May rollout: REST API v1, brand-asset visual matching, malvertising detection, $79 Solo tier, no-card 14-day trial. See what shipped
Search threats, CVEs, actors… ⌘K Open dashboard

Trust & Security

How we handle your data, what we've attested to, and how to reach us for security questions.

SOC 2 Type II
In Progress

Audit underway with a third-party assessor. Target completion Q3 2026. Gap assessment complete; remediation in progress across all five Trust Services Criteria.

GDPR
Compliant

Data subject rights honored within 30 days. DPA available on request for customers with EU data subjects. EU data residency roadmap: Q4 2026.

CCPA
Compliant

California residents can request data export or deletion via privacy@securityalert.ai.

Data Processing Addendum
Available

Standard DPA with SCCs signed on request for Business and Enterprise customers. Email legal@securityalert.ai.

Infrastructure

  • Hosted on Microsoft Azure in the eastus2 region on hardened Ubuntu 24.04 LTS. Azure itself is SOC 2, ISO 27001, and HIPAA attested.
  • PostgreSQL 16 with encrypted backups, daily point-in-time recovery, and per-tenant row-level isolation for multi-tenant data.
  • TLS 1.3 enforced on all public endpoints. HSTS preloaded. Strict CAA policy restricting certificate issuance to Let's Encrypt.
  • Nginx with rate limiting, IP blocklisting, and bot filtering on public endpoints.
  • Secrets are stored in a protected environment file (0600, root-only read) outside the application directory. No credentials in source control.

Authentication & access

  • Auth0 handles all customer authentication, RS256 signed JWTs with audience + issuer + expiry validation on every request.
  • SSO (SAML/OIDC) available on Enterprise plans.
  • API keys are generated via random_bytes() and stored as bcrypt hashes. Keys are scoped per organisation and can be revoked instantly.
  • RBAC: team membership is enforced at the query layer, teams cannot read each other's monitors, incidents, or brand findings.
  • Audit logs for privileged actions are retained for 90 days and exportable for SOC 2 preparation (Enterprise tier).

Data handling

  • What we collect: your monitor configurations, incident records, brand domains you ask us to monitor, alert preferences, and the results of our checks. We do not sell data.
  • What we don't collect: we do not proxy your application traffic. We do not deploy agents inside your infrastructure. We only touch URLs and domains you explicitly configure.
  • Retention: incident and check-result data retained per your plan (90 days Pro, 1 year Business, 2 years Enterprise). Audit logs 90 days.
  • Deletion: account deletion removes all tenant data within 30 days. Backups are rotated within 35 days.
  • No PII in logs: HTTP logs are scrubbed of query strings and body content before rotation.

Vulnerability disclosure

We welcome responsible disclosure. Report vulnerabilities to security@securityalert.ai. We commit to acknowledging reports within 48 hours and a public advisory after remediation. Safe-harbour extended to good-faith research that avoids customer data access and does not degrade service.

PGP key and security.txt available at /.well-known/security.txt.

Incident transparency

We publish our own operational status at status.servicealert.ai and run a public changelog for all product changes. Security-relevant incidents affecting customer data are disclosed to affected customers within 72 hours.

Subprocessors

  • Microsoft Azure, infrastructure hosting (eastus2)
  • Auth0 / Okta, authentication
  • Stripe, billing
  • Postmark, transactional email
  • Twilio, SMS alerts
  • Cloudflare, DNS and DDoS protection

Full subprocessor list with purpose, data categories, and locations available in the DPA. Material changes notified to customers 30 days in advance.

Questions

Security questionnaires, SOC 2 bridge letters (post-attestation), penetration test summaries, and architecture diagrams available under NDA. Email security@securityalert.ai.

Last updated: 16 April 2026