Skip to main content
AnomalyArmor is built with security as a foundational principle, not an afterthought. We understand that data observability tools have access to sensitive infrastructure, and we’ve designed our platform to minimize risk while maximizing value. Security architecture showing TLS 1.3 encryption, metadata-only access, and AES-256 at rest

Core Security Principles

Metadata Only, Never Your Data

The most important security control is what we don’t access:
We AccessWe Never Access
Table namesRow data
Column names and typesActual values
Schema metadataPII content
Timestamp values (for freshness)Business-sensitive data
Constraint definitionsQuery results
When you connect a database, AnomalyArmor queries only system catalogs (information_schema, pg_catalog, etc.), never your actual tables. 
-- What we query (metadata)
SELECT table_name, column_name, data_type
FROM information_schema.columns;

-- What we NEVER query (your data)
SELECT * FROM users;  -- ❌ Never executed
This isn’t just policy. It’s enforced by our open-source Query Gateway, which validates every SQL query before execution.

Defense in Depth

Security is implemented at every layer: Four layers of security: Network, Authentication, Application, and Data

Compliance & Certifications

GDPR Compliance

For customers in the EU or handling EU data:
  • Data Processing Agreement (DPA) available
  • Right to erasure supported
  • Data portability supported
  • EU data residency options (contact sales)

HIPAA Readiness

For healthcare organizations:
  • Business Associate Agreement (BAA) available
  • Enhanced audit logging
  • Contact us for healthcare-specific deployment options

Encryption

Data in Transit

All network traffic uses TLS 1.3 encryption:
  • Database connections from AnomalyArmor to your infrastructure
  • Web traffic to the AnomalyArmor dashboard
  • API calls to AnomalyArmor services
  • Webhook deliveries to your endpoints
Minimum TLS version: 1.2 (1.3 preferred) Cipher suites: Modern, AEAD-only (AES-GCM, ChaCha20-Poly1305)

Data at Rest

All stored data is encrypted with AES-256:
Data TypeEncryptionKey Management
Database credentialsAES-256-GCMAWS KMS, automatic rotation
Asset metadataAES-256Managed by infrastructure
Audit logsAES-256Immutable storage
BackupsAES-256Separate backup keys

Key Management

Encryption keys are managed through AWS KMS:
  • Automatic key rotation every 365 days
  • Keys never leave the KMS boundary
  • Separate keys per customer (Enterprise)
  • Hardware Security Module (HSM) backed

Network Security

Connection Architecture

AnomalyArmor connects outbound to your databases: Network connection architecture showing outbound connection from AnomalyArmor to customer database

IP Allowlisting

AnomalyArmor uses static IP addresses for database connections: 
Production IPs (US region):
34.xxx.xxx.xxx/32
34.xxx.xxx.xxx/32

# Add these to your security group/firewall
Contact support for the current list of IP addresses, or view them in Settings → Security in your dashboard.

VPC Peering (Enterprise)

For enhanced network isolation:
  • Direct VPC peering between your AWS account and AnomalyArmor
  • No public internet exposure for database connections
  • Private DNS resolution
Connect via AWS PrivateLink for:
  • Fully private connectivity
  • No data traversing public internet
  • Simplified firewall rules

Authentication & Access Control

User Authentication

AnomalyArmor supports multiple authentication methods:
MethodAvailabilityDetails
Email + PasswordAll plansStrong password requirements
Google SSOAll plansOAuth 2.0 integration
SAML 2.0 SSOEnterpriseOkta, Azure AD, OneLogin, etc.
Multi-Factor AuthAll plansTOTP-based (Google Authenticator, etc.)

Role-Based Access Control (RBAC)

Control who can do what:
RolePermissions
ViewerView assets, alerts, dashboards
EditorViewer + configure alerts, manage destinations
AdminEditor + manage data sources, team members
OwnerAdmin + billing, security settings

Session Security

  • Session tokens expire after 24 hours of inactivity
  • Sessions invalidated on password change
  • Concurrent session limits (Enterprise)
  • IP-based session restrictions (Enterprise)

Credential Security

How We Store Your Database Credentials

Database credentials are the most sensitive data we handle:
  1. Encryption: AES-256-GCM with customer-specific keys
  2. Key storage: AWS KMS with HSM backing
  3. Access logging: Every credential access is logged
  4. Least privilege: Only the discovery engine accesses credentials
  5. No visibility: Support staff cannot view your credentials

Credential Recommendations

Always create a read-only, dedicated user for AnomalyArmor. Never share credentials with production applications.
Recommended setup for PostgreSQL: 
-- Create dedicated read-only user
CREATE USER anomalyarmor WITH PASSWORD 'secure-password';

-- Grant minimal permissions
GRANT CONNECT ON DATABASE your_db TO anomalyarmor;
GRANT USAGE ON SCHEMA public TO anomalyarmor;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO anomalyarmor;

-- For information_schema access (required)
-- This is typically granted by default

Audit Logging

What We Log

Every significant action is logged:
Event TypeDetails Logged
AuthenticationLogin, logout, failed attempts, MFA events
Data accessDiscovery runs, asset views, exports
ConfigurationRule changes, destination updates, team changes
Admin actionsUser management, security settings

Log Retention

  • Standard: 90 days retention
  • Enterprise: Configurable retention, SIEM integration

Accessing Audit Logs

Navigate to Settings → Audit Log to view activity:
  • Filter by user, action type, date range
  • Export to CSV
  • API access for SIEM integration (Enterprise)

Infrastructure Security

Cloud Provider

AnomalyArmor runs on AWS with:
  • Multi-AZ deployment for high availability
  • Automated backups with point-in-time recovery
  • DDoS protection via AWS Shield
  • Web Application Firewall (WAF)

Host Security

  • Hardened AMIs with minimal attack surface
  • Automatic security patching
  • No SSH access to production hosts
  • Immutable infrastructure (replaced, not updated)

Container Security

  • Non-root container execution
  • Read-only file systems where possible
  • Resource limits enforced
  • Regular vulnerability scanning

Incident Response

Our Commitment

In the event of a security incident:
  1. Detection: 24/7 monitoring with automated alerting
  2. Response: Incident response team engaged within 1 hour
  3. Communication: Affected customers notified within 24 hours
  4. Resolution: Root cause analysis and remediation
  5. Post-mortem: Detailed report shared with affected customers

Reporting Security Issues

If you discover a security vulnerability:
Please do not disclose security issues publicly until we’ve had a chance to address them.

Penetration Testing

Our Testing

  • Annual third-party penetration tests
  • Continuous automated vulnerability scanning
  • Bug bounty program for responsible disclosure

Your Testing

Enterprise customers may conduct penetration testing:
  1. Contact us at least 2 weeks in advance
  2. Scope limited to your tenant
  3. Provide test dates and methodology
  4. Share findings for mutual benefit

Security FAQ

No. Employees cannot access customer credentials or metadata. All access is logged and audited. Support debugging happens with synthetic data only.
Your database credentials are encrypted with customer-specific keys. Even in a breach, credentials cannot be decrypted without the KMS keys. We would notify you within 24 hours of any confirmed breach.
Self-hosted deployments are available for Enterprise customers with specific compliance requirements. Contact sales for details.
  1. Delete the data source connection in AnomalyArmor
  2. Revoke the database user’s permissions or delete the user
  3. Remove AnomalyArmor IPs from your security group

Query Gateway

Open-source SQL security layer

Data Handling

What data we access and how we handle it

Data Retention

How long we keep your data