Security at Ankos.
We take the security of your compliance evidence as seriously as you do.
The foundations of how we protect your data
Encryption at rest
All data is encrypted at rest using AES-256. Your evidence files and compliance records are never stored in plaintext.
Encryption in transit
All traffic between your browser, CLI, and our APIs is encrypted with TLS 1.2+. No exceptions, no fallbacks.
Access controls
Role-based access control with Admin, Editor, and Viewer roles. Every action is logged in an immutable audit trail.
Data isolation
Multi-tenant architecture with strict organization-level data isolation. Your data is logically separated at all times.
Least privilege
The Ankos CLI uses your own AWS credentials with read-only access. We never store your AWS keys.
Integrity verification
Every evidence file uploaded to Ankos is hashed with SHA-256. Integrity is verifiable at any time.
Hosted on AWS
Ankos runs on Amazon Web Services infrastructure in US-based regions. The platform is built with defense in depth — workloads run in isolated, ephemeral environments with a minimal attack surface, managed patching, and tenant-level data isolation enforced at every layer.
Your data is yours — full stop
🔐 Ownership & privacy
- You own all data you upload or generate
- We never sell your data to third parties
- We never use your data for AI model training
- We never use your data for advertising
- We process your data solely to provide the service
📤 Export & deletion
- Export all your data at any time via the app or API
- Full evidence package export in QSA-standard format
- Data retained during your active subscription
- Complete deletion from all systems upon request
Authentication & access
🪪 Authentication
- Industry-standard identity management
- Secure password policies with complexity requirements
- Secure session management with automatic expiration
🎯 Authorization
- Role-based permissions: Admin, Editor, Viewer
- API keys for CLI and CI/CD integration
- API keys are rotatable at any time
- Organization-scoped access boundaries
Your keys, your control
Designed so your credentials never leave your machine.
The Ankos CLI uses your existing AWS credentials (via your local AWS profile or environment variables) to scan your infrastructure. These credentials are used locally on your machine and are never transmitted to or stored by Ankos.
The CLI requires only read-only AWS permissions to collect evidence. It operates with an open architecture — you can inspect exactly what data is collected before uploading to the compliance ledger.
- Uses your local AWS credentials (read-only access)
- No AWS keys are stored or transmitted to Ankos
- Open architecture — inspect collected data before upload
- JSON output mode for integration with your own tools
- Runs in your environment, behind your firewall
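Because evidence is collected locally and each file's SHA-256 is recorded at upload, you can keep your own manifest and re-check the ledger's integrity claim independently. The script below is an added illustration, not Ankos code; it assumes the CLI leaves collected evidence as plain files in a directory and that the recorded digest is the SHA-256 of each file's raw bytes.

```python
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB reads, so large evidence archives need not fit in memory

def sha256_file(path: Path) -> str:
    """Hex SHA-256 of the file's raw bytes, the value a ledger would record."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(evidence_dir: Path) -> dict:
    """Digest every file under evidence_dir, keyed by path relative to it."""
    return {str(p.relative_to(evidence_dir)): sha256_file(p)
            for p in sorted(evidence_dir.rglob("*")) if p.is_file()}

def verify_manifest(evidence_dir: Path, manifest: dict) -> dict:
    """Compare files on disk with a recorded manifest and report every discrepancy."""
    current = build_manifest(evidence_dir)
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for name, digest in manifest.items():
        if name not in current:
            result["missing"].append(name)
        elif current[name] != digest:  # bytes changed since the digest was recorded
            result["modified"].append(name)
        else:
            result["ok"].append(name)
    result["unexpected"] = sorted(set(current) - set(manifest))  # files the ledger never saw
    return result

def demo() -> dict:
    """Constructed sample: record a manifest, then alter one file and delete another."""
    tmp = Path(tempfile.mkdtemp())  # constructed evidence directory, hypothetical contents
    (tmp / "s3-buckets.json").write_text(json.dumps({"bucket": "example-bucket", "sse": "AES256"}))
    (tmp / "iam-users.json").write_text(json.dumps({"users": ["alice", "bob"]}))
    manifest = build_manifest(tmp)
    (tmp / "iam-users.json").write_text(json.dumps({"users": ["alice"]}))  # post-upload edit
    (tmp / "s3-buckets.json").unlink()  # post-upload deletion
    return verify_manifest(tmp, manifest)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against the directory the CLI wrote before upload, store the manifest somewhere the evidence cannot reach, and any later mismatch against the ledger's recorded digests points at the exact file to investigate.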
Compliance & certifications
Ankos is built with the encryption, access control, and audit logging standards of PCI DSS, SOC 2, and GDPR in mind from day one. We are actively working toward formal certifications and conduct regular security reviews.
Vulnerability reporting
We welcome responsible disclosure from the security community.
If you discover a security vulnerability in Ankos, we ask that you report it responsibly. Please email security@ankos.dev with a description of the vulnerability, steps to reproduce, and any relevant proof-of-concept.
We commit to responding promptly to all security reports. We will not pursue legal action against security researchers who act in good faith and follow responsible disclosure practices.
Please do not access other users' data, disrupt service availability, or publicly disclose vulnerabilities before we have had a reasonable opportunity to address them.
Third-party services we use
We evaluate all sub-processors for their security practices before engagement and maintain data processing agreements with each.
| Provider | Purpose |
|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure |
| Stripe | Payment processing |
This list is updated as sub-processors change.