  • TLS 1.3 + AES-256-GCM
  • GDPR Compliant
  • ISO 27001 Infrastructure
  • Zero Text Storage
  • EU Data Sovereignty

Encryption Layers

Data is protected at every stage with modern, standard cryptographic algorithms. Each layer addresses a specific threat: interception on the network, theft of stored data, and compromise of the server itself.

Data in Transit

TLS 1.3

All data transmitted between clients and servers is encrypted with TLS 1.3 (RFC 8446), the current version of the protocol. It is enforced on every connection with no fallback to TLS 1.2 or older, which also rules out renegotiation, static RSA key exchange and every non-AEAD cipher suite, since TLS 1.3 removed them.

Data at Rest

AES-256-GCM

Stored data (account credentials, session metadata, token mappings) is encrypted with AES-256-GCM, an authenticated encryption (AEAD) mode: it provides confidentiality and detects any modification of the ciphertext. GCM's 96-bit nonce must never repeat under the same key, since a repeat breaks both properties, so every record needs a fresh nonce.

Enterprise ZK Auth

XChaCha20-Poly1305

Enterprise zero-knowledge authentication uses XChaCha20-Poly1305 for client-side encryption of token mappings; its 192-bit nonce can be drawn at random with no practical risk of reuse, which suits encryption performed on many independent clients. The server stores only ciphertext and never has access to the decryption keys.

Key Derivation

Argon2id

Cryptographic keys are derived from user secrets with Argon2id, the recommended variant of Argon2, winner of the 2015 Password Hashing Competition. It is memory-hard, so brute-force attempts on GPUs and ASICs cannot be made much cheaper than the legitimate derivation on a CPU.

Key Recovery

BIP39 Recovery Phrase

Enterprise accounts receive a BIP39 mnemonic recovery phrase for key backup, the same standard cryptocurrency wallets use for deterministic key recovery. The phrase is equivalent to the key: anyone who holds it can decrypt the account's data, and losing it means the data cannot be recovered, so it should be written down and stored offline, never pasted into email or a support ticket.

Zero Text Storage

Text submitted for anonymization is processed entirely in memory and immediately discarded after processing. No original text is ever written to disk, logged, or retained.

  • In-memory processing only
  • Immediately discarded after processing
  • No AI model training on submitted text
  • No third-party data sharing
  • No data transfer outside the EU

Authentication

Multiple authentication methods with layered session security. The model scales from password-based authentication on the Professional tier to zero-knowledge authentication on the Enterprise tier, where the password never reaches the server.

Authentication Methods

  • bcrypt — Salted password hashing with a tunable work factor for Professional tier accounts
  • Zero-Knowledge Authentication — Enterprise tier; the password and the keys derived from it never leave the client, so the server never sees the password
  • OAuth 2.0 — Google and Microsoft single sign-on
  • 2FA TOTP — Time-based one-time passwords (RFC 6238) as a second factor

Session Security

  • GeoIP Session Management — Sessions are bound to geographic location; anomalous logins trigger re-authentication
  • Account Lockout — Automatic lockout after 5 consecutive failed authentication attempts
  • Secure Session Tokens — Cryptographically random tokens with configurable expiration

GDPR Compliance

Full GDPR compliance across both Professional and Enterprise tiers. The platform is designed from the ground up with Privacy by Design principles.

Privacy by Design

Data protection is embedded into the architecture from the earliest design stage, not added as an afterthought. Zero text storage is the default, not an option.

Tiers: Professional, Enterprise

DPIA

Data Protection Impact Assessment available for Enterprise deployments. Comprehensive risk analysis for high-risk processing activities involving personal data.

Tiers: Enterprise

Data Processing Agreement

DPA available for all customers. Defines the scope and purpose of processing, sub-processor obligations, and data subject rights.

Tiers: Professional, Enterprise

Data Subject Rights

Full support for the data subject rights in GDPR Articles 15 to 21: access (Art. 15), rectification (16), erasure (17), restriction of processing (18), data portability (20), and objection (21). 30-day response commitment for all requests, inside the one-month period Article 12 allows.

Tiers: Professional, Enterprise

ISO 27001

Infrastructure runs in ISO 27001 certified data centers. The Enterprise tier additionally includes a fully documented Information Security Management System.

Professional

86% Implemented

Professional infrastructure implements 86% of ISO 27001 controls. Hosted on Hetzner ISO 27001 certified data centers with inherited physical and environmental security controls.

  • ISO 27001 certified data center infrastructure
  • Inherited physical security controls
  • Network segmentation and access controls
  • Encrypted storage and transport
  • Automated security patching

Enterprise

Certified Infrastructure

Enterprise deployments run on fully ISO 27001 certified infrastructure with a documented ISMS covering all Annex A controls applicable to the anonymization service.

  • Full ISO 27001 certified infrastructure
  • Documented ISMS with 5 core policies
  • RBAC: Admin, Editor, User roles
  • Incident response with defined SLAs
  • Comprehensive audit logging
  • Annual review and continuous improvement

Information Security Management System

The Enterprise ISMS comprises five core policies, role-based access control, a tiered incident response framework, and comprehensive audit logging.

ISMS Policies

Policy ID Policy Name
ISMS-POL-001 Information Security Policy
ISMS-POL-002 Access Control Policy
ISMS-POL-003 Data Classification Policy
ISMS-POL-004 Incident Response Policy
ISMS-POL-005 Business Continuity Policy

Role-Based Access Control

Admin

Full system access. User management, configuration, audit log access, and incident response authority.

Editor

Content and workflow management. Can create and manage anonymization sessions, manage token mappings, and access team features.

User

Standard anonymization access. Can analyze and anonymize text, manage own sessions, and view own usage.

Incident Response SLAs

Priority        Description                                                       Response time
P1 — Critical   Data breach, system compromise, or complete service outage         < 1 hour
P2 — High       Significant security vulnerability or major feature degradation    < 4 hours
P3 — Medium     Non-critical security issue or minor service impact                < 24 hours
P4 — Low        Informational security observation or improvement request          < 72 hours

GDPR Article 33 requires notification of the supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. Under Article 34, affected data subjects are notified without undue delay when the breach is likely to result in a high risk to their rights and freedoms.

Audit Logging Retention

Auth Events

90 Days

Login attempts, session creation, authentication failures, password changes, and 2FA events.

Admin Actions

1 Year

User management, role changes, configuration modifications, and system administration events.

Security Events

1 Year

Incident records, access anomalies, policy violations, and security-relevant system events.

OWASP Top 10 Protection

The application is hardened against the OWASP Top 10 web application security risks. HTTP security headers enforce strict browser-side protections.

Security Headers

Strict-Transport-Security
HSTS tells browsers to use HTTPS only for the site for the duration of max-age; a long max-age (a year or more) keeps the policy in force between visits.
Content-Security-Policy
CSP restricts the origins from which scripts, styles, frames and other resources may load, so an injected script tag does not execute unless it comes from an allowed origin.
X-Frame-Options
Prevents clickjacking by refusing to render the page inside an iframe (DENY or SAMEORIGIN); CSP's frame-ancestors directive is the modern equivalent.
X-Content-Type-Options
Prevents MIME-type sniffing with the nosniff directive, so a response is interpreted only as its declared Content-Type.
Referrer-Policy
Controls how much of the current URL is sent in the Referer header of outgoing requests, keeping paths and query strings from leaking to other sites.
Permissions-Policy
Restricts browser features (camera, microphone, geolocation) so that embedded or injected content cannot request them.

Bot Protection

All forms and authentication endpoints are protected by Google reCAPTCHA v3 with a score threshold of 0.5. reCAPTCHA v3 runs invisibly: it scores each request from 0.0 (very likely a bot) to 1.0 (very likely a human) based on behavioral analysis, without any user interaction. The score is a risk signal, not a proof: the token must be verified server-side, and the verification response's action and hostname should be checked along with the score, otherwise a token obtained on one form can be replayed on another.


Security Questions?

Request a detailed security assessment or discuss specific compliance requirements for your organization.