Legal · Security

Security at Anker.

Funds and founders use Anker to hold sensitive material — pitch decks, LP letters, cap tables, capital calls. Here's how we protect it.

Practices

Six controls that matter most.

Encryption everywhere

TLS 1.3 in transit. AES-256 at rest. Database connections encrypted end-to-end via Neon's HTTP serverless driver. Backups encrypted with separate keys.

Least-privilege access

Production credentials are scoped per-service. Engineering team access is reviewed quarterly. No shared accounts. All admin operations are audit-logged.

Audit logging

Every admin action, login attempt, API key change, and bulk export is recorded with a timestamp + actor + IP. Logs retained 18 months.

Data isolation

Multi-tenant by row-level scoping. LP portal queries are double-checked against the LP's email-derived memberships on every request — no client-side trust.

Backups & retention

Continuous WAL backups via Neon, with point-in-time recovery up to 7 days. Weekly snapshots retained 90 days. Account-level export available on request.

Secrets management

API keys (AI providers, news sources, Resend) live in encrypted environment variables. Per-tenant overrides stored in system_settings — never in source.

Responsible disclosure

Find a vulnerability?

Email security@an-ker.de with a description and steps to reproduce. We acknowledge within 48 hours and aim to resolve material issues within 30 days. We won't pursue legal action against researchers acting in good faith.

  • · Do not exfiltrate data — a single proof-of-access is enough
  • · Do not access other users' accounts without explicit permission
  • · Do not perform DoS or social engineering
  • · Give us a reasonable window to fix before public disclosure
Incident response

If a breach happens.

We follow a written incident-response playbook: contain, investigate, notify within 72 hours where personal data is involved, remediate, and publish a post-mortem. Affected customers receive a direct email with the scope, timeline, and remediation steps.

Questions?

Security reviews, SOC 2 questionnaires, custom DPAs — email security@an-ker.de.