Overview
Anton Payments is built with data protection as a foundational requirement, not an afterthought. Sensitive data -- including personally identifiable information (PII) and payment card data -- is protected through tokenization, encryption, and strict access controls throughout the platform.
PII Tokenization
Anton uses Basis Theory, a PCI DSS Level 1 certified tokenization provider, to keep all sensitive data out of the core platform database. This means:
No raw PII in Anton's database -- When you create a payee with personal details (name, address, identity documents), Anton forwards the sensitive fields to Basis Theory's vault and persists only the token references it gets back. The underlying values are never written to Anton's own database.
Per-merchant isolation -- Each merchant's tokenized data is isolated in a separate vault scope. One merchant cannot access another merchant's data, even at the token reference level.
Transparent to you -- Tokenization is handled automatically by Anton's API. You send data normally, and Anton tokenizes it behind the scenes. When you retrieve payee data, the detokenized values are returned in the response. Note that once those values reach your systems they are under your control, so how you store and log them is covered by the responsibilities listed at the end of this page.
Payment Card Data
For merchants who process card-funded payouts, card data (PANs, CVVs, expiration dates) receives the highest level of protection:
Card data is tokenized immediately upon receipt using a dedicated card vault
Raw card data never touches Anton's core infrastructure
All card operations are handled through Basis Theory's PCI-certified environment
Anton's systems only interact with non-sensitive token references
Encryption at Rest
All data stored by Anton is encrypted at rest:
Database encryption -- The PostgreSQL database uses AES-256 encryption for all data at rest, managed by the cloud provider's encryption service
File storage encryption -- Documents uploaded during onboarding (KYB documents, identity verification) are encrypted using AES-256 in cloud storage
Backup encryption -- All database backups and snapshots are encrypted with the same standards as the primary data
Encryption in Transit
All data in transit is protected:
The API enforces TLS 1.2 or higher on all connections
Non-TLS connections are rejected
Webhook deliveries are sent over HTTPS
Internal service communication uses encrypted channels
Access Controls
Anton enforces strict access controls to limit who can view and act on sensitive data:
Role-based access -- Internal operations use 8 distinct roles with different permission levels. Each role has access only to the data and actions required for its function.
API key isolation -- Each merchant's API keys can only access that merchant's data. There is no cross-merchant data access.
Audit trails -- All data access and modifications are logged with who performed the action, what was accessed, and when.
Compliance Standards
Anton's data protection practices are aligned with industry standards:
PCI DSS -- Card data handling follows the PCI Data Security Standard, with tokenization through a PCI DSS Level 1 certified service provider
SOC 2 -- Controls are designed to meet SOC 2 Trust Services Criteria for security, availability, and confidentiality
ISO 27001 -- Information security management practices align with ISO 27001 Annex A controls
Your Responsibilities
While Anton protects data within the platform, you are responsible for:
Keeping your API keys secret: store them in a secrets manager or server-side configuration, never in client-side code, mobile apps, or source control, and rotate them if exposure is suspected
Not logging sensitive data (payee bank details, PII) in your own systems, including detokenized values returned by the API and request or response bodies captured by debugging or error-reporting tools
Serving your webhook endpoint over HTTPS and verifying the signature on every delivery before acting on its contents
Following data protection regulations applicable to your jurisdiction (GDPR, CCPA, etc.)
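The two integration-side responsibilities above (verifying webhook signatures, and keeping payee details out of your own logs) are worth seeing together, because the verification must run on the raw request body before it is parsed, and the logging must run on the parsed event after sensitive keys are stripped. The following is an added example written for this page, not Anton's own SDK or documented webhook format. It assumes an HMAC-SHA256 signature over `<timestamp>.<raw body>`, hex-encoded, carried in headers here called `X-Anton-Signature` and `X-Anton-Timestamp`, a five-minute replay window, and a list of sensitive field names; all of these are assumptions, and you should substitute whatever scheme and field names Anton actually documents.

```python
# Added example, not Anton's own code. Header names, signature scheme,
# replay window and the SENSITIVE_KEYS set are assumptions for illustration.
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Assumed header names (not taken from the page).
SIG_HEADER = "X-Anton-Signature"
TS_HEADER = "X-Anton-Timestamp"

# Assumed sensitive keys; the page only says "payee bank details, PII".
SENSITIVE_KEYS = {
    "name", "address", "date_of_birth", "tax_id", "identity_document",
    "account_number", "routing_number", "iban", "card",
}

REPLAY_WINDOW_SECONDS = 300  # assumed tolerance for clock skew / replays


def compute_signature(secret: bytes, timestamp: str, body: bytes) -> str:
    """Assumed scheme: HMAC-SHA256 over '<timestamp>.<raw body>', hex-encoded.

    Signing the raw bytes matters: re-serialising the JSON on the receiving
    side can change whitespace or key order and silently break verification.
    """
    msg = timestamp.encode("ascii") + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: Dict[str, str], body: bytes,
                   now: Optional[int] = None) -> bool:
    """Return True only if the signature is valid and the timestamp is fresh."""
    timestamp = headers.get(TS_HEADER)
    provided = headers.get(SIG_HEADER)
    if not timestamp or not provided:
        return False
    try:
        sent_at = int(timestamp)
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - sent_at) > REPLAY_WINDOW_SECONDS:
        return False  # stale or future-dated: treat as a replay
    expected = compute_signature(secret, timestamp, body)
    # Constant-time comparison so timing differences do not leak the MAC.
    return hmac.compare_digest(expected, provided)


def redact(value):
    """Recursively replace sensitive keys so the event can be logged safely."""
    if isinstance(value, dict):
        return {k: ("[REDACTED]" if k in SENSITIVE_KEYS else redact(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def handle_webhook(secret: bytes, headers: Dict[str, str], body: bytes,
                   now: Optional[int] = None) -> dict:
    """Reject unverified deliveries before parsing; log only the redacted event."""
    if not verify_webhook(secret, headers, body, now):
        return {"status": 401, "log_record": None}
    event = json.loads(body)
    return {"status": 200, "log_record": redact(event)}


def build_signed_delivery(secret: bytes, timestamp: int,
                          event: dict) -> Tuple[Dict[str, str], bytes]:
    """Constructed sender side, used only to produce a sample delivery."""
    body = json.dumps(event, separators=(",", ":")).encode("utf-8")
    headers = {
        TS_HEADER: str(timestamp),
        SIG_HEADER: compute_signature(secret, str(timestamp), body),
    }
    return headers, body


# Constructed sample data: not a real secret and not a real Anton event.
SAMPLE_SECRET = b"whsec_example_do_not_use"
SAMPLE_EVENT = {
    "type": "payout.completed",
    "payout_id": "po_123",
    "amount": 2500,
    "payee": {"name": "Jane Example", "account_number": "000123456789", "country": "US"},
}

if __name__ == "__main__":
    hdrs, raw = build_signed_delivery(SAMPLE_SECRET, 1700000000, SAMPLE_EVENT)
    print(handle_webhook(SAMPLE_SECRET, hdrs, raw, now=1700000000))
```

Two points carry over whatever the real scheme turns out to be: verify against the raw body bytes your framework hands you, not a re-encoded object, and compare MACs with `hmac.compare_digest` rather than `==`. The signature check only protects you if the endpoint is served over HTTPS; a plaintext endpoint exposes the event contents and the headers regardless of the MAC.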
