Security
Anabel handles your most sensitive business data: emails, conversations, decisions, and pipeline intelligence. We take that responsibility seriously. This page documents how we protect your data and our compliance roadmap.
Data Isolation
Every Anabel client runs on a dedicated, isolated cloud instance. Your data is architecturally separated from all other clients. No shared databases, no shared application processes. Your AI instance can only access your data.
Encryption
- In transit: All data is encrypted using TLS 1.2+ between your devices, our infrastructure, and third-party integrations.
- At rest: Data stored on disk is encrypted using AES-256.
- Credentials: All API keys, OAuth tokens, and secrets are stored encrypted using AGE encryption, never in plaintext.
Access Controls
- Multi-factor authentication is available and recommended for all accounts.
- Access to production systems is restricted to authorised personnel only.
- All administrative access is logged and monitored.
- Webhook endpoints are protected with HMAC signature verification. Unauthenticated requests are rejected.
- OAuth tokens use atomic write patterns to prevent race conditions and credential corruption.
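The webhook signature check and the atomic token write named in the two items above, as an added illustration (not Anabel's code): the header name, the "sha256=" prefix and the token file layout are assumptions.

```python
import hmac
import hashlib
import json
import os
import tempfile

# Constructed example: the sender signs the raw request body with a shared
# secret and puts the hex digest in a header. The header name and the
# "sha256=" prefix are assumptions, not Anabel's actual format.
SIGNATURE_HEADER = "X-Signature-256"

def sign_body(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 over the raw body, as the sender computes it."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_webhook(secret: bytes, body: bytes, headers: dict) -> bool:
    """Accept only if the header carries a valid HMAC of the exact body."""
    presented = headers.get(SIGNATURE_HEADER, "")
    if not presented.startswith("sha256="):
        return False
    expected = sign_body(secret, body)
    # compare_digest is constant-time: latency does not reveal which byte differed.
    return hmac.compare_digest(presented.encode(), expected.encode())

def atomic_write_token(path: str, token: dict) -> None:
    """Write the token to a temp file beside the target, then rename over it.

    os.replace is a single atomic rename on POSIX, so a concurrent reader
    never observes a half-written file and two refreshes cannot interleave.
    """
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".token-")
    try:
        with os.fdopen(fd, "w") as f:
            json.dump(token, f)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, 0o600)  # owner-only before the file becomes visible
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise

def roundtrip_in_tempdir(token: dict) -> dict:
    """Write then read back a token in a fresh directory (used by the check)."""
    path = os.path.join(tempfile.mkdtemp(), "token.json")
    atomic_write_token(path, token)
    with open(path) as f:
        return json.load(f)
```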
Security Monitoring
- Automated health checks run continuously across all services, with alerting on failure.
- Integrity monitoring detects unauthorised changes to critical files.
- Canary tokens detect unauthorised data exfiltration attempts.
- Secret rotation is performed on a 90-day scheduled cadence.
- AI prompt injection defences are active on all input boundaries.
Audit Logging
All decisions, actions, and AI outputs are logged with full audit trails. Logs are retained and available for review. We use Langfuse for AI observability. Every model call, tool use, and output is recorded.
Data Residency
Your Anabel instance runs on dedicated infrastructure. Data is processed and stored on your assigned server. AI model calls are processed by Anthropic (Claude) under their enterprise terms, which prohibit using customer data for model training.
Incident Response
We maintain an incident response procedure covering detection, containment, notification, and post-incident review. In the event of a confirmed data breach, affected clients will be notified within 72 hours in accordance with GDPR Article 33 obligations.
Third-Party Security
We maintain a vendor register of all third-party services used in delivering the platform. Sub-processors are assessed for security posture before onboarding. Our infrastructure provider operates with SOC 2-aligned controls.
Certifications and Compliance
- CSA STAR Level 1 (Cloud Security Alliance): listed on the STAR Registry. Self-assessment covering 17 control domains (CAIQ v4.1).
Compliance Roadmap
- Cyber Essentials (UK NCSC): in progress. Covers firewalls, secure configuration, access control, malware protection, and patch management.
- SOC 2 Type I: target Q3 2026. An independent audit of our security and confidentiality controls.
- SOC 2 Type II: target Q4 2026. Ongoing evidence of controls operating effectively over time.
Data Processing Agreement
Enterprise clients who require a Data Processing Agreement (DPA) covering GDPR and UAE PDPL obligations can request one by contacting us. The DPA covers our obligations as Data Processor, your rights as Data Controller, sub-processor disclosures, and breach notification procedures.
Responsible Disclosure
If you discover a security vulnerability in Anabel, please report it to security@getanabel.ai. We will acknowledge your report within 48 hours and work to resolve confirmed issues promptly. We do not pursue legal action against researchers acting in good faith.
Contact
For security enquiries, data processing questions, or to request a DPA: