Deployed across multiple AWS availability zones with automatic fail-over and scale-out—delivering consistent performance and 99.9 % uptime under any load.
Content is served from Cloudflare + S3 CDNs so it loads in parallel with your own assets—no blocking requests, no layout shift.
The Candu SDK fails open: if our service is unreachable, your page still renders and records zero blocking errors.
Encryption
TLS 1.3 in transit; AES-256 at rest with daily encrypted backups.
Role-based access controls
Fine-grained roles and SSO/SAML support.
Least-privilege model
Production data accessible only to on-call engineers.
Incident response
24×7 monitoring, <30-minute pager duty, and post-mortems shared on request.
Data segregation
Tenant data is logically isolated by Account ID; per-tenant AES-256 keys in AWS KMS keep every workspace cryptographically separate.
Uptime
99.9 % SLA, independently monitored from 7 global locations.
Privacy & compliance
GDPR / CPRA ready: no sale or share of personal data, EU storage by default, and DPA + 2021 SCCs available for every customer.
Staged SDK releases
Every SDK build graduates from staging → canary → GA.
Candu does not require any personally identifiable information (PII) to be passed to the service, nor do we actively collect any PII from our customers.
GDPR & UK GDPR | EU data residency by default (AWS eu-west-1), no sale/share of personal data, and a pre-signed Data Processing Addendum (DPA).
U.S. state laws | Service-Provider status under CPRA, CPA, VCDPA, UCPA; DPA § 2.5 forbids downstream sale.
Data retention | 30-day purge of live and backup data after contract termination; export in JSON on request.
SOC 2 Type II | Audited for Security · Availability · Confidentiality (period: Dec 2023 – Nov 2024). Full report under NDA.
All customer data resides in AWS eu-west-1 (Dublin, Ireland). Backups stay in the same region.
Every aspect of the Candu application is encrypted. Our servers enforce the HTTPS protocol using TLS 1.2. Internally, our servers communicate exclusively over HTTPS.
Data is deleted within 30 days of contract termination and backup copies are purged on the same schedule.
No. Candu does not require any personally identifiable information (PII) to be passed to the service, nor do we actively collect any PII from our customers.
Yes—TLS 1.3 for transport, AES-256 for storage. Secrets are managed in AWS KMS.
All components (e.g., Content, Segments) in the SDK are wrapped with error boundaries to prevent JavaScript-related errors from propagating outside the Candu SDK and impacting our clients. If the error boundaries receive any errors, those are logged in the Candu tracking system.
At Candu, we take our SLA and partner operations extremely seriously. We maintain 99.9 % uptime over a calendar month.
SLA monitoring is done through third-party integration monitoring. We currently ping 10+ APIs for uptime, as well as other critical aspects of our infrastructure that we use to provide these services.
All the tests are performed from seven different locations around the world (Canada Central, Ohio, Oregon, Sydney, Tokyo, Frankfurt, London) to ensure we maintain availability within and throughout different regions.
All critical integration tests are performed each minute.
If any alerts were to fail, our team would be notified immediately, as outlined in our escalation policy.
Never. Our DPA (Section 2.5) contractually forbids data sale or sharing.
Email [email protected]; we respond within 30 days.
See the live list of Candu Sub-processors (auto-updated). Each vendor is bound by SCCs and undergoes an annual security review.
Not at all.
The core SDK is ≈ 45 kB gzipped (about the size of a tiny PNG) and is loaded asynchronously, so it never blocks First Contentful Paint.
We use Mutation Observers—not timers or heavy polling—so the script wakes up only when a target element actually appears in the DOM.
The bundle is served from Cloudflare + your browser’s HTTP/2 cache, so repeat visits cost 0 bytes on the network.
In short, Candu adds personalization without touching your performance budget—or your Core Web Vitals.
More questions? Contact our Security team.