Built to protect sensitive information.
Agencies trust Anchor Core AI with financial details, health questions, and personal client data. That trust is the product. Here's exactly how that information is kept safe — in plain language, with no overstated claims.
Security built in at every layer.
Not a checkbox bolted on at the end — encryption, isolation, and access control are part of how the platform is built.
Encrypted end to end
Every connection is protected with TLS/HTTPS in transit, and all data is encrypted at rest (AES-256) on the database. Nothing sensitive is ever stored or sent in the clear.
Strict agency isolation
Each agency's data is partitioned and protected by row-level security in the database. One agency can never see another's clients, cases, or financials — it's enforced at the data layer, not just the screen.
Access control at the server
Owner, admin, sub-admin, agent, and assistant each see only what their role allows — and it's enforced on the server, not just hidden in the UI. The financial and configuration back office is blocked at the edge for restricted roles.
Least privilege by design
Read-only investigation seats, an assistant role with no access to financials or configuration, and credentials that are scoped to exactly what each person needs — nothing more.
Always-on monitoring
A nightly self-healing audit and an on-demand deep-dive sweep every portal for integrity and connection issues, log them, and email the owner — so problems surface fast and don't sit silently.
Backed up & recoverable
Automated backups run on managed, enterprise-grade infrastructure, so data can be restored after an incident or mistake.
The most sensitive data gets the most protection.
Financial figures, health questions, and personal client information are encrypted, isolated per agency, and restricted by role on the server. Sensitive collection is minimized, oversight roles are read-only, and the assistant role can't reach financials or configuration at all. Where a formal compliance step like a HIPAA Business Associate Agreement is required, it's handled openly during enterprise onboarding — we tell you exactly what's covered.
Straight answers on security.
Is my data encrypted?
Yes — in transit (TLS/HTTPS on every request) and at rest (AES-256 on the database). Passwords are salted and hashed, never stored in plain text.
Who can actually see my data?
Only your agency. Data is isolated per agency with database-level row security, and within your agency each role sees only what it's entitled to. Owner/executive oversight is read-only when investigating, and the assistant role is blocked from financials and configuration entirely — enforced on the server.
Do you sell or share my data?
No. Your data is yours. We do not sell, rent, or share it, and your client and agency data is never used for advertising. This is also written into your client agreement.
Does the AI train on my data?
No. The AI assistant runs on Anthropic's API, which does not train its models on the data sent through it. Your questions, client details, and documents are not used to train any model.
Where is my data stored, and is it backed up?
Data is stored in a US region on managed, SOC 2-compliant cloud infrastructure (Supabase/AWS for data, Vercel for the application), with automated backups for recovery.
What about medical and other sensitive health information?
Insurance work can touch health questions, so we minimize what's collected and protect everything with the same encryption and access controls. For agencies that require a formal HIPAA Business Associate Agreement, that's handled as part of enterprise onboarding — we'll tell you plainly what is and isn't covered rather than overstate it.
Is the platform HIPAA or SOC 2 certified?
Anchor Core AI is built ON SOC 2-compliant infrastructure and follows the core safeguards those frameworks require — encryption, least-privilege access, isolation, monitoring, and audit logging. Formal HIPAA BAAs and independent certification are pursued as part of enterprise engagements; we will never claim a certification we don't hold.
What happens if there's a security incident?
Issues are logged and surfaced immediately through the monitoring system. If an incident affected your data, you'd be notified directly and promptly, with a clear account of what happened and what was done.
Can I export or delete my data?
Yes. Your data belongs to you — it can be exported, and on offboarding it is removed per your agreement. You're never locked in.
Who has access on your side?
Access is founder-led and tightly held, on a least-privilege basis. Administrative database keys are server-side only and never exposed to browsers or third parties.
Questions about security or compliance?
Ask directly — you'll get a straight answer from the founder, not a sales script.