Security & Compliance FAQ
Everything your IT, legal, and compliance teams need to know: data residency, GDPR, EU AI Act, encryption, access controls, and how Anthropos protects your people's data.
Where is our data stored?
All customer data is processed and stored in the EU — specifically AWS EU-West-1 (Ireland) with multi-availability-zone deployment. AI inference routes through EU endpoints first: Azure OpenAI EU and AWS Bedrock EU. US-based fallback endpoints are used only when EU endpoints are temporarily unavailable. No customer data is permanently stored outside the EU.
Does Anthropos use employee or candidate data to train AI models?
No. Anthropos explicitly does not use candidate or employee data — including simulation transcripts, assessment outputs, or CV data — to train AI models. This policy applies universally across all customer data.
How is data deleted after our contract ends?
All customer data is automatically deleted 90 days after contract termination. Individual users can request deletion at any time under GDPR and CCPA right-to-erasure provisions. During the 90-day window, data remains accessible for audit and knowledge transfer. A full Data Processing Agreement (DPA v1.4) details all retention and deletion policies.
How is data encrypted in transit and at rest?
In transit: TLS 1.3 with ECDHE key exchange (AES-128+ cipher suite, SHA-256+ integrity). HTTPS enforced on all public endpoints. All service-to-service communication also encrypted via TLS.
At rest: AES-256 encryption managed through AWS KMS with automated key rotation. Covers database (PostgreSQL RDS), file storage (S3), and compute volumes (EBS). No individual Anthropos team member holds encryption keys.
Who at Anthropos can access our data?
Anthropos staff has access to customer data for troubleshooting purposes only. Infrastructure access requires MFA and a secure VPN (Tailscale). There is no direct SSH access to production servers. All access is logged via AWS CloudTrail. Privileges are reviewed periodically and revoked immediately upon role changes.
How does multi-tenant data isolation work?
Three independent isolation layers:
- Database: Every table has a mandatory organization_id. ORM automatically filters all queries by organizational context.
- Application: Every API request validated against the user’s organizational membership via Casbin RBAC/ABAC. Real-time authorization checks on every operation.
- Identity: JWT tokens include organizational context. Sessions are organization-scoped via Clerk. Short-lived tokens with automatic revocation.
All three layers must be bypassed simultaneously to expose cross-tenant data — not architecturally possible in normal operation.
Is Anthropos GDPR compliant?
Yes. Key compliance posture:
- All data processed and stored in EU (AWS EU-West-1)
- Data Processing Agreement (DPA v1.4) with 18 approved sub-processors
- Candidate and employee data never used for AI model training
- Right to erasure supported
- 90-day automatic data deletion post-contract termination
- Sub-processor list published at anthropos.work/privacy-policy
How is Anthropos classified under the EU AI Act?
Anthropos AI Simulations are classified as Limited Risk under the EU AI Act — not High Risk. The rationale: AI generates scenarios and conducts conversations, but does not make hiring or employment decisions. All evaluation and scoring is deterministic and rubric-based — defined by your team, fully transparent. Anthropos has a formal risk classification analysis available on request.
Is Anthropos SOC 2 certified?
Yes. Anthropos is SOC 2 compliant. SOC 2 Type II reports are available to enterprise customers under NDA upon request.
Who are Anthropos’s AI sub-processors?
Key sub-processors by category:
- AI inference: OpenAI (via Azure EU), Anthropic (via AWS Bedrock EU), ElevenLabs (voice synthesis)
- Infrastructure: AWS, Vercel, Clerk
- Voice: LiveKit, AWS Chime SDK
- Analytics: PostHog, Sentry
Full list at anthropos.work/privacy-policy. Enterprise customers are notified in advance of material sub-processor changes as required by GDPR Article 28.