Security
Anthropon is built with security as a foundation, not an afterthought. Enterprise-grade protection for every company, regardless of size.
All data encrypted at rest using AES-256 and in transit using TLS 1.3. Database connections use encrypted channels. Sensitive fields like SSN and bank details receive additional field-level encryption.
Each organization's data is logically isolated at the database level. Row-level security policies ensure one tenant can never access another's data, even in the event of application bugs.
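As an added illustration of the database-level isolation described above (PostgreSQL SQL written for this page, not Anthropon's own schema or policies; the table, the `app.current_org` setting name and the UUIDs are constructed), a row-level security policy and a short walk-through of how it holds even when application code forgets its tenant filter:

```sql
-- Constructed example: one tenant-scoped table (not Anthropon's schema).
CREATE TABLE employees (
    id        bigserial PRIMARY KEY,
    org_id    uuid NOT NULL,
    full_name text NOT NULL
);

-- The application sets the tenant for the current transaction at the start
-- of each request with SET LOCAL, so the value never leaks across pooled
-- connections. current_setting(..., true) returns NULL when unset, and
-- NULLIF guards the empty string a reset GUC can leave behind (casting ''
-- to uuid would error). With a NULL tenant, no row ever matches.
ALTER TABLE employees ENABLE ROW LEVEL SECURITY;
-- Table owners bypass RLS unless it is forced; force it so the role that
-- owns the schema is not silently exempt. Superusers and BYPASSRLS roles
-- still bypass it, so the application must connect as neither.
ALTER TABLE employees FORCE ROW LEVEL SECURITY;

CREATE POLICY tenant_isolation ON employees
    USING (org_id = NULLIF(current_setting('app.current_org', true), '')::uuid)
    WITH CHECK (org_id = NULLIF(current_setting('app.current_org', true), '')::uuid);

-- Walk-through as tenant 1111...: reads and writes stay inside that org.
BEGIN;
SET LOCAL app.current_org = '11111111-1111-1111-1111-111111111111';
INSERT INTO employees (org_id, full_name)
    VALUES ('11111111-1111-1111-1111-111111111111', 'Ada');   -- allowed
-- A buggy query that omits WHERE org_id = ... still returns only org 1111...
SELECT id, org_id, full_name FROM employees;
COMMIT;

-- A write on behalf of another tenant fails the WITH CHECK clause, and
-- the error aborts the transaction; nothing is persisted.
BEGIN;
SET LOCAL app.current_org = '11111111-1111-1111-1111-111111111111';
INSERT INTO employees (org_id, full_name)
    VALUES ('22222222-2222-2222-2222-222222222222', 'Bob');   -- ERROR: row violates row-level security policy
ROLLBACK;

-- With no tenant set (e.g. a background job that forgot to), the table
-- reads as empty rather than exposing every organization's rows.
SELECT count(*) FROM employees;   -- 0
```

The policy only protects tables it is attached to, so the check to add to a test suite is one that lists every tenant-scoped table and asserts `relrowsecurity` and `relforcerowsecurity` are both set in `pg_class`.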
TOTP-based MFA for all user accounts. Admins can enforce MFA organization-wide. Compatible with Google Authenticator, Authy, 1Password, and other TOTP apps.
Four configurable roles — HR Admin, Manager, Employee, and IT Admin — each with granular permissions. Users only see the data and actions relevant to their role.
Every action is logged with user identity, timestamp, IP address, and the details of the change. Audit logs are immutable and retained according to your data retention policy.
Automatic session expiry, secure HTTP-only cookies, and the ability to revoke all active sessions. Admins can force logout for any user in their organization.
A closer look at how we protect your data across every layer of the stack.
Deployed on industry-leading cloud infrastructure with SOC 2 Type II certification. All servers run in private subnets with no direct internet access.
Web Application Firewall (WAF), DDoS protection, rate limiting, and IP-based access controls. All internal communications use encrypted channels.
Automated daily backups with point-in-time recovery. Backups are encrypted and stored in a separate geographical region. Tested regularly.
24/7 infrastructure monitoring with Prometheus and Alertmanager. Automated alerting for anomalies, errors, and security events.
All inputs validated and sanitized server-side using Zod schemas. Protection against SQL injection, XSS, and CSRF attacks.
Secure password hashing with bcrypt (cost factor 12). Email verification required. Account lockout after failed attempts. Session tokens rotated regularly.
All uploaded files scanned for viruses and malware before storage. File type validation, size limits, and content-type verification.
Rate limiting on all endpoints. API key authentication for programmatic access. CORS properly configured. Request logging for forensic analysis.
Anthropon is built with SOC 2 Type II controls in mind. We are actively pursuing certification and expect to complete our audit in 2026.
Data minimization, right to erasure, data portability, and consent management. We process data in accordance with GDPR principles and can sign DPAs.
Configurable data retention policies. Automated purging of deleted records after the retention period. Export your data at any time in standard formats.
Regular dependency scanning, OWASP ZAP security testing, and penetration testing. Responsible disclosure program for security researchers.
Your employee data belongs to you. We never sell, share, or use it for advertising. Period.
Our team uses least-privilege access. Only a small number of senior engineers can access production data, and all access is logged.
In the unlikely event of a security incident, we commit to notifying affected customers within 72 hours with a full incident report.
Export all your data at any time in CSV or JSON format. No vendor lock-in. If you leave Anthropon, your data goes with you.
We welcome security researchers. Report vulnerabilities to security@anthropon.com and we'll respond within 48 hours.
Our team is happy to discuss our security practices in detail. Reach out to schedule a security review call.