Security Overview
Security is foundational to AlertifyPro. We monitor your systems — you should be able to trust us with that responsibility.
Certifications & compliance
| Standard | Status |
|---|---|
| SOC 2 Type II | ✅ Certified — audited annually |
| GDPR | ✅ Compliant — DPA available |
| ISO 27001 | ✅ Certified |
| HIPAA | ✅ Available on Enterprise (BAA required) |
Data security
Encryption
- Data at rest — AES-256 encryption for all stored data
- Data in transit — TLS 1.3 minimum for all connections
- Database — Encrypted volumes, encrypted backups
- API keys — Stored as bcrypt hashes, never retrievable in plain text
Data isolation
- Each customer's data is strictly isolated at the database and application layer
- Multi-tenant architecture with row-level security in PostgreSQL
- No customer can access another customer's data
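The row-level security mechanism named above can be checked concretely. The following is an added example and not AlertifyPro's schema or code; the table, column, role and setting names (`monitors`, `app_user`, `app.tenant_id`) are hypothetical. It shows the three things a practitioner looks for when RLS is the isolation boundary: the policy keyed on a per-transaction tenant setting, FORCE so that the table owner is not exempt, and an application role that cannot bypass the policy.

```sql
-- Added example, not AlertifyPro's schema or code: a minimal tenant-scoped
-- table protected by a PostgreSQL row-level security policy. Table, column,
-- role and setting names are hypothetical.

CREATE TABLE monitors (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    name      text NOT NULL
);

-- ENABLE turns RLS on for ordinary roles; FORCE makes the table owner
-- subject to the policy as well (superusers and BYPASSRLS roles still skip it).
ALTER TABLE monitors ENABLE ROW LEVEL SECURITY;
ALTER TABLE monitors FORCE ROW LEVEL SECURITY;

-- The policy keys on a custom setting the application provides per transaction.
-- current_setting(..., true) returns NULL when the setting is absent, so a
-- request that forgot to set the tenant sees no rows instead of every row.
CREATE POLICY tenant_isolation ON monitors
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- The application connects as a plain role: not a superuser, not BYPASSRLS,
-- not the table owner. The grants give it the table, not a way around the policy.
CREATE ROLE app_user LOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON monitors TO app_user;
GRANT USAGE, SELECT ON SEQUENCE monitors_id_seq TO app_user;

-- Per-request usage (as app_user). SET LOCAL scopes the tenant id to this
-- transaction, so a pooled connection cannot carry it into the next request.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO monitors (tenant_id, name)
    VALUES ('11111111-1111-1111-1111-111111111111', 'api-latency');
SELECT id, name FROM monitors;   -- returns only rows with this tenant_id
COMMIT;

-- An insert for a different tenant inside such a transaction fails the
-- WITH CHECK clause with "new row violates row-level security policy"
-- and aborts the transaction:
-- INSERT INTO monitors (tenant_id, name)
--     VALUES ('22222222-2222-2222-2222-222222222222', 'x');
```

The two caveats worth remembering when reviewing a deployment like this: the policy is silently bypassed if the application ever connects as a superuser or a role with BYPASSRLS, and `SET` (session-wide) instead of `SET LOCAL` lets a tenant id outlive the request on a pooled connection.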
Backups
- Automated daily backups with 30-day retention
- Point-in-time recovery available on Enterprise
- Backups are encrypted and stored in a separate region
Application security
Authentication
- Passwords hashed with bcrypt (cost factor 12)
- Two-factor authentication (TOTP) available on all plans
- 2FA enforced organization-wide on Enterprise
- A new session token is issued on every login (rotation, which defeats session fixation)
API security
- API keys are scoped to specific permissions
- All API requests require HTTPS
- Rate limiting on all endpoints
- Suspicious activity triggers automatic key suspension
Penetration testing
AlertifyPro hires independent security firms for annual penetration testing. Summary reports are available to Enterprise customers on request.
Infrastructure security
| Layer | Measure |
|---|---|
| Network | VPC with private subnets, no direct internet access to databases |
| Access | Zero-trust network access (ZTNA), no SSH keys distributed |
| Monitoring | 24/7 intrusion detection and anomaly alerting |
| Patching | Critical patches applied within 24 hours |
| Secrets | All secrets managed via HashiCorp Vault |
Responsible disclosure
Found a security vulnerability? Please report it privately:
- 📧 Email: [email protected]
- 🔐 PGP key: Download
We aim to:
- Acknowledge reports within 24 hours
- Provide a status update within 3 business days
- Fix critical issues within 7 days
We do not pursue legal action against researchers who follow responsible disclosure.