> ## Documentation Index
> Fetch the complete documentation index at: https://docs.antei.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Data Security

> Learn how Antei secures your data at rest and in transit, with strict access controls and encryption standards.

<Icon icon="database" size={26} color="#4B5563" />

# Data Security

Antei handles sensitive financial and compliance data for global tax operations. We apply security measures that ensure data is protected during transit, at rest, and during processing — without overextending access or exposing credentials.

***

## Encryption

* **In Transit:** All data is transmitted securely over HTTPS (TLS 1.2 or higher)
* **At Rest:** Sensitive data is stored in encrypted databases or object storage (e.g., Cloudflare R2, Xano storage)
* **API Tokens:** All OAuth and session tokens are encrypted and stored securely — never exposed in plaintext or passed via query strings

***

## Scoped Access

* **OAuth 2.0:** All third-party integrations (e.g., Stripe, QuickBooks, Gmail) use scoped OAuth flows
* **Role-Based Permissions:** Retool and Xano enforce workspace- and org-level role control
* **No Credential Storage:** We do not store usernames or passwords for external systems — only scoped tokens where needed

***

## Data Isolation

* **Org-Level Segregation:** Each customer's data is scoped and stored per organization
* **Token Scoping:** Each integration is bound to a specific org and permission level
* **Xano Authorization Middleware:** Ensures only valid sessions with scoped org-level tokens can access resources

***

## Storage Providers

* **Cloudflare R2** is used for secure, encrypted document and logo storage
* **Xano** handles core transactional and configuration data in an encrypted database environment
* Neither Xano nor Cloudflare R2 allows public or unauthenticated access

***

## Logging & Activity Trails

* Key syncs, data fetches, webhook events, and background jobs are logged with org ID, timestamp, and relevant context
* Logs are available internally and used for audit investigations or debug workflows
* Session expiry and revocation are enforced via background clean-up workers

***

## What We Don’t Do (Yet)

* No full intrusion detection system (IDS)
* No third-party bug bounty program
* No manual pen tests (yet)

These are on our long-term roadmap and will be added once implemented.

***

## Questions?

To request data handling details or security documentation, contact [security@antei.com](mailto:security@antei.com).
