# Security Overview

> How AnomalyArmor protects your data with enterprise-grade security controls

AnomalyArmor is built with security as a foundational principle, not an afterthought. We understand that data observability tools have access to sensitive infrastructure, and we've designed our platform to limit data exposure to metadata and bounded aggregates, and to enforce that boundary at every layer.

<img src="https://mintcdn.com/anomalyarmor/-pFpKEip0ftEEXe9/images/diagrams/security-data-flow-light.svg?fit=max&auto=format&n=-pFpKEip0ftEEXe9&q=85&s=61d7f9ca6b6b685d499c025bc8d30107" alt="Security architecture showing TLS 1.3 encryption, restricted read access, and AES-256 at rest" className="block dark:hidden" width="1000" height="500" data-path="images/diagrams/security-data-flow-light.svg" />

<img src="https://mintcdn.com/anomalyarmor/CZXBGa_D1aE9spAI/images/diagrams/security-data-flow-dark.svg?fit=max&auto=format&n=CZXBGa_D1aE9spAI&q=85&s=d1103cc0dc1c0eced0d0bdc73d3a890a" alt="Security architecture showing TLS 1.3 encryption, restricted read access, and AES-256 at rest" className="hidden dark:block" width="1000" height="500" data-path="images/diagrams/security-data-flow-dark.svg" />

## Core Security Principles

### Metadata and Aggregates Only, Never Raw Row Values

The most important security control is what we **don't** access:

| We Access                                                                | We Never Access                 |
| ------------------------------------------------------------------------ | ------------------------------- |
| Table names                                                              | Individual row data             |
| Column names and types                                                   | `SELECT *` or raw column values |
| Schema metadata                                                          | PII content                     |
| Timestamp values (for freshness)                                         | Business-sensitive records      |
| Constraint definitions                                                   | Query results beyond aggregates |
| Aggregate statistics (`COUNT`, `MIN`, `MAX`, `SUM`, `AVG`, `PERCENTILE`) |                                 |

When you connect a database, AnomalyArmor queries system catalogs (`information_schema`, `pg_catalog`, etc.) for structure, and runs bounded aggregate queries against your tables for monitoring. It never runs `SELECT *` or row-level reads of sensitive columns.

```sql
-- What we query (metadata + aggregates)
SELECT table_name, column_name, data_type
FROM information_schema.columns;
SELECT COUNT(*), MAX(created_at) FROM orders;

-- What we NEVER query (raw rows)
SELECT * FROM users;                   -- ❌ Never executed
SELECT email, ssn FROM customers;      -- ❌ Never executed
```

This isn't just policy. It's enforced by our open-source [Query Gateway](/security/query-gateway), which parses and validates every SQL query before execution.

### Defense in Depth

Security is implemented at every layer:

<img src="https://mintcdn.com/anomalyarmor/-pFpKEip0ftEEXe9/images/diagrams/security-layers-light.svg?fit=max&auto=format&n=-pFpKEip0ftEEXe9&q=85&s=2e4822dda38dd190f1cc8837fe8f9b2d" alt="Four layers of security: Network, Authentication, Application, and Data" className="block dark:hidden" width="900" height="440" data-path="images/diagrams/security-layers-light.svg" />

<img src="https://mintcdn.com/anomalyarmor/-pFpKEip0ftEEXe9/images/diagrams/security-layers-dark.svg?fit=max&auto=format&n=-pFpKEip0ftEEXe9&q=85&s=d5acab67344a85801c3b52c8a3cba7e1" alt="Four layers of security: Network, Authentication, Application, and Data" className="hidden dark:block" width="900" height="440" data-path="images/diagrams/security-layers-dark.svg" />

## Compliance & Certifications

### GDPR Compliance

For customers in the EU or handling EU data:

* Data Processing Agreement (DPA) available
* Right to erasure supported
* Data portability supported
* EU data residency options (contact sales)

### HIPAA Readiness

For healthcare organizations:

* Business Associate Agreement (BAA) available
* Enhanced audit logging
* Contact us for healthcare-specific deployment options

## Encryption

### Data in Transit

All network traffic uses **TLS 1.3** encryption:

* Database connections from AnomalyArmor to your infrastructure
* Web traffic to the AnomalyArmor dashboard
* API calls to AnomalyArmor services
* Webhook deliveries to your endpoints

**Minimum TLS version**: 1.2 (1.3 preferred)
**Cipher suites**: Modern, AEAD-only (AES-GCM, ChaCha20-Poly1305)

### Data at Rest

All stored data is encrypted with **AES-256**:

| Data Type            | Encryption  | Key Management              |
| -------------------- | ----------- | --------------------------- |
| Database credentials | AES-256-GCM | AWS KMS, automatic rotation |
| Asset metadata       | AES-256     | Managed by infrastructure   |
| Audit logs           | AES-256     | Immutable storage           |
| Backups              | AES-256     | Separate backup keys        |

### Key Management

Encryption keys are managed through AWS KMS:

* Automatic key rotation every 365 days
* Keys never leave the KMS boundary
* Separate keys per customer (Enterprise)
* Hardware Security Module (HSM) backed

## Network Security

### Connection Architecture

AnomalyArmor connects **outbound** to your databases:

<img src="https://mintcdn.com/anomalyarmor/CZXBGa_D1aE9spAI/images/diagrams/network-rds-light.svg?fit=max&auto=format&n=CZXBGa_D1aE9spAI&q=85&s=4014c936f73915527a31ffe627db0af2" alt="Network connection architecture showing outbound connection from AnomalyArmor to customer database" className="block dark:hidden" width="900" height="500" data-path="images/diagrams/network-rds-light.svg" />

<img src="https://mintcdn.com/anomalyarmor/CZXBGa_D1aE9spAI/images/diagrams/network-rds-dark.svg?fit=max&auto=format&n=CZXBGa_D1aE9spAI&q=85&s=65ce1474295d5391f8777708f231acd3" alt="Network connection architecture showing outbound connection from AnomalyArmor to customer database" className="hidden dark:block" width="900" height="500" data-path="images/diagrams/network-rds-dark.svg" />

### IP Allowlisting

AnomalyArmor uses static IP addresses for database connections:

```
Production IPs (US region):
34.xxx.xxx.xxx/32
34.xxx.xxx.xxx/32

# Add these to your security group/firewall
```

<Note>
  Contact support for the current list of IP addresses, or view them in **Settings → Security** in your dashboard.
</Note>

### VPC Peering (Enterprise)

For enhanced network isolation:

* Direct VPC peering between your AWS account and AnomalyArmor
* No public internet exposure for database connections
* Private DNS resolution

### AWS PrivateLink (Enterprise)

Connect via AWS PrivateLink for:

* Fully private connectivity
* No data traversing public internet
* Simplified firewall rules

## Authentication & Access Control

### User Authentication

AnomalyArmor supports multiple authentication methods:

| Method            | Availability | Details                                 |
| ----------------- | ------------ | --------------------------------------- |
| Email + Password  | All plans    | Strong password requirements            |
| Google SSO        | All plans    | OAuth 2.0 integration                   |
| SAML 2.0 SSO      | Enterprise   | Okta, Azure AD, OneLogin, etc.          |
| Multi-Factor Auth | All plans    | TOTP-based (Google Authenticator, etc.) |

### Role-Based Access Control (RBAC)

Control who can do what:

| Role   | Permissions                                    |
| ------ | ---------------------------------------------- |
| Viewer | View assets, alerts, dashboards                |
| Editor | Viewer + configure alerts, manage destinations |
| Admin  | Editor + manage data sources, team members     |
| Owner  | Admin + billing, security settings             |

### Session Security

* Session tokens expire after 24 hours of inactivity
* Sessions invalidated on password change
* Concurrent session limits (Enterprise)
* IP-based session restrictions (Enterprise)

## Credential Security

### How We Store Your Database Credentials

Database credentials are the most sensitive data we handle:

1. **Encryption**: AES-256-GCM with customer-specific keys
2. **Key storage**: AWS KMS with HSM backing
3. **Access logging**: Every credential access is logged
4. **Least privilege**: Only the discovery engine accesses credentials
5. **No visibility**: Support staff cannot view your credentials

### Credential Recommendations

<Warning>
  Always create a **read-only, dedicated user** for AnomalyArmor. Never share credentials with production applications.
</Warning>

Recommended setup for PostgreSQL:

```sql
-- Create dedicated read-only user
CREATE USER anomalyarmor WITH PASSWORD 'secure-password';

-- Grant minimal permissions
GRANT CONNECT ON DATABASE your_db TO anomalyarmor;
GRANT USAGE ON SCHEMA public TO anomalyarmor;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO anomalyarmor;

-- For information_schema access (required)
-- This is typically granted by default
```
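To confirm that the role set up above is read-only in practice, a database administrator can add a few guardrails and query the PostgreSQL catalogs. This is an added example, not AnomalyArmor's own script; the role and database names follow the snippet above, and the connection limit and timeout are assumed values.

```sql
-- Added example: guardrails and checks for the role created above.
-- Values marked "assumed" are illustrative; adjust to your environment.

-- 1. Cap resource use. ALTER ROLE ... SET applies to new sessions only.
ALTER ROLE anomalyarmor CONNECTION LIMIT 5;                  -- assumed
ALTER ROLE anomalyarmor SET statement_timeout = '30s';       -- assumed
-- Session default only; the grants remain the actual control.
ALTER ROLE anomalyarmor SET default_transaction_read_only = on;

-- 2. GRANT ... ON ALL TABLES covers existing tables only. Extend SELECT
--    to tables that the role running this statement creates later.
ALTER DEFAULT PRIVILEGES IN SCHEMA public
  GRANT SELECT ON TABLES TO anomalyarmor;

-- 3. Role attributes. CREATE USER leaves these off by default;
--    every boolean should be false.
SELECT rolname, rolsuper, rolcreatedb, rolcreaterole,
       rolreplication, rolbypassrls, rolconnlimit
FROM pg_roles
WHERE rolname = 'anomalyarmor';

-- 4. Tables the role can write to, including through PUBLIC or
--    inherited roles. Expect zero rows.
SELECT n.nspname AS schema_name, c.relname AS table_name
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind IN ('r', 'p')
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND has_table_privilege('anomalyarmor', c.oid,
                          'INSERT, UPDATE, DELETE, TRUNCATE');

-- 5. Object creation. Expect false for both. A true in the first column
--    usually means PUBLIC still holds CREATE on schema public, which was
--    the default up to PostgreSQL 14.
SELECT has_schema_privilege('anomalyarmor', 'public', 'CREATE')
         AS can_create_in_public,
       has_database_privilege('anomalyarmor', 'your_db', 'CREATE')
         AS can_create_schema;
```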

## Audit Logging

### What We Log

Every significant action is logged:

| Event Type     | Details Logged                                  |
| -------------- | ----------------------------------------------- |
| Authentication | Login, logout, failed attempts, MFA events      |
| Data access    | Discovery runs, asset views, exports            |
| Configuration  | Rule changes, destination updates, team changes |
| Admin actions  | User management, security settings              |

### Log Retention

* **Standard**: 90 days retention
* **Enterprise**: Configurable retention, SIEM integration

### Accessing Audit Logs

Navigate to **Settings → Audit Log** to view activity:

* Filter by user, action type, date range
* Export to CSV
* API access for SIEM integration (Enterprise)

## Infrastructure Security

### Cloud Provider

AnomalyArmor runs on AWS with:

* Multi-AZ deployment for high availability
* Automated backups with point-in-time recovery
* DDoS protection via AWS Shield
* Web Application Firewall (WAF)

### Host Security

* Hardened AMIs with minimal attack surface
* Automatic security patching
* No SSH access to production hosts
* Immutable infrastructure (replaced, not updated)

### Container Security

* Non-root container execution
* Read-only file systems where possible
* Resource limits enforced
* Regular vulnerability scanning

## Incident Response

### Our Commitment

In the event of a security incident:

1. **Detection**: 24/7 monitoring with automated alerting
2. **Response**: Incident response team engaged within 1 hour
3. **Communication**: Affected customers notified within 24 hours
4. **Resolution**: Root cause analysis and remediation
5. **Post-mortem**: Detailed report shared with affected customers

### Reporting Security Issues

If you discover a security vulnerability:

* Email: [security@anomalyarmor.ai](mailto:security@anomalyarmor.ai)
* Response time: Within 24 hours
* Bug bounty: Contact us for details

<Warning>
  Please do not disclose security issues publicly until we've had a chance to address them.
</Warning>

## Penetration Testing

### Our Testing

* Annual third-party penetration tests
* Continuous automated vulnerability scanning
* Bug bounty program for responsible disclosure

### Your Testing

Enterprise customers may conduct penetration testing:

1. Contact us at least 2 weeks in advance
2. Scope limited to your tenant
3. Provide test dates and methodology
4. Share findings for mutual benefit

## Security FAQ

<AccordionGroup>
  <Accordion title="Can AnomalyArmor employees see my data?">
    No. Employees cannot access customer credentials or metadata. All access is logged and audited. Support debugging happens with synthetic data only.
  </Accordion>

  <Accordion title="What happens if AnomalyArmor is breached?">
    Your database credentials are encrypted with customer-specific keys. Even in a breach, credentials cannot be decrypted without the KMS keys. We would notify you within 24 hours of any confirmed breach.
  </Accordion>

  <Accordion title="Can I run AnomalyArmor in my own cloud?">
    Self-hosted deployments are available for Enterprise customers with specific compliance requirements. Contact sales for details.
  </Accordion>

  <Accordion title="How do I revoke AnomalyArmor's access?">
    1. Delete the data source connection in AnomalyArmor
    2. Revoke the database user's permissions or delete the user
    3. Remove AnomalyArmor IPs from your security group
  </Accordion>
</AccordionGroup>

## Common Questions

### Is AnomalyArmor SOC 2 / GDPR / HIPAA compliant?

AnomalyArmor is GDPR-compliant with a DPA available, and HIPAA-ready with a BAA available for Enterprise. SOC 2 Type II is in progress; contact [security@anomalyarmor.ai](mailto:security@anomalyarmor.ai) for the current report status.

### Does AnomalyArmor support SSO and MFA?

Yes. Email + password, Google SSO, and TOTP-based MFA are available on all plans. SAML 2.0 SSO (Okta, Azure AD, OneLogin) is available on Enterprise. See [User Authentication](#user-authentication).

### Can I connect AnomalyArmor to a database that isn't publicly reachable?

Yes, on Enterprise. VPC peering and AWS PrivateLink let AnomalyArmor reach databases without a public endpoint, so traffic never traverses the public internet. See [Network Security](#network-security).

### How are database credentials protected if AnomalyArmor is breached?

Credentials are encrypted with AES-256-GCM using customer-specific keys managed by AWS KMS with HSM backing. Even in a breach, credentials cannot be decrypted without the KMS keys, which never leave the KMS boundary.

### How do I revoke AnomalyArmor's access to my database?

Delete the data source connection in AnomalyArmor, then revoke or delete the database user on your side, and remove our IPs from your security group. That gives you a belt-and-suspenders revocation.
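The database-side step of that revocation, written out for PostgreSQL as an added example (not AnomalyArmor's own script). It assumes the `anomalyarmor` role and the grants from the recommended setup on this page, and is run by an administrator in each database where the role was granted access.

```sql
-- Added example: remove the monitoring role created in the recommended setup.

-- 1. Block new logins first, then end sessions that are already open.
ALTER ROLE anomalyarmor NOLOGIN;
SELECT pg_terminate_backend(pid)
FROM pg_stat_activity
WHERE usename = 'anomalyarmor'
  AND pid <> pg_backend_pid();

-- 2. Reverse the grants from the setup script.
REVOKE SELECT ON ALL TABLES IN SCHEMA public FROM anomalyarmor;
REVOKE USAGE ON SCHEMA public FROM anomalyarmor;
REVOKE CONNECT ON DATABASE your_db FROM anomalyarmor;

-- 3. Remove anything left in the current database: objects the role owns,
--    remaining privileges, and default-privilege entries.
--    Repeat in every database the role could reach.
DROP OWNED BY anomalyarmor;

-- 4. Delete the role. This fails while the role still owns objects or
--    holds privileges in another database, which shows step 3 was missed there.
DROP ROLE anomalyarmor;

-- 5. Confirm. Expect zero rows.
SELECT rolname FROM pg_roles WHERE rolname = 'anomalyarmor';
```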

### Can I run penetration tests against AnomalyArmor?

Enterprise customers can run penetration tests against their own tenant with 2 weeks' notice. Email [security@anomalyarmor.ai](mailto:security@anomalyarmor.ai) with scope, dates, and methodology. We also run annual third-party pen tests and a bug bounty for responsible disclosure.

## Related Pages

<CardGroup cols={2}>
  <Card title="Query Gateway" icon="shield-check" href="/security/query-gateway">
    Open-source SQL security layer
  </Card>

  <Card title="Data Handling" icon="database" href="/security/data-handling">
    What data we access and how we handle it
  </Card>

  <Card title="Data Retention" icon="clock" href="/security/data-retention">
    How long we keep your data
  </Card>
</CardGroup>
