Security

At Anchor, security is fundamental to everything we do. We understand that you trust us with your marketing content and business data, and we take that responsibility seriously. This page outlines our security practices and measures.

1. Data Encryption

1.1 Encryption in Transit

All data transmitted between your device and our servers is encrypted using TLS 1.3 (Transport Layer Security). This ensures that your data cannot be intercepted or read by third parties during transmission.

• HTTPS enforced across all endpoints
• TLS 1.3 with strong cipher suites
• HTTP Strict Transport Security (HSTS) enabled
• Certificate transparency monitoring

1.2 Encryption at Rest

All data stored in our systems is encrypted at rest using AES-256 encryption, one of the strongest encryption standards available.

• AES-256 encryption for all stored data
• Encrypted database storage
• Encrypted file storage and backups
• Secure key management practices

2. Infrastructure Security

2.1 Cloud Infrastructure

Our infrastructure is hosted on enterprise-grade cloud platforms (Vercel and Supabase) that maintain rigorous security certifications and compliance standards:

• SOC 2 Type II certified infrastructure providers
• ISO 27001 certified data centres
• Physical security controls at data centre facilities
• Redundant systems for high availability
• Regular security assessments by providers

2.2 Network Security

• Web Application Firewall (WAF) protection
• DDoS mitigation capabilities
• Network segmentation and isolation
• Intrusion detection and prevention
• Regular vulnerability scanning

3. Application Security

3.1 Secure Development

We follow secure development practices throughout our software development lifecycle:

• Security-focused code reviews
• Dependency vulnerability scanning
• Static application security testing (SAST)
• Regular security updates and patching
• Secure coding guidelines and training

3.2 Authentication and Authorisation

• Secure password hashing (bcrypt)
• Session management with secure tokens
• Role-based access control (RBAC)
• Row-level security for data isolation
• Multi-tenant data separation
• Account lockout after failed attempts

3.3 API Security

• API authentication and authorisation
• Rate limiting to prevent abuse
• Input validation and sanitisation
• CORS policy enforcement
• API access logging and monitoring

4. Data Privacy and Isolation

4.1 Multi-Tenant Security

Our platform is designed with multi-tenancy in mind, ensuring your organisation's data is logically separated from other customers:

• Row-level security (RLS) policies in the database
• Organisation-scoped data access
• Strict access control between organisations
• Audit logging of all data access

4.2 Data Handling

• Minimal data collection principle
• Data retention policies and automatic deletion
• Secure data deletion procedures
• No selling of customer data to third parties

5. AI and Third-Party Security

5.1 AI Service Providers

We use reputable AI service providers (such as OpenRouter and Google) to power our compliance analysis. When your content is processed by these services:

• Data is transmitted securely via encrypted connections
• We have data processing agreements with providers
• Providers are contractually bound to protect your data
• We review provider security practices regularly

5.2 Third-Party Risk Management

• Security assessment of all third-party vendors
• Contractual security requirements
• Regular review of vendor security practices
• Minimal data sharing with third parties

6. Monitoring and Incident Response

6.1 Security Monitoring

• 24/7 automated security monitoring
• Real-time alerting for suspicious activity
• Comprehensive logging of security events
• Performance and error monitoring (Sentry)
• Regular log review and analysis

6.2 Incident Response

We maintain an incident response plan to ensure quick and effective response to security incidents:

• Documented incident response procedures
• Defined roles and responsibilities
• Communication protocols for affected parties
• Post-incident review and improvement

6.3 Breach Notification

In the event of a data breach affecting your personal information, we will notify you in accordance with the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 (Cth).

7. Employee Security

• Background checks for employees with data access
• Security awareness training for all team members
• Principle of least privilege for system access
• Regular access reviews and deprovisioning
• Secure workstation policies
• Confidentiality agreements

8. Business Continuity

• Regular automated backups
• Geographically distributed backup storage
• Disaster recovery procedures
• Regular backup restoration testing
• High availability architecture

9. Compliance

We are committed to meeting relevant compliance requirements:

• Privacy Act 1988 (Cth): Compliance with Australian Privacy Principles
• Notifiable Data Breaches: Compliance with NDB scheme requirements
• Industry Standards: Implementation of security best practices

10. Your Security Responsibilities

Security is a shared responsibility. We recommend you take the following steps to help protect your account:

• Use a strong, unique password for your Anchor account
• Do not share your account credentials with others
• Log out of shared or public devices
• Keep your devices and browsers up to date
• Be cautious of phishing attempts
• Review and manage your team members' access regularly
• Report any suspicious activity to our security team

11. Reporting Security Issues

If you discover a security vulnerability or have security concerns, please report them to us immediately. We appreciate responsible disclosure and will work with you to address any issues.

We are committed to investigating all reported vulnerabilities and will respond within 48 hours of receiving your report.

12. Contact Us

If you have questions about our security practices, please contact us: