How Canva Embeds Security and AI in Enterprise Platforms

When Duncan Clark set out to build Flourish, his goal extended beyond intuitive data communication.

Today, as Head of EMEA at Canva and CEO of Flourish, Duncan operates at the intersection of visual communication, data-driven decision-making and the security challenges that come with enterprise-scale AI adoption.

The platform now serves 95% of Fortune 500 companies, each with demanding security requirements and complex data governance needs.

This presents a unique challenge: how do you democratise design tools powered by generative AI while maintaining the security posture that enterprise clients demand?

"We think about this not only from the perspective of certifications like SOC 2 and the International Organization for Standardization (ISO) 27001, but also from the day-to-day reality of 'are we acting in the most responsible way possible?'" Duncan says.

"We also think really hard about security when it comes to AI as well as trust and safety more generally."

That security-first approach underpins every feature Canva releases, from AI assistants that can be tagged in design comments to live data connectors pulling information from platforms like Google Analytics and HubSpot.

Securing AI-powered workflows at scale

In the enterprise design space, there's significant concern about the security implications of AI adoption.

Organisations worry about data leakage, intellectual property protection and the legal risks of AI-generated content.

Canva's response has been to build security and indemnification directly into its AI capabilities.

"For example we offer indemnification for Gen AI in our platform for our enterprise customers so that they can have the confidence that their staff can use AI safely without a legal risk to the company," Duncan explains.

This legal protection addresses one of the most pressing concerns for security officers: the potential liability when employees use generative AI tools.

By offering indemnification, Canva assumes the legal risk, allowing organisations to adopt AI-powered creativity without exposing themselves to copyright claims or regulatory penalties.

The platform's AI systems are designed with multiple layers of control.

Recent capabilities allow designers to collaborate with Canva's intelligent assistant by tagging it directly in design comments, creating an audit trail of AI interactions.

Data protection in visual collaboration

Canva's acquisition of Flourish brought sophisticated data visualisation capabilities into the platform, but it also introduced new security considerations.

When users integrate live data from enterprise systems into visual content, the attack surface expands significantly.

"What we've been trying to do at Canva is unlock data storytelling for everyone so that you can produce better data graphics that are designed to engage, be explored and be interactive," Duncan says.

This integration between data and design requires robust access controls and encryption.

Canva's enterprise deployment includes single sign-on capabilities, allowing organisations to manage user authentication through their existing identity providers.

Shared brand assets and governance controls ensure that sensitive templates and data connections remain within approved boundaries.

Enterprise security through 'dogfooding'

Duncan emphasises that Canva operates as what it calls 'customer zero', rigorously testing security controls and new capabilities internally before public release.

"We are big believers in dogfooding our own tools and we are always the first users of our products," he says.

"We heavily test them internally before we release them publicly and we take the feedback from our team incredibly seriously."

This internal-first approach provides valuable security benefits.

When Canva's own teams rely on the platform for sensitive communications and data visualisation, vulnerabilities are more likely to surface before they reach external customers.

Recent launches like the Affinity suite integrate professional-grade photo editing, illustration and layout tools inside Canva's broader Creative Operating System.

This consolidation reduces the number of third-party tools that employees might otherwise use, potentially decreasing an organisation's overall security risk.

The suite is anchored by Canva's foundational design AI model, which assembles entire editable compositions rather than static images.

From a security perspective, this means organisations can maintain version control and audit trails for AI-generated content, rather than dealing with disparate files from multiple sources.

As visual communication platforms become essential enterprise infrastructure, the security frameworks that protect them will prove just as important as the creative capabilities they enable.

For Canva, that means ensuring 95% of Fortune 500 companies can scale visual communications without compromising on security, compliance or control.