Security

Anchord is designed with security and data isolation as foundational principles. This page describes what we store, how we protect it, and what we explicitly do not do.

Read-only by design

Anchord never writes back to your external systems. The guard/write endpoint is evaluation-only: it returns allowed: true, or allowed: false together with specific block codes, and the caller executes any actual write. This eliminates an entire class of risk, since Anchord cannot corrupt, overwrite, or duplicate data in your CRM, database, or any connected system.

What we store

Anchord stores the data you explicitly send it:

  • Source record payloads — the JSON objects you ingest via the API or through connected integrations (Salesforce, HubSpot, Stripe).
  • Canonical entities — resolved identities created by the matching engine.
  • Entity links — associations between source records and canonical entities.
  • Audit logs — structured events for sensitive operations (merges, key creation/revocation, impersonation, disconnects, purges).
  • Account data — name, email, company name, hashed password, hashed API keys.

We do not store raw OAuth access tokens in the application database. Integration credentials are held in a separate secrets vault (see below).

Encryption

Layer            Mechanism
At rest          AES-256 via AWS RDS encryption (PostgreSQL). EBS volumes encrypted.
In transit       TLS 1.2+ enforced on all connections — API, console, database (SSL required).
Secrets storage  OAuth tokens and integration credentials stored in AWS Secrets Manager with app-level encryption via SecretsVault. Never stored in the application database.
API keys         Hashed with HMAC-SHA256 + server-side pepper before storage. Plaintext shown once at creation and never retrievable.
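The API-key handling in the last row, as an added Python example that is not Anchord's own code: the key format ak_<key_id>.<secret>, the in-memory store and the pepper value are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Assumed: the pepper is loaded at runtime from a secrets manager and is never
# stored next to the key hashes. This value is constructed for the example only.
PEPPER = b"example-pepper-loaded-from-secrets-manager"


def hash_api_key(plaintext: str, pepper: bytes = PEPPER) -> str:
    """HMAC-SHA256 of the key under the server-side pepper; only this is stored.
    Without the pepper, a copy of the database cannot verify candidate keys."""
    return hmac.new(pepper, plaintext.encode("utf-8"), hashlib.sha256).hexdigest()


def create_api_key(store: dict) -> str:
    """Mint a key of the (assumed) form ak_<key_id>.<secret>, persist only its
    hash, and return the plaintext once; the caller shows it and discards it."""
    key_id = secrets.token_hex(8)
    plaintext = f"ak_{key_id}.{secrets.token_urlsafe(32)}"
    store[key_id] = {"hash": hash_api_key(plaintext), "revoked": False}
    return plaintext


def revoke_api_key(store: dict, key_id: str) -> None:
    """Revocation keeps the record (useful for audit) but makes verification fail."""
    record = store.get(key_id)
    if record is not None:
        record["revoked"] = True


def verify_api_key(store: dict, presented: str) -> bool:
    """Look up the record by the key_id embedded in the key, recompute the HMAC
    and compare in constant time so timing does not leak how much matched."""
    prefix, sep, _secret = presented.partition(".")
    if not sep or not prefix.startswith("ak_"):
        return False
    record = store.get(prefix[3:])
    if record is None or record["revoked"]:
        return False
    return hmac.compare_digest(record["hash"], hash_api_key(presented))
```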

Tenant isolation

Every tenant's data is logically isolated at the application level. All database queries are automatically scoped to the authenticated tenant via global query scopes. Cross-tenant data access is architecturally prevented — there is no API or UI path that surfaces another tenant's records.

Platform admin operations (used only by the Anchord team) bypass tenant scoping with explicit scope overrides and are restricted to authenticated platform admin accounts.

Logging & redaction

Every API request is assigned a unique request_id for traceability. Sensitive values are redacted from logs:

  • Authorization headers and Bearer tokens are never logged.
  • API key plaintext is never persisted beyond the initial creation response.
  • OAuth tokens and refresh tokens are not included in application logs or error reports.
  • Request payloads containing customer data are not logged at the info level in production.

Infrastructure

Hosted on AWS with private subnets, managed RDS (PostgreSQL with SSL required), and ECS/Fargate for compute isolation. No SSH access to production containers. Secrets are managed via AWS Secrets Manager and injected at runtime.

Audit logging

Sensitive operations generate structured audit events, including: entity merges, admin impersonation, API key creation and revocation, integration connect/disconnect, data purges, and tenant disables. Each event records the actor, action, timestamp, and request ID.

Questions or concerns?

For security inquiries or to report a vulnerability, contact us at security@anchord.ai.

See also: Privacy Policy · Terms of Service