Security at Anchor Insight

At Anchor Cyber Security LLC, we take the security of your data seriously. This page describes the security measures we implement to protect your information.

Data Protection

  • Encryption at Rest

    All data is encrypted at rest. Railway-managed PostgreSQL databases use AES-256 encryption. Cloudflare R2 object storage applies server-side encryption to all stored files.

  • Encryption in Transit

    All data transmitted between your devices and our servers uses TLS 1.2 or higher encryption. This includes all API calls, Slack integrations, and web sessions.

  • PII Minimization

    We minimize personal data collection. Slack user IDs are used as primary identifiers rather than email addresses where possible. Email addresses are hashed for cross-reference use.

Access Controls

  • Role-Based Access Control (RBAC)

    Access to data and features is controlled based on user roles. Users only have access to data necessary for their function.

  • Multi-Factor Authentication (Keycloak)

    Authentication is handled through Keycloak (id.anchorcybersecurity.com, anchor-platform realm) using the OAuth 2.0 Authorization Code Flow. TOTP multi-factor authentication is enforced on first login for all users. Passwords are stored as argon2 hashes, and the password policy requires a minimum of 14 characters including uppercase, lowercase, digits, and special characters. Brute-force detection is enabled.

  • Audit Logging

    All significant actions are logged in an append-only audit trail including timestamps, user IDs, IP addresses, and action details. Logs are retained for 12 months.

  • Session Security

    Sessions use HTTP-only, Secure, SameSite=Strict cookies. Session timeout and idle timeout are configurable per organization. Accounts are locked out after repeated failed authentication attempts.

Infrastructure

  • Railway — Application Hosting

    The platform is deployed on Railway (US region) with containerized deployments, automatic restarts, and isolated runtime environments.

  • Railway PostgreSQL — Database

    All application data is stored in Railway-managed PostgreSQL with encryption at rest, automated backups, and connection encryption.

  • Cloudflare R2 — File Storage

    Vendor documents and compliance exports are stored in Cloudflare R2 with server-side encryption. Files are accessed via time-limited presigned URLs and never exposed directly.

  • Cloudflare — CDN & DDoS Protection

    All traffic is routed through Cloudflare's network for DDoS mitigation, WAF protection, and TLS termination.

API & Integration Security

  • CSRF Protection

    All state-changing requests require a validated CSRF token.

  • Rate Limiting

    Authentication, API, and billing endpoints are rate-limited to prevent brute-force and abuse.

  • Slack Integration Security

    All Slack event payloads are verified using HMAC signing secrets. The platform only requests the minimum Slack OAuth scopes required.

  • AI Processing

    AI features are powered by Anthropic's Claude API. Uploaded content processed by the AI is not retained by Anthropic beyond the request.

Compliance Support

Anchor Insight helps organizations meet security awareness training requirements for various compliance frameworks:

  • SOC 2: Trust Services Criteria
  • ISO 27001: Annex A Controls
  • NIST CSF: Cybersecurity Framework
  • HIPAA: Security Rule
  • GDPR: Data Protection
  • CCPA: Privacy Rights

Note: Anchor Insight provides training content and evidence collection to support your compliance efforts. Compliance certification is the responsibility of each organization.

Data Subject Rights

We support GDPR and CCPA data subject rights:

  • Right to Access: Request a copy of your personal data
  • Right to Deletion: Request deletion of your personal data
  • Right to Portability: Export your data in a machine-readable format

To exercise these rights, contact your organization administrator or email privacy@anchorcybersecurity.com.

Responsible Disclosure

Found a security issue? Please report it to security@anchorcybersecurity.com. We ask that you:

  • Do not access other users' data beyond what is necessary to demonstrate the issue
  • Allow us reasonable time to investigate and remediate before public disclosure
  • Include reproduction steps and estimated impact in your report

We will acknowledge receipt within 2 business days.

Last updated: May 2026