Security & Privacy
Last updated: June 2026
Security and data privacy are built into Anthyx's architecture — not bolted on as an afterthought. This article explains how we protect your data, what isolation guarantees apply between tenants, and where we stand on compliance certifications.
Encryption
All data stored by Anthyx is encrypted at rest using AES-256-GCM. This includes social account credentials (OAuth tokens), form responses, brand context, and analytics data. Encryption keys are managed through a dedicated key management service and are rotated quarterly. All data in transit is encrypted via TLS 1.3 — plain HTTP requests are automatically redirected to HTTPS.
Tenant isolation
Anthyx is a multi-tenant SaaS platform. Each workspace is logically isolated: your data is never accessible to another workspace's API calls. Brand context, embeddings, and semantic search indexes are stored in Qdrant with strict per-tenant namespace isolation — a query run in Workspace A cannot retrieve vectors belonging to Workspace B, even in the event of an application bug. This is enforced at the vector database level, not only in application code.
Infrastructure and data residency
Anthyx runs on infrastructure hosted in the United States (us-east-1). Your data, including all social content, analytics, brand context, and form responses, is stored and processed in the US. If your organisation requires EU data residency, contact support@useanthyx.com — we can discuss options for Enterprise customers.
Authentication and access control
- Passwords — hashed with bcrypt (cost factor 12). Anthyx never stores plaintext passwords.
- SSO / Social login — sign in with Google is available on all plans. SAML SSO for enterprise identity providers (Okta, Azure AD) is available on Agency and above.
- Two-factor authentication (2FA) — enable TOTP-based 2FA under Settings → Security → Two-factor authentication. Workspace Owners can require 2FA for all members.
- Session management — active sessions are listed under Settings → Security → Sessions. You can revoke any individual session or all sessions except the current one.
SOC 2 status
Anthyx is currently pursuing SOC 2 Type II certification. Our controls audit commenced in Q1 2026 and we expect to receive the report in Q4 2026. Customers on Agency and Enterprise plans can request our current security documentation package (policies, controls summary, and penetration test summary) by emailing security@useanthyx.com.
Vulnerability disclosure
If you discover a security vulnerability, please email security@useanthyx.com. We aim to acknowledge all reports within 24 hours and provide an initial assessment within 72 hours. We do not currently offer a bug bounty programme, but we acknowledge researchers in our changelog with their permission.
Related articles
Still stuck? Email support