// Trust & Security Report

    Ankitects Pty Ltd logo

    Ankitects Pty Ltd

    Anki is a free, open-source spaced-repetition flashcard application with AnkiWeb, a free companion synchronization service. Available on desktop (Windows, macOS, Linux) and mobile (AnkiMobile for iOS, AnkiDroid for Android).

    Certifications held

    0

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 11 unconfirmed / not-held certifications
    SOC 2 (Type 1 or 2)
    NOT CONFIRMED

    no public evidence of SOC 2 certification found on AnkiWeb or vendor domains

    source: ankiweb.net
    ISO 27001
    NOT CONFIRMED

    no public evidence of ISO 27001 certification found on AnkiWeb or vendor domains

    source: ankiweb.net
    GDPR Compliance Certification
    NOT CONFIRMED

    Privacy policy describes GDPR-compliant data handling practices but no formal GDPR certification or compliance badge mentioned; GDPR is a regulation, not a certification

    source: ankiweb.net
    HIPAA
    NOT CONFIRMED

    no public evidence of HIPAA compliance; AnkiWeb is a learning tool, not a healthcare/medical records system

    source: ankiweb.net
    PCI DSS
    NOT CONFIRMED

    no public evidence of PCI DSS certification; AnkiWeb does not accept credit cards directly for paid services

    source: ankiweb.net
    ISO 27017 (Cloud-specific Information Security)
    NOT CONFIRMED

    no public evidence of ISO 27017 certification

    source: ankiweb.net
    ISO 27018 (PII Protection in Cloud)
    NOT CONFIRMED

    no public evidence of ISO 27018 certification

    source: ankiweb.net
    ISO 27701 (Privacy Information Management)
    NOT CONFIRMED

    no public evidence of ISO 27701 certification

    source: ankiweb.net
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    no public evidence of ISO 42001 certification; Anki is a flashcard app without generative AI features

    source: ankiweb.net
    CSA STAR Certification
    NOT CONFIRMED

    no public evidence of CSA STAR certification

    source: ankiweb.net
    FedRAMP
    NOT CONFIRMED

    no public evidence of FedRAMP authorization

    source: ankiweb.net

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not offered

    Data region

    EU and USA data centers; portions cached via CDN globally

    Anki is a spaced-repetition flashcard learning tool, not a generative AI system. It does not use customer flashcard data to train AI models. Third-party add-ons may integrate with external AI services (e.g., ChatGPT-powered card generators), but AnkiWeb core service does not train on customer data.

    // Security controls

    Encryption in Transit

    HTTPS/TLS for all data synchronization between Anki clients and AnkiWeb

    forums.ankiweb.net

    Encryption at Rest

    No public documentation on encryption at rest for stored flashcards on AnkiWeb servers

    ankiweb.net

    Access Logs Retention

    Access logs retained for 1 month for security and diagnostics, then automatically deleted

    ankiweb.net

    Password Security

    Account security depends on user password strength; AnkiWeb recommends not reusing passwords across sites

    ankiweb.net

    JavaScript Sandboxing

    Limited interface between card JavaScript and Anki internals; arbitrary code execution outside webview unlikely. AnkiWeb uses separate ankiuser.net domain to isolate card content from main site endpoints

    github.com

    Data Privacy Default

    Flashcards and media are private by default; only shared if user explicitly enables sharing

    ankiweb.net

    Data Retention Policy

    Accounts inactive for 6+ months are marked for deletion; user receives email notification with 30-day grace period to reactivate

    faqs.ankiweb.net

    Vulnerability Disclosure Program

    No bug bounty program. Security issues can be reported privately via GitHub security advisory or private message to support

    github.com

    // Products & data scope

    Anki DesktopLearning / Flashcard Application

    data: Offline desktop application; optionally syncs to AnkiWeb for multi-device access

    Open-source (GitHub: ankitects/anki); free desktop application for Windows, macOS, Linux; handles multimedia (images, audio, video, LaTeX). Can be self-hosted via anki-sync-server (AGPLv3).

    AnkiWebCloud Synchronization Service

    data: Free online synchronization service for flashcards; optional web-based review interface at ankiweb.net

    Proprietary (not open-source); free service with no premium tier; hosted on EU and USA data centers with CDN caching. Supports 6-month inactivity cleanup to manage costs.

    AnkiMobile (iOS)Mobile Learning Application

    data: Official iOS app; syncs with AnkiWeb or self-hosted sync server

    Paid app ($24.99 USD); revenue funds Anki development; full feature parity with desktop Anki

    AnkiDroid (Android)Mobile Learning Application

    data: Free and open-source Android app; syncs with AnkiWeb or self-hosted sync server

    Community-maintained open-source project; available on F-Droid and Google Play; free to use

    // What to watch

    • STARTUP_MATURITY: AnkiWeb is a free, community-driven service with no SOC 2, ISO 27001, or other formal compliance certifications. This is typical for learning tools but limits enterprise adoption.
    • NO_DPA: No public Data Processing Agreement documented. Vendors processing EU resident data under GDPR should provide a DPA; AnkiWeb's privacy policy addresses GDPR-compliant processing but lacks formal DPA.
    • ENCRYPTION_AT_REST_UNDOCUMENTED: AnkiWeb's privacy policy confirms HTTPS for transit but does not publicly document encryption at rest for stored flashcards. Gap-fill search found no evidence of AES-256 or equivalent.
    • SECURITY_VULNERABILITY_HISTORY: Researchers documented 0-day remote code execution vulnerabilities exploiting JavaScript in shared decks (2024). However, no documented real-world exploits in Anki's 16-year history. Desktop app has mitigations (domain separation, limited JS interface).
    • LACK_OF_BUG_BOUNTY: No formal bug bounty program; security reports only via private channels. Typical for smaller projects but limits researcher incentives for responsible disclosure.
    • FREE_SERVICE_LIMITATION: AnkiWeb is free and may terminate/delete inactive accounts after 6 months. Users should understand service continuity is not guaranteed and maintain local backups.
    • NO_TRUST_CENTER: AnkiWeb has no dedicated trust center or security documentation portal, unlike enterprise SaaS vendors. Security info scattered across privacy policy, GitHub SECURITY.md, and forums.

    // At a glance

    Pricing model

    Freemium: Core Anki and AnkiWeb are free; AnkiMobile (iOS) is paid (~$24.99 USD); AnkiDroid is free open-source

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Ankitects Pty Ltd's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    ankiweb.net

    > Browse all vendor trust reports