

Candu does not require any personally identifiable information (PII) to be passed to the service, nor do we actively collect any PII from our customers.

In accordance with GDPR practices, Candu will delete all of your customer data and will provide an export of customer data in JSON format within 30 days of receiving a written request.

Candu is SOC 2-compliant and received certification in July 2021.

SOC 2 badge

Frequently asked questions

Where and how does Candu store data?

Every aspect of the Candu application is encrypted. Our servers enforce HTTPS protocol by using TSL 1.2. Internally, our servers communicate exclusively using HTTPS.

Our data is stored entirely on Amazon Web Services (AWS) using the Advanced Encryption Standard (AES). Any server-side secret is stored and accessed via AWS Key Management Service. We rotate sensitive keys and expire critical keys.

All backups are encrypted and stored using AES-256 in secure cloud locations within the EU.

Does Candu collect any personally identifying information?

No. Candu does not require any personally identifiable information (PII) to be passed to the service, nor do we actively collect any PII from our customers.

Candu also gives you fine control of all the analytics that you send to our servers. You can use your eventing libraries to customize exactly which information we receive, so you can be confident we are only tracking information that you want to share.

What are your business continuity plans in case of a service issue?

All components (e.g., Content, Segments) in the SDK are wrapped with error boundaries to prevent JavaScript-related errors from propagating outside the Candu SDK and impacting our clients. If the error boundaries receive any errors, those are logged in the Candu tracking system.

If Candu encounters a JavaScript error in customer code, or if an error happens anywhere in the Candu SDK, those errors are logged in the Candu tracking system for immediate review. If for any reason there is an undetected error, Candu automatically drops rendering and will not display any content in order to protect page performance.

What SLAs does Candu support?

At Candu, we take our SLA and partner operations extremely seriously. We strive to maintain a 99.9% SLA in all of our APIs and frontend assets.

SLA monitoring is done through third-party integration monitoring. We currently ping 10+ APIs for uptime, as well as other critical aspects of our infrastructure that we use to provide these services.

All the tests are performed from seven different locations around the world (Canada Central, Ohio, Oregon, Sydney, Tokyo, Frankfurt, London) to ensure we maintain availability within and throughout different regions.
All critical integration tests are performed each minute.

If any alerts were to fail, our team would be notified immediately, as outlined in our escalation policy.

Does Candu content affect page performance?

Improving page performance is critical to any product, and we measure ourselves by the same standard as internal libraries used by any development team. The Candu SDK is designed to minimize the performance impact of installing it on any page, and we are continually working to increase its performance.

More questions? Contact our Security team.

Contact Now

Go your own way

Pick a template, or build from scratch. We’ve got you covered!

Get Started for Free
Or Schedule a Demo