Security Overview

Security Overview

Last updated: 19th November 2025

This page explains how Aneo protects customer data and operates its products securely. It applies to aneo.io and all subdomains and aliases, for example app.aneo.io, api.aneo.io, docs.aneo.io, status.aneo.io, and any future subdomains under *.aneo.io.

Security is a shared responsibility. We secure the platform. You configure access, review outputs, and manage your users.

 

Summary

  • Core product data processed in EU regions on Google Cloud Platform (GCP).

  • Primary database on Supabase (EU).

  • Authentication via Firebase Authentication with Google, Microsoft, and LinkedIn sign‑in.

  • AI features use OpenAI for model inference. No training on your content unless you opt in.

  • Website hosting and DNS on Hostinger.

  • Business email and docs on Google Workspace. CRM on HubSpot. Analytics via Google Analytics (GA4) with consent.

  • Sub‑processor list at https://www.aneo.io/subprocessors/.

 

Governance

  • Security policies approved by leadership and reviewed at least annually.

  • Defined roles and responsibilities for security and privacy.

  • Employee background checks where legally permitted.

  • Confidentiality agreements for all personnel.

  • Mandatory security and privacy training.

Data residency and isolation

  • Core product data is hosted in EU GCP regions.

  • Supabase databases are provisioned in EU regions.

  • Customer projects are logically isolated.

  • Optional zero‑retention mode for certain AI prompts and outputs on supported plans.

Encryption

  • In transit: TLS 1.2 or higher for all external connections.

  • At rest: industry‑standard encryption for databases, backups, and object storage.

  • Key management follows cloud provider best practices.

Identity and access management

  • Role‑based access control and least privilege.

  • MFA required for administrative access.

  • Just‑in‑time elevation and time‑bound production access where feasible.

  • Centralized identity for corporate systems via Google Workspace.

  • Session management and idle timeouts.

Network security

  • Private networking, security groups, and restrictive firewalls.

  • Segmented environments for development, staging, and production.

  • Web application firewall and rate limiting on public endpoints.

  • DDoS protections provided by cloud and CDN layers.

Application security

  • Secure SDLC with code review and dependency scanning.

  • Secrets management and rotation.

  • Automated testing integrated into CI.

  • Periodic third‑party penetration testing.

  • Change management with approvals and rollback plans.

Vulnerability management

  • Continuous monitoring for vulnerabilities in code and infrastructure.

  • Prioritized remediation based on severity and exploitability.

  • Emergency patch process for critical issues.

Logging and monitoring

  • Centralized collection of security‑relevant logs.

  • Alerting for anomalies and suspicious activity.

  • Time synchronization and secure log retention.

  • Access to logs is restricted and audited.

Incident response

  • Documented incident response plan with defined roles.

  • Investigation, containment, eradication, and recovery workflows.

  • Post‑incident reviews with corrective actions.

  • Breach notifications within 72 hours of awareness for incidents affecting Customer Personal Data. See https://www.aneo.io/dpa/.

Business continuity and disaster recovery

  • Regular backups with encrypted storage and periodic restore testing.

  • Redundant infrastructure within selected regions.

  • Capacity and performance monitoring.

  • Documented continuity and recovery procedures with defined RPO and RTO targets.

  • Targets can be shared on request for your plan.

Data lifecycle

  • You own your data. Export tools are available during your subscription.

  • Configurable retention where supported.

  • On termination we delete or de‑identify Customer Personal Data from active systems within 30 days and from backups within 90 days, unless required by law. See the DPA.

Product security features

  • Single sign‑on with Google, Microsoft, and LinkedIn via OAuth.

  • Role‑based permissions and project scoping.

  • Audit trails for key actions where available.

  • Session management and device awareness.

  • IP allowlist and advanced controls available on supported plans. Contact us for details.

AI safeguards

  • Safety filters for prompts and outputs.

  • No training on your content unless you opt in.

  • Zero‑retention option for certain AI flows on supported plans.

  • Human review required for material actions and policy text. See https://www.aneo.io/responsible-ai/.

Third‑party risk and sub‑processors

  • Security review before onboarding a vendor.

  • DPAs and SCCs or other transfer tools where required.

  • Ongoing monitoring of vendor security posture.

  • Current list at https://www.aneo.io/subprocessors/ with 15 days advance notice for changes.

Compliance and best practices

  • Controls aligned with ISO/IEC 27001 and NIST CSF principles.

  • No representation of certification unless explicitly stated.

  • Data subject rights supported per the Privacy Policy and DPA.

Responsible disclosure

Shared responsibility

  • Configure roles and permissions for least privilege.

  • Keep your identity provider secure and enforce MFA for your users.

  • Control who can export data and approve policy text.

  • Do not upload prohibited or highly sensitive data unless agreed in writing. See https://www.aneo.io/acceptable-use/.

Contact

Security team: security@aneo.io
General privacy inquiries: privacy@aneo.io

Changes

We may update this page as our practices evolve. The Last updated date shows the current version. Continued use after changes means you accept the updated page.