Security

Data in Transit

All communication between your browser and the Ananas GDS platform — as well as between the platform and any API consumer — uses HTTPS (TLS 1.2 or higher). Unencrypted HTTP connections are not accepted and are automatically redirected to HTTPS.

API responses are transmitted over encrypted channels. Image delivery via CDN is also served exclusively over HTTPS.

Data at Rest & Storage

Structured Data (Text & Metadata)

  • Stored in a secured relational database (MariaDB) on Ananas GDS servers.
  • Regular automated backups with multiple storage points.
  • RAID disk configuration to prevent data loss from hardware failure.
  • Asset access data is hashed during both upload and download.

Image Data

  • High-resolution images stored in cloud object storage, separate from application servers.
  • Automatic backup to a secondary protected location.
  • Images are accessed only via hashed, non-guessable URLs — the storage path itself is never public.
  • Metadata for each image is stored on application servers and linked to the image via secure hashing.

Image URLs in API responses and widget embeds are hashed and access-controlled. Even if someone intercepts an image URL, the platform verifies whether the requesting domain or token has permission to access it before serving the image.

Access Control

Account Level

  • Each account is isolated. You cannot access another company’s data without an accepted partnership contract.
  • Admin accounts have full access to their own data only.
  • Sub-users (Authorized Users) are limited to the role and properties assigned to them by the admin.

Partnership Level

  • Data access between companies requires a mutually accepted contract.
  • Each contract defines specifically which properties and which data types (facts, photos, availability) are accessible.
  • API tokens are scoped to the contract — they cannot access data outside the contract terms.
  • When a contract expires or is cancelled, access is automatically revoked.

API Level

  • All API endpoints require a valid token for access.
  • Widget tokens are additionally domain-locked — requests that use them are served only when they come from the whitelisted domain.
  • Rate limiting is applied to prevent abuse.

API & Token Security

Best Practices for Token Handling

  • Never expose tokens in frontend code. Browser-based JavaScript is visible to anyone. Use tokens in server-side code only (Node.js, Python, PHP, etc.).
  • Do not commit tokens to version control. Use environment variables or a secrets manager.
  • Rotate tokens if compromised. Contact support to invalidate a token and generate a new one for the affected contract.
  • Use the minimal access principle. If a contract only needs stop sale data, ensure the contract’s data permissions reflect that — do not grant unnecessary facts or photo access.

Domain Whitelisting

The platform enforces domain whitelisting for widget tokens. API requests made from a domain not authorized for a given token will receive a 403 Forbidden response. This prevents unauthorized third-party sites from embedding your property data.

Image Security

  • Images are never stored at predictable or enumerable public URLs.
  • Each image URL is generated using cryptographic hashing tied to the property, image, and access configuration.
  • URLs are validated on every request — the server checks both the token/domain and the URL hash before serving.
  • Images uploaded to Ananas GDS are stored only for authorized use within the platform and via contracted API access. They are not indexed by search engines.
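
An added illustration of the two checks described above, domain whitelisting and per-request validation of the URL hash. It is not Ananas GDS code: HMAC-SHA256, the `/img/...` path layout, the signing key and the token-to-domain table are assumptions chosen for the example.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample values; a real key would come from a secrets manager.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"
# Hypothetical mapping of widget token -> domains allowed to use it.
TOKEN_DOMAINS = {"wt_demo_123": {"hotel.example"}}


def _digest(property_id: str, image_id: str, token: str) -> str:
    # Bind the digest to property, image and access configuration (here: the token).
    # Length-prefix each field so ("ab", "c") and ("a", "bc") never collide.
    msg = b"".join(len(p.encode()).to_bytes(4, "big") + p.encode()
                   for p in (property_id, image_id, token))
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def make_image_url(property_id: str, image_id: str, token: str) -> str:
    """Return a non-enumerable URL path; the storage path never appears in it."""
    return f"/img/{property_id}/{image_id}/{_digest(property_id, image_id, token)}"


def check_request(path: str, token: str, origin: str) -> int:
    """Return the HTTP status a server would send: 200, 403 or 404."""
    host = urlparse(origin).hostname or ""
    if host not in TOKEN_DOMAINS.get(token, set()):
        return 403  # unknown token, or domain not whitelisted for it
    parts = path.strip("/").split("/")
    if len(parts) != 4 or parts[0] != "img":
        return 404
    _, property_id, image_id, supplied = parts
    expected = _digest(property_id, image_id, token)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403
    return 200
```

Because the digest covers the property, the image and the token together, a URL issued under one contract does not validate under another token, and changing any path component invalidates it.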

Account Security

Password Requirements

  • Minimum 8 characters
  • At least one number
  • At least one special character

Two-Factor Authentication (2FA)

2FA support is currently in development and will be available in an upcoming release. When launched, 2FA will be available via authenticator app (TOTP), optional for all accounts, and mandatory for admin accounts on Premium plans.

Session Management

  • Sessions expire after a period of inactivity.
  • Logging out invalidates the session token server-side — not just client-side.
  • Suspicious login activity (multiple failed attempts, login from a new geography) triggers an account lock and email notification.

Account Verification

The Ananas GDS team manually verifies company information for all new registrations. Accounts flagged as potentially fraudulent or impersonating another company may be suspended pending further review. Verification status is shown in your Company Details settings.

GDPR & Data Privacy

Ananas GDS operates under European Union data protection law (GDPR). The platform is designed for B2B use — the primary data handled is accommodation property information, not personal consumer data. However, several GDPR-relevant areas apply:

Data You Store

  • Your account registration data (email, company name) is processed under the lawful basis of contractual necessity.
  • Contact lists (emails in mailing groups) should only contain contacts who have given appropriate consent to receive commercial communications from your company.
  • Authorized sub-user data (name, email) is processed as part of your service administration.

Data Portability

You can export all your property data (fact sheets, availability history, photos) at any time via the Export Center. For a full account data export, contact us.

Data Deletion

To request deletion of your account and all associated data, contact support. Following deletion, data is removed from active databases within 30 days. Anonymized aggregate statistics may be retained.

Data Processing Location

Data is processed and stored on servers within the EU. CDN edge nodes may cache image data globally for performance purposes, but the origin storage remains EU-based.

Reporting a Vulnerability

If you discover a security vulnerability in the Ananas GDS platform, please report it responsibly:

  • Email: support@ananas-gds.com
  • Subject line: [SECURITY] followed by a brief description
  • Include: steps to reproduce, potential impact, and your contact details

Please do not publicly disclose the vulnerability until we have had the opportunity to investigate and remediate it. We aim to acknowledge all reports within 48 hours.