Security at Anvil

• Code review required on every change; no self-merges to production branches.
• SAST, DAST, dependency, secret, and container scanning in CI; findings are triaged and SLA-tracked.
• Threat modelling for new systems that touch auth, payments, or PII.
• Annual third-party penetration test (full-scope). Summary available under NDA.
• Bug bounty / responsible disclosure — see below.
• Security-champion programme: at least one trained champion per squad.

• Centralised, tamper-evident log storage with at least 1 year retention for security events.
• Real-time alerting on authentication anomalies, permission escalations, data-export volume spikes, and WAF signals.
• Sentry for application errors; OpenTelemetry traces and metrics for performance.
• Database audit logs for administrative and cross-tenant read/write.
• Weekly review of high-risk audit events by the security team.

• Backups: encrypted daily full + hourly incrementals for PostgreSQL; object storage is versioned and cross-region-replicated.
• Retention: 35 days rolling. Legal-hold and longer retention available on Enterprise plans.
• Restore tests: we perform a full database restore to a clean environment at least quarterly and verify data integrity.
• Targets: RPO ≤ 1 hour, RTO ≤ 4 hours for the primary database. Actual measured figures are available to customers under NDA.
• Multi-zone: stateless services run active-active across zones. Stateful services fail over automatically with health-check gating.

• Background checks where permitted by law.
• Signed confidentiality and acceptable-use policy on hire.
• Annual security-awareness and phishing-simulation training.
• Managed device posture (disk encryption, screen lock, EDR) required for any device that accesses production.
• Vendor review before engaging any processor with access to customer data. See the sub-processor list.
• Joiner / mover / leaver process for access provisioning and revocation.

Customers on Enterprise plans can request our SIG-Lite, CAIQ, or vendor questionnaire under NDA.

• Deletion requests from end-users are honoured within 30 days (or faster where required by law).
• On account termination, data is retained for a 30-day export window, then deleted or anonymised within a further 60 days, per the DPA.
• Backups that contain deleted data are purged on the standard rotation (≤ 35 days). We do not hand-edit backups.
• A certificate of deletion is available on request.

We welcome reports from security researchers. Please email security@anvilhk.com (forwarded to 738888@proton.me) with:

• A clear description of the issue and affected asset.
• Proof-of-concept steps, minimised to avoid touching real customer data.
• Your name or handle if you would like credit.

We commit to:

• Acknowledge within 2 business days.
• Provide an initial assessment within 5 business days.
• Not pursue legal action against researchers who act in good faith within the scope of our security.txt policy.
• Credit researchers (with consent) on a hall-of-fame page.

A paid bug-bounty programme is being scoped for 2026. Until it launches, we pay at our discretion for high-impact issues.

• Live status at status.anvilhk.com.
• Scheduled maintenance is announced at least 72 hours in advance on the status page.
• We publish a transparency report annually summarising data-request volumes from law enforcement and government bodies.

• Security reports: security@anvilhk.com
• Privacy & data protection: privacy@anvilhk.com
• Abuse: abuse@anvilhk.com
• Customer support: support@anvilhk.com

All alias addresses currently forward to 738888@proton.me while we complete the corporate mail migration.