AnchorTrust Center

Client Portal — Security & Privacy

How Anchor secures the client portal, what data it shows you, where that data is stored, and the privacy controls that apply — written for the client security and IT reviewers who approve the portal for use.

Version 1.0 · Last updated June 12, 2026 · Reflects the live portal implementation

Passwordless sign-in

Access is by a private, single-use link emailed to each contact — no portal password to reuse or steal.

One project per portal

Every portal is filtered, on the server, to a single engagement. It can never return another client's data.

Encrypted in transit

All traffic is HTTPS/TLS with HTTP Strict Transport Security and standard browser-hardening headers.

Least privilege by design

You see only what your delivery team publishes. Internal notes, pricing, and raw transcripts are withheld.

1. At a Glance

The Anchor client portal is a secure, read-mostly window your delivery team opens onto your own project. You reach it at a private link (for example, anchor-hq.dev/c/your-project). It shows your project's status, meetings, documents, and contacts, and gives you a place to raise support tickets — and it shows nothing from anyone else's project.

Passwordless sign-in: access is by a private, single-use link emailed to you — there is no portal password to create, reuse, or have stolen.
One project per portal: each portal is wired to a single engagement and is filtered, on the server, so it can never return another client's data.
Encrypted everywhere in transit: all portal traffic is served over HTTPS/TLS with HTTP Strict Transport Security (HSTS).
Least privilege by design: you only see what your delivery team chooses to publish. Internal notes, pricing, staffing, and raw meeting transcripts are withheld.
Established US cloud providers: data is hosted on Vercel and Supabase, with a short, defined list of sub-processors (Section 8).

This document covers the client portal specifically. For the platform-wide privacy policy and terms of service, see anchor-hq.dev/privacy and anchor-hq.dev/terms.

2. How You Sign In (Authentication)

2.1 Passwordless, link-based sign-in

An authorized member of your delivery team sends each named contact a personal sign-in link by email (from noreply@anchor-hq.dev).
The link carries a 256-bit (32-byte) cryptographically random token. That token is the entire credential — there is no password to choose or remember.
Clicking the link signs you in, and the token is immediately stripped from the browser address bar so it does not linger in history or screenshots.
Lost your link? You can request a fresh one from the sign-in screen by entering your email. For privacy, the response is identical whether or not that email has access, so no one can use the form to discover who is invited.

2.2 How the sign-in link is protected

The raw token is never stored in our database. We store only a salted PBKDF2-HMAC-SHA256 hash of it (100,000 iterations, 16-byte random salt, 256-bit output).
Sign-in links expire 30 days after they are issued, and are rotated (regenerated) every time a new one is sent.
Your delivery team can revoke a contact's access at any time, which prevents any new sign-in with that link.
Sign-in is rate-limited to 5 attempts per 15 minutes per source IP, and the "email me a link" function to 3 per 15 minutes, to resist automated guessing.

2.3 Your session

A successful sign-in creates a short-lived session that lasts 24 hours, delivered as a signed, HTTP-only cookie — inaccessible to page JavaScript, marked Secure over HTTPS, and SameSite=Lax.
Sessions are scoped to one portal: a session for your portal cannot read any other portal.
Access can be restricted to specifically invited contacts, or to approved email domains. In both cases sign-in is link- and identity-based — never a shared password.

Portal sessions are intentionally short-lived (24 hours) and self-expire. Revoking a contact's invite stops all future sign-ins immediately. For an instant cut-off of an open session, your delivery team can disable the portal.

3. What You See — and What You Don't

Each portal is bound one-to-one to a single project ("implementation") inside your account. Every panel is filtered on the server to that one project, so a portal can only ever return that project's data.

3.1 What the portal can show

Project overview and milestone/delivery dates, plus a task-count progress bar
Hours and capacity for the engagement
Change requests
A Meeting Log with plain-language recaps, and your next scheduled meeting
Your delivery-team contacts
Knowledge-base quick links and help articles
Announcements
A support ticket desk (raise, reply, and track tickets)
Product roadmap items marked client-visible
Downloadable project documents (for example, signed project-initiation and blueprint documents)
An optional satisfaction (NPS) survey

Your delivery team turns each of these on or off per portal — you only see the panels they publish.

3.2 What is deliberately withheld

Internal meeting notes, sentiment, pricing/margin, and staffing commentary — the portal shows a separate, client-facing recap, never the internal write-up
Raw meeting transcripts and recording links
Internal-only AI narratives and risk scoring
Dollar figures (budgets, cost estimates) unless your team explicitly chooses to share them
Internal roadmap items and any internal service-level configuration

3.3 Isolation between contacts and organizations

Support tickets are scoped to your own organization/account. On a portal shared by several customer organizations, one organization cannot see another's tickets.
By default, each person sees only their own tickets. A team can opt to let colleagues in the same account see shared tickets — but visibility never extends beyond that account.
Document downloads are streamed through an authenticated Anchor endpoint; we never hand your browser a raw storage URL, and downloads are sent with private, no-store caching.

3.4 Staff "view as client" preview

Your delivery team can preview the portal exactly as you would see it. This view-as-client mode is only available to authenticated Anchor users who belong to the organization that owns the portal — it cannot be triggered by an anonymous visitor or by anyone outside your engagement.

4. Encryption & Connection Security

4.1 In transit

All portal traffic is served exclusively over HTTPS (TLS).
Responses carry HTTP Strict Transport Security (max-age one year, includeSubDomains, preload), so compliant browsers refuse to connect over plain HTTP.
Anti-clickjacking is enforced with X-Frame-Options: DENY (the portal cannot be embedded in a frame), alongside X-Content-Type-Options: nosniff and Referrer-Policy: strict-origin-when-cross-origin.
A Permissions-Policy disables the camera, microphone, geolocation, and payment browser APIs for portal pages.

4.2 At rest

Portal data is stored in a managed PostgreSQL database (Supabase, running on AWS in the United States) and in managed file storage (Vercel Blob). Encryption at rest is provided by these infrastructure providers.
Credentials used to connect Anchor to third-party services your team integrates (for example Jira, Slack, or Confluence) are encrypted by the application with AES-256-GCM authenticated encryption before storage, using a 256-bit key held only in protected environment configuration.

Anchor applies its own application-layer AES-256-GCM encryption specifically to third-party integration secrets. This is separate from the portal's own sign-in. Other stored data relies on the encryption-at-rest provided by our database and storage providers rather than additional application-layer field encryption.

4.3 File downloads and uploads

Downloadable documents are fetched server-side and streamed to you only after your portal session is verified; the underlying storage URLs are randomized and are never exposed to your browser.
Uploads are limited to 25 MB and to a fixed allow-list of file types.

5. Access Logging & Monitoring

Every portal sign-in — successful or failed — is written to an audit log capturing the email, source IP address, and outcome (for example: expired link, invalid link, or access denied).
Successful sign-ins additionally record a session entry with IP address and browser user-agent.
Audit records are retained for 365 days.
Application errors are monitored via Sentry, configured to scrub credentials and tokens from error reports.

Audit logging is best-effort: a logging failure is recorded internally but never blocks your access. Rate-limit enforcement depends on the availability of our caching backend.

6. Architecture & Tenant Isolation

The portal runs as part of a single multi-tenant application. Every request resolves one portal by its unique link, then filters all data by that portal's project and organization identifiers.
Portal authentication is fully separate from the internal staff application: it uses its own session cookie and its own sign-in path. The internal app's Google sign-in is never exposed to portal visitors.
Real-time staff notifications (for example, when you submit a ticket) are delivered to your delivery team over a private internal channel. The portal itself opens no real-time socket in your browser.

7. Data Collected Through the Portal

Data category	Examples	Purpose
Contact identity	Name and email address of invited contacts	Grant and manage portal access
Session metadata	Email, IP address, browser user-agent, sign-in timestamps	Authenticate the session; security audit
Support tickets	Submitter name, email, title; subject, message, attachments	Operate the support desk
Ticket replies	Author name and email; message	Maintain the ticket conversation
Survey responses	0–10 score, optional free-text feedback, email and name	Measure satisfaction (when enabled)

Text typed into the portal's help search is not stored as raw text — only a one-way hash is kept, so usage can be measured without retaining what was asked.

Your organization is the data controller for the personal data of the contacts you invite; Anchor acts as your data processor. A GDPR Article 28 Data Processing Agreement is available on request (email support@anchor-hq.dev with the subject "DPA Request").

8. Sub-processors That Touch Portal Data

Sub-processor	Role	Portal data it handles
Vercel (US)	Application hosting, CDN, serverless compute, and file storage (Vercel Blob)	Serves all portal traffic; stores downloadable documents, ticket attachments, and logos
Supabase (AWS, US)	Managed PostgreSQL database	Stores all portal content and metadata
Upstash (US)	Redis — rate limiting	Sign-in and throttling counters (no portal content)
Resend	Transactional email	Delivers portal invite and survey emails, which contain the sign-in link
Anthropic (Claude)	AI sub-processor	Generates client-facing meeting recaps from meeting transcripts/summaries, when the Meeting Log is enabled
Pusher	Real-time messaging	Carries internal staff notifications when you submit a ticket (your browser does not subscribe to it)
Slack (optional)	Team messaging	Receives portal ticket content when your delivery team has connected Slack
Atlassian Jira (optional)	Issue tracking	Receives portal ticket content when a support project is connected
Sentry	Error monitoring	Application error diagnostics, with credentials and tokens scrubbed

Optional integrations (Slack, Jira) receive portal-originated ticket content only when your delivery team has connected them. Per Anthropic's API terms, data sent to Claude via the API is not used to train models and is retained only briefly for abuse monitoring. Provider compliance attestations (such as SOC 2) are maintained by each provider and available on request.

9. Meeting Recaps & AI

When the Meeting Log is enabled, Anchor uses Anthropic's Claude model to turn a meeting's transcript or recorder summary into a short, plain-language recap (summary, action items, and risks/decisions) for the portal.
The recap is generated once, in the background, and stored. Your browser never receives the raw transcript.
The system is instructed to exclude internal commentary — sentiment, pricing, staffing, and sales notes — from these client-facing recaps, and the output is schema-validated before it can appear.
If a portal's Meeting Log is turned off, no recap is generated or shown.

Automated recaps are an AI summarization of material your team already shares with you, not the official record. If you spot an inaccuracy, contact your delivery team.

10. Data Retention & Deletion

Data	Retention
Expired portal sessions	Permanently deleted 7 days after expiry (automated weekly cleanup)
Audit logs	365 days
Tickets, replies, survey responses, invite records	Retained for the life of the engagement; removed when the project/portal is deleted or on written request

Revoking a contact's access stops future sign-ins. To fully erase a contact's records, your delivery team can request deletion.
To request access, correction, export, or deletion of personal data held in a portal, contact your delivery team (the Anchor customer) or email support@anchor-hq.dev. Requests are handled within 30 days.

11. Your Responsibilities

Treat your sign-in link like a password — do not forward it. Anyone with the link can open your portal until it expires or is revoked.
Use a current, secure browser and sign in only from devices you trust.
Tell your delivery team promptly if you believe a link has been exposed, so they can revoke it.
Only upload files you are authorized to share.

12. Contact & Disclosure

Questions about portal security, a Data Processing Agreement request, or to report a vulnerability: email support@anchor-hq.dev.

This overview reflects the live implementation of the Anchor client portal as of the effective date above. It describes what is implemented today and is updated as the portal evolves.

Frequently Asked Questions

The questions security and IT teams most often ask before approving the portal.

How do clients log in? Are there passwords?

There are no portal passwords. Each contact receives a personal, single-use sign-in link by email. The link carries a 256-bit random token that is stored only as a salted PBKDF2-HMAC-SHA256 hash (100,000 iterations); the raw token is never written to our database. Links expire after 30 days, rotate on each send, can be revoked, and grant a 24-hour HTTP-only browser session. Sign-in is rate-limited to 5 attempts per 15 minutes per IP.

Can one client see another client's data?

No. Each portal is bound one-to-one to a single project, and every query is filtered server-side by that project and organization. Support tickets are further scoped to your own account, so even a portal shared by multiple customer organizations keeps each organization's tickets separate.

Is our data encrypted?

In transit: yes — all portal traffic is HTTPS/TLS with HTTP Strict Transport Security. At rest: portal data is stored in managed PostgreSQL (Supabase, AWS US) and managed file storage (Vercel), whose providers encrypt data at rest. In addition, third-party integration credentials are encrypted by Anchor with AES-256-GCM before storage.

Where is our data stored, and who are your sub-processors?

Primary infrastructure is US-based: Vercel (hosting, CDN, file storage), Supabase (PostgreSQL database, AWS us-west-2), and Upstash (rate limiting). Resend sends portal emails, Anthropic generates meeting recaps, Pusher carries internal notifications, and Sentry handles error monitoring. Slack and Jira receive portal ticket content only when your delivery team connects them. A full table is in the Security & Privacy Overview.

Does AI process our data?

Only to generate client-facing meeting recaps, using Anthropic's Claude model, and only when the Meeting Log is enabled. The relevant meeting transcript or summary is sent to Anthropic to produce a short recap; the raw transcript is never shown in the portal, and internal commentary is excluded from the recap. Per Anthropic's API terms, this data is not used to train models.

Is portal activity logged?

Yes. Every sign-in attempt — success or failure — is recorded to an audit log with the email, source IP, and outcome, and retained for 365 days. Successful sign-ins also store a session record with IP and browser user-agent.

How is access revoked?

Your delivery team can revoke a contact's sign-in link at any time, which blocks all future sign-ins. Sessions are short-lived (24 hours) and self-expire. For an immediate cut-off, the portal can be disabled outright.

What data do you collect about our people?

Contact name and email (to grant access); session email, IP, browser user-agent, and timestamps (to authenticate and audit); and any ticket or survey content your team submits. Text typed into the help search is stored only as a one-way hash, never as raw text.

How long is data kept, and can we delete it?

Expired sessions are permanently deleted 7 days after expiry; audit logs are kept for 365 days. Tickets, surveys, and invite records are retained for the life of the engagement and removed when the project/portal is deleted or on written request — handled within 30 days.

Do you offer a Data Processing Agreement (DPA)?

Yes — a GDPR Article 28 DPA is available on request (email support@anchor-hq.dev with the subject "DPA Request"). Your organization is the data controller for the contacts you invite; Anchor acts as your data processor.

Can your staff impersonate the portal?

Your delivery team can preview the portal as you would see it, but only when they are an authenticated member of the organization that owns your portal. An anonymous party, or anyone outside your engagement, cannot trigger this preview.

Is the portal isolated from your internal application?

Yes. The portal has its own sign-in path and its own session cookie, fully separate from the internal staff app. The internal app's Google sign-in is never exposed to portal visitors, and the portal opens no real-time socket in your browser.

Questions about portal security, a Data Processing Agreement request, or to report a vulnerability, email support@anchor-hq.dev.

See also our Privacy Policy and Terms of Service. This page reflects the live implementation of the Anchor client portal as of June 12, 2026.

← Back to home