canva-data-handling
Implement Canva Connect API data handling, PII protection, and GDPR/CCPA compliance. Use when handling user design data, implementing data retention policies, or ensuring privacy compliance for Canva integrations. Trigger with phrases like "canva data", "canva PII", "canva GDPR", "canva data retention", "canva privacy", "canva CCPA".
Best use case
canva-data-handling is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Implement Canva Connect API data handling, PII protection, and GDPR/CCPA compliance. Use when handling user design data, implementing data retention policies, or ensuring privacy compliance for Canva integrations. Trigger with phrases like "canva data", "canva PII", "canva GDPR", "canva data retention", "canva privacy", "canva CCPA".
Teams using canva-data-handling should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/canva-data-handling/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How canva-data-handling Compares
| Feature / Agent | canva-data-handling | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Implement Canva Connect API data handling, PII protection, and GDPR/CCPA compliance. Use when handling user design data, implementing data retention policies, or ensuring privacy compliance for Canva integrations. Trigger with phrases like "canva data", "canva PII", "canva GDPR", "canva data retention", "canva privacy", "canva CCPA".
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Canva Data Handling
## Overview
Handle Canva Connect API data responsibly. The API exposes user identifiers, design metadata, design content (via exports), uploaded assets, and comments. Apply proper classification, retention, and privacy controls.
## Data Classification — Canva API Responses
| Data Type | Source Endpoint | Sensitivity | Handling |
|-----------|----------------|-------------|----------|
| User ID, Team ID | `GET /v1/users/me` | Internal | Don't expose externally |
| User profile | `GET /v1/users/me/profile` | PII | Encrypt at rest, minimize |
| Design metadata | `GET /v1/designs` | Business | Standard protection |
| Design content | Export URLs from `/v1/exports` | Confidential | Time-limited URLs, don't cache |
| OAuth tokens | `/v1/oauth/token` | Secret | Encrypt, never log |
| Asset files | `/v1/asset-uploads` | Business | Validate, scan for malware |
| Comments | `/v1/designs/{id}/comment_threads` | PII | May contain personal data |
| Webhook payloads | Incoming POST | Mixed | Verify signature first |
## Token Protection
```typescript
// NEVER log tokens — they grant full access to a user's Canva account
function redactCanvaData(data: any): any {
const sensitiveKeys = [
'access_token', 'refresh_token', 'authorization',
'client_secret', 'code_verifier',
];
if (typeof data !== 'object' || data === null) return data;
const redacted = Array.isArray(data) ? [...data] : { ...data };
for (const key of Object.keys(redacted)) {
if (sensitiveKeys.includes(key.toLowerCase())) {
redacted[key] = '[REDACTED]';
} else if (typeof redacted[key] === 'object') {
redacted[key] = redactCanvaData(redacted[key]);
}
}
return redacted;
}
// Safe logging
console.log('Canva response:', JSON.stringify(redactCanvaData(apiResponse)));
```
## Temporary URL Handling
Canva API responses include URLs with limited lifetimes. Never cache beyond expiry.
```typescript
interface CanvaUrlPolicy {
type: string;
ttl: number; // milliseconds
cacheable: boolean;
}
const URL_POLICIES: Record<string, CanvaUrlPolicy> = {
thumbnail: { type: 'thumbnail', ttl: 15 * 60 * 1000, cacheable: false }, // 15 min
edit_url: { type: 'edit_url', ttl: 30 * 24 * 60 * 60 * 1000, cacheable: true }, // 30 days
view_url: { type: 'view_url', ttl: 30 * 24 * 60 * 60 * 1000, cacheable: true }, // 30 days
export_url: { type: 'export_url', ttl: 24 * 60 * 60 * 1000, cacheable: false }, // 24 hours
};
// Track URL expiry
class CanvaUrlTracker {
private urls = new Map<string, { url: string; expiresAt: number }>();
store(id: string, type: string, url: string): void {
const policy = URL_POLICIES[type];
this.urls.set(`${id}:${type}`, {
url,
expiresAt: Date.now() + (policy?.ttl || 0),
});
}
get(id: string, type: string): string | null {
const entry = this.urls.get(`${id}:${type}`);
if (!entry || Date.now() > entry.expiresAt) return null;
return entry.url;
}
}
```
## Data Retention
| Data Type | Retention | Reason |
|-----------|-----------|--------|
| OAuth tokens | Until user disconnects | Active session |
| Design metadata (cached) | 5-60 minutes | Performance cache |
| Export download URLs | Max 24 hours | Canva-enforced expiry |
| API request logs | 30 days | Debugging |
| Error logs | 90 days | Root cause analysis |
| Audit logs | 7 years | Compliance |
| Webhook events | 30 days | Processing/replay |
### Automatic Cleanup
```typescript
async function cleanupCanvaData(): Promise<void> {
const now = Date.now();
// Remove expired export URLs
await db.exportUrls.deleteMany({ expiresAt: { $lt: new Date(now) } });
// Remove old API logs
const thirtyDaysAgo = new Date(now - 30 * 24 * 60 * 60 * 1000);
await db.canvaApiLogs.deleteMany({
createdAt: { $lt: thirtyDaysAgo },
type: { $nin: ['audit'] },
});
// Remove tokens for deleted/inactive users
await db.canvaTokens.deleteMany({ userId: { $in: await getDeletedUserIds() } });
}
```
## GDPR/CCPA Compliance
### Data Subject Access Request
```typescript
async function exportCanvaUserData(userId: string): Promise<object> {
const tokens = await tokenStore.get(userId);
return {
source: 'Canva Connect API',
exportedAt: new Date().toISOString(),
data: {
identity: tokens ? await canvaAPI('/users/me', tokens.accessToken) : null,
hasActiveConnection: !!tokens,
// Note: Canva stores the user's designs — their data is in Canva's system
// Your app only stores: tokens, cached metadata, and integration state
},
};
}
```
### Right to Deletion
```typescript
async function deleteCanvaUserData(userId: string): Promise<void> {
// 1. Revoke tokens (disconnects from Canva)
const tokens = await tokenStore.get(userId);
if (tokens) {
await revokeCanvaToken(tokens.accessToken, clientId, clientSecret);
}
// 2. Delete stored tokens
await tokenStore.delete(userId);
// 3. Clear cached design metadata
await cache.deletePattern(`canva:user:${userId}:*`);
// 4. Audit log (required — do not delete)
await auditLog.record({
action: 'GDPR_DELETION',
userId,
service: 'canva',
timestamp: new Date(),
});
}
```
## Error Handling
| Issue | Cause | Solution |
|-------|-------|----------|
| Token in logs | Missing redaction | Wrap all logging with redactCanvaData |
| Expired URL served | No expiry tracking | Use CanvaUrlTracker |
| DSAR incomplete | Missing data inventory | Document all Canva data stored |
| Orphaned tokens | User deleted without cleanup | Run periodic cleanup job |
## Resources
- [Canva Privacy Policy](https://www.canva.com/policies/privacy-policy/)
- [GDPR Developer Guide](https://gdpr.eu/developers/)
- [Canva API Reference](https://www.canva.dev/docs/connect/api-reference/)
## Next Steps
For enterprise access control, see `canva-enterprise-rbac`.Related Skills
College Football Data (CFB)
Before writing queries, consult `references/api-reference.md` for endpoints, conference IDs, team IDs, and data shapes.
College Basketball Data (CBB)
Before writing queries, consult `references/api-reference.md` for endpoints, conference IDs, team IDs, and data shapes.
validating-database-integrity
Process use when you need to ensure database integrity through comprehensive data validation. This skill validates data types, ranges, formats, referential integrity, and business rules. Trigger with phrases like "validate database data", "implement data validation rules", "enforce data integrity constraints", or "validate data formats".
forecasting-time-series-data
This skill enables Claude to forecast future values based on historical time series data. It analyzes time-dependent data to identify trends, seasonality, and other patterns. Use this skill when the user asks to predict future values of a time series, analyze trends in data over time, or requires insights into time-dependent data. Trigger terms include "forecast," "predict," "time series analysis," "future values," and requests involving temporal data.
generating-test-data
This skill enables Claude to generate realistic test data for software development. It uses the test-data-generator plugin to create users, products, orders, and custom schemas for comprehensive testing. Use this skill when you need to populate databases, simulate user behavior, or create fixtures for automated tests. Trigger phrases include "generate test data", "create fake users", "populate database", "generate product data", "create test orders", or "generate data based on schema". This skill is especially useful for populating testing environments or creating sample data for demonstrations.
test-data-builder
Test Data Builder - Auto-activating skill for Test Automation. Triggers on: test data builder, test data builder Part of the Test Automation skill category.
splitting-datasets
Process split datasets into training, validation, and testing sets for ML model development. Use when requesting "split dataset", "train-test split", or "data partitioning". Trigger with relevant phrases based on skill purpose.
scanning-database-security
Process use when you need to work with security and compliance. This skill provides security scanning and vulnerability detection with comprehensive guidance and automation. Trigger with phrases like "scan for vulnerabilities", "implement security controls", or "audit security".
preprocessing-data-with-automated-pipelines
Process automate data cleaning, transformation, and validation for ML tasks. Use when requesting "preprocess data", "clean data", "ETL pipeline", or "data transformation". Trigger with relevant phrases based on skill purpose.
optimizing-database-connection-pooling
Process use when you need to work with connection management. This skill provides connection pooling and management with comprehensive guidance and automation. Trigger with phrases like "manage connections", "configure pooling", or "optimize connection usage".
modeling-nosql-data
This skill enables Claude to design NoSQL data models. It activates when the user requests assistance with NoSQL database design, including schema creation, data modeling for MongoDB or DynamoDB, or defining document structures. Use this skill when the user mentions "NoSQL data model", "design MongoDB schema", "create DynamoDB table", or similar phrases related to NoSQL database architecture. It assists in understanding NoSQL modeling principles like embedding vs. referencing, access pattern optimization, and sharding key selection.
monitoring-database-transactions
Monitor use when you need to work with monitoring and observability. This skill provides health monitoring and alerting with comprehensive guidance and automation. Trigger with phrases like "monitor system health", "set up alerts", or "track metrics".