Security & compliance

Your data is safe, private, and compliant.

Security isn’t something we added on top; it’s built into how ANANKE works. Your documents stay under your control, personal data is never published, and every action has a verifiable audit trail. Designed for GDPR, aligned with eIDAS and DGSSI standards.

How we protect your organization

Six security commitments that apply to every organization using ANANKE.

Your documents never leave your control

We don’t store your actual documents, student records, or personal information on our servers. Only mathematical fingerprints are used for verification. Your sensitive data stays where you put it.

No personal data is ever published

When we anchor verification proofs, only anonymized mathematical roots are sent to external trust anchors. No names, no grades, no personal information, ever.

Each organization is completely isolated

Your data, proofs, verification logs, and settings are fully separated from every other organization on the platform. There is no way for one institution to access another’s information.

You control what verifiers see

When someone verifies a record you issued, they only see the information you chose to share. Different verifier types can see different fields. You set the rules.

Everything is encrypted

All data is encrypted when stored and when transmitted. Industry-standard encryption (AES-256 at rest, TLS 1.3 in transit) protects your information at every step.

Complete audit trail

Every issuance, verification, revocation, and access event is recorded with timestamps. If you need to show what happened and when, the evidence is already there.

What we store, and what we don’t

Transparency about data handling starts with being clear about what touches our systems.

What we store

Mathematical fingerprints (hashes) of your documents
Verification proof records (receipts) and timestamps
Document templates for issuance workflows
Encrypted data when operationally required (with strong encryption)
Lifecycle status (valid, revoked, replaced)
Audit trail entries
Your organization’s settings and configurations

What we never store

Your actual documents or PDFs (unless explicitly uploaded for template creation)
Student records or grades in cleartext
Personal information (names, addresses, IDs) unless encrypted for issuance
Passwords or API keys in readable form
Financial information or payment details

Compliance and regulatory alignment

We design for compliance from day one, not as an afterthought. Below are the frameworks ANANKE is being built to align with. Important: These are work-in-progress design goals, not completed certifications or formal agreements.

GDPR

General Data Protection Regulation (EU)

Data minimization: we only process what’s necessary
Purpose limitation: data is used only for verification
Right to erasure compatibility
Privacy by design and by default
No personal data transferred to third parties without consent
Data processing agreements available for enterprise clients

eIDAS

Electronic Identification & Trust Services (EU)

Trust and TCODE operate as non-qualified trust services
Architecture designed for future qualified status via ANANKE Sign
Cross-border interoperability standards followed
Clear disclosure: non-qualified services are clearly labeled
ANANKE Sign is being designed for qualified trust service certification
Standards-compatible proof formats for European recognition

DGSSI

Direction Générale de la Sécurité des Systèmes d’Information (Morocco)

Architecture aligned with Moroccan digital trust requirements
Clear separation between non-qualified and qualified services
ANANKE Sign planned for DGSSI certification
Trust services mapped to DGSSI trust level classifications
Security practices aligned with national cybersecurity directives
Moroccan data residency considerations addressed

ISO 27001

Information Security Management (International)

Security controls aligned with ISO 27001 requirements
Risk assessment and treatment processes in place
Access control policies enforced at every level
Incident response procedures documented and tested
Continuous monitoring and improvement cycle
Working toward formal certification

Access control and authentication

Controlling who can access what, and proving it.

Role-based permissions

Each team member has specific permissions based on their role. Administrators, issuers, verifiers, and auditors each see and do only what they need to.

Secure authentication

Industry-standard login with support for single sign-on (SSO). Multi-factor authentication available for enhanced security.

API key protection

If you integrate via API, keys are secured using one-way hashing. The raw key is shown once at creation and never stored; only a secure hash is retained.

Session management

Automatic session expiration, secure token handling, and protection against common web security threats (CSRF, XSS, injection attacks).

Governance: you stay in control

ANANKE provides the tools. Your organization sets the policies.

You define the rules

Your organization controls proof policies, verification settings, team permissions, and what information is disclosed to verifiers.

Every action is recorded

Issuance, verification, revocation, access changes: everything is logged with who did it, when, and from where.

Tamper-evident history

Audit logs are protected so that any attempt to modify historical records is detectable. Your evidence trail is trustworthy.

Long-term retention

Audit records are retained for regulatory periods. When auditors or regulators request evidence, it’s already there and proven.

Non-qualified vs. qualified trust services

ANANKE Trust and TCODE are non-qualified trust services: they provide verifiable evidence and tamper-detection, not legally qualified electronic signatures. For workflows requiring legally binding signatures (contractual, regulatory), ANANKE Sign is a separate product line that will operate under DGSSI/eIDAS regulatory certification.

Questions about security or compliance?

We’re happy to discuss our security practices, data handling, and compliance alignment with your IT, legal, or compliance team.