Security & Compliance

Security measures and compliance information

anonymize.today - Security Overview

Classification: PUBLIC

Overview

Security is fundamental to anonymize.today. We implement comprehensive security measures to protect your data and ensure the privacy of all information processed through our platform. This document provides an overview of our security practices without revealing sensitive implementation details.


Encryption

Data in Transit

  • TLS 1.3: All data transmitted between your browser and our servers uses TLS 1.3 encryption
  • HTTPS Only: All connections are encrypted and secure
  • Certificate: Let's Encrypt SSL certificate with automatic renewal
  • Security Headers: HSTS (HTTP Strict Transport Security) ensures encrypted connections

Data at Rest

  • AES-256-GCM: Industry-standard encryption for sensitive data
  • Encrypted Storage: All sensitive data stored with encryption
  • Key Management: Secure key storage and management
  • Database Encryption: Sensitive database fields encrypted

Authentication & Access Control

Authentication Methods

  • Password-Based: Strong password requirements (12+ characters, mixed case, numbers, symbols)
  • Two-Factor Authentication (2FA): Optional 2FA via authenticator app or email
  • JWT Tokens: Secure, time-limited authentication tokens
  • Session Management: Device tracking and session revocation

Password Security

  • Password Hashing: bcrypt with appropriate cost factors
  • Password History: Prevents reuse of last 3 passwords
  • Account Lockout: Automatic lockout after 5 failed login attempts (30-minute lockout)
  • Password Reset: Secure token-based reset with SHA-256 hashing, 1-hour expiry

Access Control

  • Role-Based Access Control (RBAC): Admin, Editor, User roles
  • Plan-Based Feature Gating: Features accessible based on subscription plan
  • API Token Management: Secure API token generation and revocation
  • Session Validation: Middleware checks session validity on every request

Bot Protection

reCAPTCHA v3

  • Invisible Protection: Google reCAPTCHA v3 on signup and password reset forms
  • Score-Based: Intelligent risk assessment (0.0-1.0 scale)
  • No User Interaction: Seamless experience with no CAPTCHA challenges
  • Server-Side Verification: All tokens verified server-side

Compliance & Certifications

ISO 27001:2022

  • Compliance Status: 86% implemented
  • Information Security Management System (ISMS): Comprehensive security framework
  • Regular Audits: Ongoing security assessments and improvements
  • Documentation: Complete security policies and procedures

GDPR Compliance

  • Data Protection: Comprehensive data protection measures
  • Data Subject Rights: Access, erasure, portability, and rectification
  • Data Processing Agreements: Compliant data processing
  • Breach Notification: Procedures for data breach notification
  • Data Export: Self-service data export (GDPR Article 20)

Other Standards

  • OWASP Top 10: Protection against common web vulnerabilities
  • SOC 2 Type II Principles: Security, availability, and confidentiality principles

Data Protection Measures

Data Processing

  • No Data Storage: Your text is processed in real-time and not stored
  • Metadata Only: Only usage statistics and token transactions are stored
  • Anonymization: All PII is anonymized according to your specifications
  • Secure Processing: All processing occurs in secure, isolated environments

Data Retention

  • Minimal Retention: Only necessary metadata retained
  • User Data: Retained per your account lifecycle
  • Audit Logs: Retained for compliance and security purposes
  • Deletion: Data deletion upon account closure (subject to legal requirements)

Data Sharing

  • No Third-Party Sharing: We do not share your data with third parties
  • Service Providers: Only essential service providers with strict data protection agreements
  • Legal Requirements: Data sharing only when legally required

Security Headers

We implement comprehensive security headers:

  • Strict-Transport-Security (HSTS): Forces HTTPS connections
  • Content-Security-Policy (CSP): Prevents XSS attacks
  • X-Frame-Options: Prevents clickjacking
  • X-Content-Type-Options: Prevents MIME-type sniffing
  • X-XSS-Protection: Additional XSS protection
  • Referrer-Policy: Controls referrer information
  • Permissions-Policy: Controls browser features

Audit Logging

Comprehensive Logging

  • All Operations: All security-relevant operations logged
  • Authentication Events: Login attempts, password changes, 2FA changes
  • Access Events: API access, feature usage
  • Payment Events: All payment transactions logged
  • Admin Actions: All administrative actions logged

Log Retention

  • Compliance: Logs retained per compliance requirements
  • Security: Security logs retained for incident investigation
  • Access: Logs accessible only to authorized personnel

Security Best Practices

For Users

  • ✅ Use strong, unique passwords
  • ✅ Enable two-factor authentication
  • ✅ Regularly review active sessions
  • ✅ Use secure networks when accessing the platform
  • ✅ Report suspicious activity immediately

Platform Practices

  • ✅ Regular security updates and patches
  • ✅ Vulnerability scanning and assessment
  • ✅ Penetration testing
  • ✅ Security awareness training
  • ✅ Incident response procedures

Incident Response

Response Procedures

  • Detection: Automated monitoring and alerting
  • Response Time: Target response within 24 hours
  • Communication: Transparent communication with affected users
  • Remediation: Swift remediation of security issues
  • Post-Incident: Comprehensive post-incident review

Reporting Security Issues

If you discover a security vulnerability:

  1. Do not disclose publicly
  2. Contact us immediately with details
  3. We will investigate and respond promptly
  4. Responsible disclosure is appreciated

Security Updates

We continuously improve our security posture:

  • Regular Updates: Security updates applied promptly
  • Vulnerability Management: Proactive vulnerability scanning and patching
  • Security Reviews: Regular security architecture reviews
  • Compliance Audits: Ongoing compliance assessments

Privacy Commitments

Your Privacy

  • Data Minimization: We collect only necessary data
  • Purpose Limitation: Data used only for stated purposes
  • Transparency: Clear privacy policies and practices
  • User Control: You control your data and can export or delete it

Our Commitments

  • No Data Selling: We never sell your data
  • No Unauthorized Access: Strict access controls
  • Confidentiality: All data treated as confidential
  • Compliance: Full compliance with applicable privacy laws


Note: This document provides a public overview of security measures. For detailed technical security documentation, see internal security documentation (available to authorized personnel only).

Compliance Overview

Classification: PUBLIC

Overview

anonymize.today is committed to maintaining the highest standards of security and compliance. This document provides an overview of our compliance certifications, data protection measures, and privacy commitments.


Compliance Certifications

ISO 27001:2022

Status: 86% Implemented

anonymize.today follows ISO 27001:2022 standards for Information Security Management Systems (ISMS). Our implementation includes:

  • Information Security Policy: Comprehensive security policy framework
  • Access Control Policy: Role-based access control and authentication
  • Incident Response Plan: Procedures for security incident handling
  • Risk Assessment: Regular security risk assessments
  • Statement of Applicability: Control implementation status


GDPR Compliance

Status: Fully Compliant

anonymize.today is designed to help organizations comply with the General Data Protection Regulation (GDPR). Our platform implements:

  • Data Protection by Design: Built-in privacy protection measures
  • Data Subject Rights: Access, erasure, portability, and rectification
  • Data Processing Agreements: Compliant data processing
  • Breach Notification: Procedures for data breach notification
  • Data Export: Self-service data export (GDPR Article 20)

Key Features:

  • Real-time processing (no data storage)
  • User data export functionality
  • Comprehensive audit logging
  • Secure data processing

See GDPR Compliance for detailed information.


Data Protection Measures

Encryption

  • Data in Transit: TLS 1.3 encryption for all connections
  • Data at Rest: AES-256-GCM encryption for sensitive data
  • Key Management: Secure key storage and management

Access Control

  • Authentication: Multi-factor authentication (2FA) support
  • Authorization: Role-based access control (Admin, Editor, User)
  • Session Management: Device tracking and session revocation
  • Password Security: Strong password requirements and history

Data Processing

  • No Data Storage: Text is processed in real-time and not stored
  • Metadata Only: Only usage statistics and token transactions are stored
  • Secure Processing: All processing occurs in secure, isolated environments

Privacy Commitments

Your Privacy

  • Data Minimization: We collect only necessary data
  • Purpose Limitation: Data used only for stated purposes
  • Transparency: Clear privacy policies and practices
  • User Control: You control your data and can export or delete it

Our Commitments

  • No Data Selling: We never sell your data
  • No Unauthorized Access: Strict access controls
  • Confidentiality: All data treated as confidential
  • Compliance: Full compliance with applicable privacy laws

Audit Capabilities

Comprehensive Logging

  • All Operations: All security-relevant operations logged
  • Authentication Events: Login attempts, password changes, 2FA changes
  • Access Events: API access, feature usage
  • Payment Events: All payment transactions logged
  • Admin Actions: All administrative actions logged

Log Retention

  • Compliance: Logs retained per compliance requirements
  • Security: Security logs retained for incident investigation
  • Access: Logs accessible only to authorized personnel

Compliance Status Dashboard

Current Status

Standard          Status         Implementation
ISO 27001:2022    In Progress    86%
GDPR              Compliant      100%
OWASP Top 10      Compliant      100%
SOC 2 Type II     In Progress    75%

Ongoing Improvements

  • Regular security assessments
  • Continuous compliance monitoring
  • Security updates and patches
  • Staff training and awareness


GDPR Compliance

Classification: PUBLIC

Overview

anonymize.today is designed to help organizations comply with the General Data Protection Regulation (GDPR). This document outlines our GDPR compliance measures and how the platform supports your GDPR obligations.


GDPR Principles Implemented

1. Lawfulness, Fairness, and Transparency

  • Clear Purpose: Platform purpose clearly stated
  • Transparent Processing: Users understand how their data is processed
  • Legal Basis: Processing based on legitimate interests and user consent

2. Purpose Limitation

  • Specific Purpose: Data collected only for platform operation
  • No Secondary Use: Data not used for purposes other than stated
  • Clear Scope: Processing scope clearly defined

3. Data Minimization

  • Minimal Collection: Only necessary data collected
  • No Text Storage: User text processed in real-time, not stored
  • Metadata Only: Only usage statistics and token transactions stored

4. Accuracy

  • User Control: Users can update their data
  • Data Correction: Profile information can be corrected
  • Verification: Email verification ensures accuracy

5. Storage Limitation

  • No Text Storage: User text not stored
  • Retention Policy: Metadata retained per account lifecycle
  • Deletion: Data deletion upon account closure

6. Integrity and Confidentiality

  • Encryption: AES-256-GCM (at rest), TLS 1.3 (in transit)
  • Access Control: Role-based access control
  • Security Measures: Comprehensive security implementation

7. Accountability

  • Documentation: Complete security and compliance documentation
  • Audit Logging: Comprehensive audit trails
  • Compliance Monitoring: Regular compliance assessments

Data Subject Rights

Right of Access (Article 15)

How to Exercise:

  1. Go to Settings → Account tab
  2. Click "Download My Data"
  3. Receive JSON export of all personal data

What's Included:

  • Profile information
  • Custom entities
  • Presets
  • Usage history
  • Token ledger
  • Subscriptions
  • Payment history

Rate Limit: 1 export per hour

Right to Rectification (Article 16)

How to Exercise:

  • Update profile information in Settings → Account
  • Change email address in Settings → Account
  • Update custom entities and presets

Right to Erasure (Article 17)

How to Exercise:

  • Contact support to request account deletion
  • All personal data will be deleted (subject to legal requirements)
  • Deletion processed in accordance with GDPR requirements

Right to Data Portability (Article 20)

How to Exercise:

  • Use "Download My Data" feature in Settings → Account
  • Receive machine-readable JSON format
  • Export includes all personal data

Right to Object (Article 21)

How to Exercise:

  • Contact support to object to specific processing
  • We'll review and respond to objections

Rights Related to Automated Decision-Making (Article 22)

Status: anonymize.today does not use automated decision-making that produces legal effects or significantly affects individuals.


Data Processing Agreements

Controller-Processor Relationships

  • We are a Processor: When processing your text data
  • You are the Controller: You determine the purposes and means of processing
  • No Data Sharing: We do not share your data with third parties

Processing Activities

  • Purpose: PII detection and anonymization
  • Legal Basis: Legitimate interests (service provision)
  • Data Categories: Text content (processed, not stored)
  • Data Subjects: Your users/customers whose data you process

Data Retention Policies

User Account Data

  • Retention: Retained while account is active
  • Deletion: Deleted upon account closure (subject to legal requirements)
  • Backup: Backups retained per backup retention policy

Processing Data

  • Text Content: Not stored (processed in real-time)
  • Metadata: Usage statistics and token transactions
  • Retention: Per account lifecycle

Audit Logs

  • Retention: Per compliance requirements
  • Access: Authorized personnel only
  • Purpose: Security and compliance

Breach Notification Procedures

Our Commitment

  • Detection: Automated monitoring and alerting
  • Response Time: Target response within 24 hours
  • Notification: Transparent communication with affected users
  • Remediation: Swift remediation of security issues

Breach Notification

If a data breach occurs:

  1. Immediate Assessment: Assess scope and impact
  2. Containment: Contain the breach immediately
  3. Notification: Notify affected users within 72 hours (if required)
  4. Remediation: Remediate security issues
  5. Post-Incident Review: Comprehensive post-incident review

International Data Transfers

Data Location

  • Processing: Data processed on servers in EU/EEA
  • Storage: Metadata stored in EU/EEA
  • Transfers: No international transfers of personal data

Adequacy Decisions

  • EU Adequacy: Processing in EU/EEA ensures adequacy
  • Standard Contractual Clauses: Not applicable (no transfers)

Privacy by Design and Default

Design Principles

  • Data Minimization: Minimal data collection
  • No Text Storage: Real-time processing only
  • Encryption: Encryption by default
  • Access Control: Least privilege access

Default Settings

  • Privacy-First: Privacy-protective defaults
  • User Control: Users control their data
  • Transparency: Clear privacy practices

Data Protection Impact Assessments (DPIAs)

When Required

  • New Features: DPIAs for new features processing personal data
  • Significant Changes: DPIAs for significant processing changes
  • High-Risk Processing: DPIAs for high-risk processing activities

Our Approach

  • Proactive Assessment: Assess privacy impact before implementation
  • Documentation: Document DPIA findings
  • Mitigation: Implement privacy mitigations


Two-Factor Authentication (2FA) Guide

Classification: PUBLIC

What is Two-Factor Authentication?

Two-Factor Authentication (2FA) adds an extra layer of security to your account. When enabled, you'll need to provide two things to sign in:

  1. Something you know - Your password
  2. Something you have - A verification code from your authenticator app or email

This means even if someone discovers your password, they still can't access your account without the second factor.


Setting Up 2FA

Step 1: Access Security Settings

  1. Sign in to your account at anonymize.today
  2. Click on Settings in the navigation menu
  3. Go to the Security tab

Step 2: Choose Your 2FA Method

You can enable one or both of these methods:

Option A: Authenticator App

An authenticator app generates time-based codes that change every 30 seconds. This is the most secure option.

Supported Apps:

  • Google Authenticator (iOS/Android)
  • Microsoft Authenticator (iOS/Android)
  • Authy (iOS/Android/Desktop)
  • 1Password
  • Any TOTP-compatible authenticator

Setup Process:

  1. Click Set up Authenticator App
  2. A QR code will appear on screen
  3. Open your authenticator app and scan the QR code
  4. Enter the 6-digit code from your app to verify
  5. Important: Save your backup codes in a secure location!

Option B: Email Verification

Email verification sends a 6-digit code to your registered email address.

Setup Process:

  1. Click Enable Email 2FA
  2. A verification code will be sent to your email
  3. Enter the code to confirm
  4. Email 2FA is now active

Step 3: Save Your Backup Codes

When you first enable 2FA, you'll receive backup codes. These are one-time use codes that let you access your account if you lose access to your authenticator app or email.

⚠️ IMPORTANT:

  • Each backup code can only be used once
  • Store them in a secure location (password manager, safe, etc.)
  • Don't share them with anyone
  • You can regenerate new codes from Security Settings if needed

Signing In with 2FA

Using Your Authenticator App

  1. Enter your email and password on the sign-in page
  2. When prompted for 2FA, open your authenticator app
  3. Enter the 6-digit code shown in the app
  4. Click Verify & Sign In

💡 Tip: Authenticator codes change every 30 seconds. If a code doesn't work, wait for the next one.

Using Email Verification

  1. Enter your email and password on the sign-in page
  2. When prompted for 2FA, click Send code via email
  3. Check your inbox for the verification email
  4. Enter the 6-digit code from the email
  5. Click Verify & Sign In

💡 Tip: Email codes are valid for 10 minutes. Check your spam folder if you don't see the email.

Using a Backup Code

If you can't access your authenticator app or email:

  1. Enter your email and password on the sign-in page
  2. When prompted for 2FA, enter one of your backup codes
  3. Click Verify & Sign In

⚠️ Remember: Each backup code can only be used once. After using a backup code, consider regenerating new ones from Security Settings.


Managing Your 2FA Settings

Viewing Your Current Setup

Go to Settings → Security to see:

  • Which 2FA methods are currently enabled
  • Your default 2FA method for sign-in
  • Number of remaining backup codes

Changing Your Default Method

If you have both authenticator and email enabled:

  1. Go to Settings → Security
  2. Find the Default Method section
  3. Select your preferred method
  4. Click Save Changes

Disabling a 2FA Method

  1. Go to Settings → Security
  2. Find the method you want to disable
  3. Toggle it off or click Disable
  4. Confirm with your password if prompted

⚠️ Warning: If you disable all 2FA methods, your account will only be protected by your password.

Regenerating Backup Codes

If you've used some backup codes or suspect they've been compromised:

  1. Go to Settings → Security
  2. Click Regenerate Backup Codes
  3. Enter a verification code to confirm
  4. Save the new codes securely
  5. Old codes will no longer work

Troubleshooting

"Invalid verification code" Error

For Authenticator App:

  • Make sure the time on your phone is correct (sync with network time)
  • Wait for a new code if the current one is about to expire
  • Ensure you're using the code for the correct account

For Email Codes:

  • Codes expire after 10 minutes - request a new one
  • Check your spam/junk folder
  • Make sure you're entering the most recent code
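
Why a wrong phone clock produces the "Invalid verification code" error, as an added example (not anonymize.today's code): a standard RFC 6238 TOTP generator and verifier using the guide's 30-second, 6-digit parameters. HMAC-SHA1, the one-step drift tolerance, the replay check and the RFC test secret are assumptions; the page does not say how the service verifies codes.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per code, as stated in the guide
DIGITS = 6   # code length, as stated in the guide

# Constructed sample secret: the RFC 6238 test key in the base32 form
# that a setup QR code would carry. Not a real account secret.
KEY = base64.b32decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")


def hotp(key: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(key: bytes, unix_time: float) -> str:
    """Code an authenticator app shows when its clock reads unix_time."""
    return hotp(key, int(unix_time) // STEP)


def verify(key: bytes, code: str, server_time: float,
           window: int = 1, last_counter: int = -1):
    """Return the matched time-step counter, or None if the code is rejected.

    window       -- time steps of clock drift tolerated on each side (assumed 1)
    last_counter -- highest counter already accepted; blocks code replay
    """
    current = int(server_time) // STEP
    matched = None
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter < 0 or counter <= last_counter:
            continue
        # Constant-time comparison; keep looping so timing does not
        # reveal which step matched.
        if hmac.compare_digest(hotp(key, counter), code):
            matched = counter
    return matched


def demo() -> dict:
    server_time = 1111111109                       # constructed server clock
    in_sync = totp(KEY, server_time)
    fast_20s = totp(KEY, server_time + 20)         # phone 20 s ahead
    slow_5min = totp(KEY, server_time - 300)       # phone 5 min behind
    accepted = verify(KEY, fast_20s, server_time)
    return {
        "in_sync": verify(KEY, in_sync, server_time),
        "fast_20s": accepted,
        "slow_5min": verify(KEY, slow_5min, server_time),
        "replayed": verify(KEY, fast_20s, server_time, last_counter=accepted),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10s} -> {'accepted' if result is not None else 'rejected'}")
```

A phone that is a few seconds off still lands inside the tolerated window, while one that is minutes off generates codes for a time step the server never checks, which is why syncing the phone's clock fixes the error.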

Can't Access Authenticator App

  1. Try signing in with a backup code
  2. Once signed in, go to Security Settings
  3. Disable the old authenticator setup
  4. Set up a new authenticator app

Not Receiving Email Codes

  1. Check your spam/junk folder
  2. Verify your email address is correct in your profile
  3. Wait a few minutes and try again
  4. Contact support if the issue persists

Lost All Access Methods

If you've lost access to:

  • Your authenticator app
  • Your email
  • All backup codes

Please contact support at [email protected] with:

  • Your account email address
  • Proof of identity
  • Reason for the request

Security Best Practices

DO ✅

  • Use an authenticator app as your primary method
  • Keep backup codes in a secure location
  • Use a unique, strong password for your account
  • Keep your authenticator app updated
  • Periodically check your security settings

DON'T ❌

  • Share your backup codes with anyone
  • Store backup codes in an easily accessible location
  • Use the same password as other websites
  • Ignore suspicious sign-in attempts
  • Disable 2FA without a good reason

Frequently Asked Questions

Q: Can I use 2FA on multiple devices?
A: Yes! Most authenticator apps allow you to sync across devices, or you can set up the same account on multiple apps by scanning the QR code on each device during setup.

Q: What happens if I get a new phone?
A: Before switching phones, either:

  • Transfer your authenticator app data to the new phone
  • Use backup codes to sign in and set up 2FA again
  • Disable 2FA, switch phones, then re-enable it

Q: Is email 2FA as secure as an authenticator app?
A: Authenticator apps are generally more secure because:

  • Codes are generated offline
  • No network interception risk
  • Codes change every 30 seconds

Email is still a good option and much better than no 2FA at all.

Q: How many backup codes do I get?
A: You receive 10 backup codes when you first enable 2FA. Each can only be used once.

Q: Can I see which backup codes I've used?
A: For security reasons, you can only see how many backup codes remain, not which specific codes have been used.


Need Help?

If you're having trouble with 2FA: