Security
How we protect your data and privacy
Security is at the core of anonymize.today. We implement industry-leading security measures to protect your data at every step.
Security Overview
Encryption at Rest
AES-256-GCM encryption for all stored data
Encryption in Transit
TLS 1.3 for all communications
Two-Factor Auth
Email-based 2FA for account protection
Compliance
ISO 27001:2022 compliant, GDPR-ready
Data Protection
How We Process Your Data
When you use anonymize.today:
| User Type | Data Storage | History |
|---|---|---|
| Guest | Processed in memory only, never stored | None |
| Authenticated (History Off) | Processed in memory only | None |
| Authenticated (History On) | Encrypted at rest (AES-256-GCM) | Stored encrypted |
Data Retention
- Operation history: Retained until you delete it or close your account
- Account data: Retained while your account is active
- Logs: Retained for 30 days for security monitoring
- Backups: Encrypted backups retained for 7 days
Data Deletion
You can delete your data at any time:
- History entries: Settings → Privacy → Delete individual entries or all history
- Account data export: Settings → Account → Download My Data
- Account deletion: Contact support to request full account deletion
Encryption
Encryption at Rest
All stored data is encrypted using AES-256-GCM:
- Operation history (when enabled)
- User encryption keys
- Custom entities and presets
- Account preferences
Encryption in Transit
All communications use TLS 1.3:
- Web application traffic (HTTPS)
- API communications
- Desktop app sync
- Office add-in requests
User Encryption Keys
For the Encrypt anonymization operator:
- You create and manage your own encryption keys
- Keys are stored encrypted in your account
- We never have access to your plaintext keys
- Lost keys cannot be recovered - store them safely
Important
If you lose your encryption key, data encrypted with it cannot be recovered. Always store your keys securely.
Authentication
Password Requirements
- Minimum 8 characters
- Must include uppercase and lowercase letters
- Must include at least one number
- Must include at least one special character
Account Lockout
After 5 failed login attempts:
- Account is temporarily locked for 15 minutes
- You'll receive an email notification
- Lockout expires automatically
Two-Factor Authentication
We recommend enabling 2FA for additional security. See our 2FA documentation for setup instructions.
Session Management
- Sessions expire after 30 days of inactivity
- You can view and revoke active sessions in Settings
- Logging out invalidates the session immediately
Infrastructure Security
Server Location
All servers are located in Germany (EU), ensuring GDPR compliance and data sovereignty.
DDoS Protection
Multiple layers of DDoS protection including rate limiting and traffic analysis.
Monitoring
24/7 security monitoring with automated threat detection and alerting.
Rate Limiting
| Endpoint | Limit | Burst |
|---|---|---|
| Authentication | 3/sec | 5 |
| API Operations | 30/sec | 50 |
| Data Export | 1/hour | 1 |
Compliance
GDPR
anonymize.today is fully GDPR compliant:
- Data processing agreements available
- Right to access, rectification, and erasure
- Data portability support (JSON export)
- Privacy by design and by default
ISO 27001:2022
Our security practices align with ISO 27001:2022 standards for information security management.
Audit Logs
Complete audit trails are maintained for:
- Account access and authentication
- Data operations (analyze, anonymize)
- Settings changes
- Billing and subscription changes
Security Best Practices
Security Reporting
If you discover a security vulnerability, please report it responsibly:
Contact
Email: security@anonymize.today
Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested fixes
We commit to:
- Acknowledging receipt within 24 hours
- Providing regular status updates
- Crediting researchers (with permission)
Related Documentation
Last Updated: February 2026