Security Policy

Effective Date: January 1st, 2026

Last Updated Date: January 1st, 2026

Anchorbase maintains appropriate technical and organisational measures to protect Customer Personal Data, including the measures described below. These measures are designed to ensure the security, confidentiality, integrity, and availability of the data processed in connection with the Services.

1. Data & Security Commitments

Data Isolation: Each user’s documents are strictly segregated. The retrieval-augmented generation (RAG) system only retrieves and processes documents uploaded by that specific user, with filtering enforced at the database level.
In transit: All data is encrypted via TLS/HTTPS.
At rest: Documents and metadata are protected with AES-256 encryption.
Access control: Secure JWT-based authentication is used.
No AI Training on Customer Data: The Services use enterprise APIs from Google (Gemini) and xAI (Grok). Under these agreements, Customer data is not used to train or improve any models. Processing is limited to generating responses.
Data Ownership and Deletion: Customer retains 100% ownership of all uploaded documents and generated outputs. Customer may request full deletion at any time via the app, which triggers a hard delete across all systems (removing PDFs from storage, embeddings from vector databases, and metadata from databases). No residual data is retained in active systems.

2. Approved Subprocessors The following sub-processors are used to deliver the Services. All sub-processors are bound by written agreements that impose data protection obligations.

Subprocessor	Country / Region of Location	Anticipated Processing Task
Cloudflare R2	US	Document storage (at rest, AES-256 encrypted)
Supabase	US East - Ohio	PostgreSQL database - Metadata and database
Pinecone	US East - Virginia	Vector embeddings for RAG search
Google (Gemini Enterprise API)	US	Search LLM, OCR, embeddings (enterprise terms prohibit training on customer data)
xAI (Grok API)	US	Primary LLM (enterprise terms prohibit training on customer data)
Posthog	US	Product analytics, usage tracking, session replay, feature flags, and error monitoring
Fly.io	US East - Virginia	App hosting (backend + frontend)
Resend	US	Transactional email
Sentry	US	Error tracking

3. Additional Security Measures Anchorbase implements industry-standard controls including (but not limited to) encryption, access controls, regular security updates, and monitoring.