Agent Skills: Canva Data Handling

Canva Data Handling

Overview

Handle Canva Connect API data responsibly. The API exposes user identifiers, design metadata, design content (via exports), uploaded assets, and comments. Apply proper classification, retention, and privacy controls.

Data Classification — Canva API Responses

| Data Type | Source Endpoint | Sensitivity | Handling | |-----------|----------------|-------------|----------| | User ID, Team ID | GET /v1/users/me | Internal | Don't expose externally | | User profile | GET /v1/users/me/profile | PII | Encrypt at rest, minimize | | Design metadata | GET /v1/designs | Business | Standard protection | | Design content | Export URLs from /v1/exports | Confidential | Time-limited URLs, don't cache | | OAuth tokens | /v1/oauth/token | Secret | Encrypt, never log | | Asset files | /v1/asset-uploads | Business | Validate, scan for malware | | Comments | /v1/designs/{id}/comment_threads | PII | May contain personal data | | Webhook payloads | Incoming POST | Mixed | Verify signature first |

Token Protection

// NEVER log tokens — they grant full access to a user's Canva account
function redactCanvaData(data: any): any {
  const sensitiveKeys = [
    'access_token', 'refresh_token', 'authorization',
    'client_secret', 'code_verifier',
  ];

  if (typeof data !== 'object' || data === null) return data;

  const redacted = Array.isArray(data) ? [...data] : { ...data };
  for (const key of Object.keys(redacted)) {
    if (sensitiveKeys.includes(key.toLowerCase())) {
      redacted[key] = '[REDACTED]';
    } else if (typeof redacted[key] === 'object') {
      redacted[key] = redactCanvaData(redacted[key]);
    }
  }
  return redacted;
}

// Safe logging
console.log('Canva response:', JSON.stringify(redactCanvaData(apiResponse)));

Temporary URL Handling

Canva API responses include URLs with limited lifetimes. Never cache beyond expiry.

interface CanvaUrlPolicy {
  type: string;
  ttl: number;        // milliseconds
  cacheable: boolean;
}

const URL_POLICIES: Record<string, CanvaUrlPolicy> = {
  thumbnail:  { type: 'thumbnail',  ttl: 15 * 60 * 1000,      cacheable: false }, // 15 min
  edit_url:   { type: 'edit_url',   ttl: 30 * 24 * 60 * 60 * 1000, cacheable: true }, // 30 days
  view_url:   { type: 'view_url',   ttl: 30 * 24 * 60 * 60 * 1000, cacheable: true }, // 30 days
  export_url: { type: 'export_url', ttl: 24 * 60 * 60 * 1000, cacheable: false }, // 24 hours
};

// Track URL expiry
class CanvaUrlTracker {
  private urls = new Map<string, { url: string; expiresAt: number }>();

  store(id: string, type: string, url: string): void {
    const policy = URL_POLICIES[type];
    this.urls.set(`${id}:${type}`, {
      url,
      expiresAt: Date.now() + (policy?.ttl || 0),
    });
  }

  get(id: string, type: string): string | null {
    const entry = this.urls.get(`${id}:${type}`);
    if (!entry || Date.now() > entry.expiresAt) return null;
    return entry.url;
  }
}

Data Retention

| Data Type | Retention | Reason | |-----------|-----------|--------| | OAuth tokens | Until user disconnects | Active session | | Design metadata (cached) | 5-60 minutes | Performance cache | | Export download URLs | Max 24 hours | Canva-enforced expiry | | API request logs | 30 days | Debugging | | Error logs | 90 days | Root cause analysis | | Audit logs | 7 years | Compliance | | Webhook events | 30 days | Processing/replay |

Automatic Cleanup

async function cleanupCanvaData(): Promise<void> {
  const now = Date.now();

  // Remove expired export URLs
  await db.exportUrls.deleteMany({ expiresAt: { $lt: new Date(now) } });

  // Remove old API logs
  const thirtyDaysAgo = new Date(now - 30 * 24 * 60 * 60 * 1000);
  await db.canvaApiLogs.deleteMany({
    createdAt: { $lt: thirtyDaysAgo },
    type: { $nin: ['audit'] },
  });

  // Remove tokens for deleted/inactive users
  await db.canvaTokens.deleteMany({ userId: { $in: await getDeletedUserIds() } });
}

GDPR/CCPA Compliance

Data Subject Access Request

async function exportCanvaUserData(userId: string): Promise<object> {
  const tokens = await tokenStore.get(userId);

  return {
    source: 'Canva Connect API',
    exportedAt: new Date().toISOString(),
    data: {
      identity: tokens ? await canvaAPI('/users/me', tokens.accessToken) : null,
      hasActiveConnection: !!tokens,
      // Note: Canva stores the user's designs — their data is in Canva's system
      // Your app only stores: tokens, cached metadata, and integration state
    },
  };
}

Right to Deletion

async function deleteCanvaUserData(userId: string): Promise<void> {
  // 1. Revoke tokens (disconnects from Canva)
  const tokens = await tokenStore.get(userId);
  if (tokens) {
    await revokeCanvaToken(tokens.accessToken, clientId, clientSecret);
  }

  // 2. Delete stored tokens
  await tokenStore.delete(userId);

  // 3. Clear cached design metadata
  await cache.deletePattern(`canva:user:${userId}:*`);

  // 4. Audit log (required — do not delete)
  await auditLog.record({
    action: 'GDPR_DELETION',
    userId,
    service: 'canva',
    timestamp: new Date(),
  });
}

Error Handling

| Issue | Cause | Solution | |-------|-------|----------| | Token in logs | Missing redaction | Wrap all logging with redactCanvaData | | Expired URL served | No expiry tracking | Use CanvaUrlTracker | | DSAR incomplete | Missing data inventory | Document all Canva data stored | | Orphaned tokens | User deleted without cleanup | Run periodic cleanup job |

Resources

• Canva Privacy Policy
• GDPR Developer Guide
• Canva API Reference

Next Steps

For enterprise access control, see canva-enterprise-rbac.