Trust & Security
How we handle your data, what we've attested to, and how to reach us for security questions.
Audit underway with a third-party assessor. Target completion Q3 2026. Gap assessment complete; remediation in progress across all five Trust Services Criteria.
Data subject rights honored within 30 days. DPA available on request for customers with EU data subjects. EU data residency roadmap: Q4 2026.
California residents can request data export or deletion via privacy@securityalert.ai.
Standard DPA with SCCs signed on request for Business and Enterprise customers. Email legal@securityalert.ai.
Infrastructure
- Hosted on Microsoft Azure in the eastus2 region on hardened Ubuntu 24.04 LTS. Azure itself is SOC 2, ISO 27001, and HIPAA attested.
- PostgreSQL 16 with encrypted backups, daily point-in-time recovery, and per-tenant row-level isolation for multi-tenant data.
- TLS 1.3 enforced on all public endpoints. HSTS preloaded. Strict CAA policy restricting certificate issuance to Let's Encrypt.
- Nginx with rate limiting, IP blocklisting, and bot filtering on public endpoints.
- Secrets are stored in a protected environment file (0600, root-only read) outside the application directory. No credentials in source control.
Authentication & access
- Auth0 handles all customer authentication, RS256 signed JWTs with audience + issuer + expiry validation on every request.
- SSO (SAML/OIDC) available on Enterprise plans.
- API keys are generated via
random_bytes()and stored as bcrypt hashes. Keys are scoped per organisation and can be revoked instantly. - RBAC: team membership is enforced at the query layer, teams cannot read each other's monitors, incidents, or brand findings.
- Audit logs for privileged actions are retained for 90 days and exportable for SOC 2 preparation (Enterprise tier).
Data handling
- What we collect: your monitor configurations, incident records, brand domains you ask us to monitor, alert preferences, and the results of our checks. We do not sell data.
- What we don't collect: we do not proxy your application traffic. We do not deploy agents inside your infrastructure. We only touch URLs and domains you explicitly configure.
- Retention: incident and check-result data retained per your plan (90 days Pro, 1 year Business, 2 years Enterprise). Audit logs 90 days.
- Deletion: account deletion removes all tenant data within 30 days. Backups are rotated within 35 days.
- No PII in logs: HTTP logs are scrubbed of query strings and body content before rotation.
Vulnerability disclosure
We welcome responsible disclosure. Report vulnerabilities to security@securityalert.ai. We commit to acknowledging reports within 48 hours and a public advisory after remediation. Safe-harbour extended to good-faith research that avoids customer data access and does not degrade service.
PGP key and security.txt available at /.well-known/security.txt.
Incident transparency
We publish our own operational status at status.servicealert.ai and run a public changelog for all product changes. Security-relevant incidents affecting customer data are disclosed to affected customers within 72 hours.
Subprocessors
- Microsoft Azure, infrastructure hosting (eastus2)
- Auth0 / Okta, authentication
- Stripe, billing
- Postmark, transactional email
- Twilio, SMS alerts
- Cloudflare, DNS and DDoS protection
Full subprocessor list with purpose, data categories, and locations available in the DPA. Material changes notified to customers 30 days in advance.
Questions
Security questionnaires, SOC 2 bridge letters (post-attestation), penetration test summaries, and architecture diagrams available under NDA. Email security@securityalert.ai.
Last updated: 16 April 2026