Security

Last updated October 31, 2024

At Alvas.ai, security is our absolute highest priority. In the spirit of openness and transparency, here are some of the security measures we take to protect and defend the Alvas.ai platform.

Your users’ data never leaves our servers

We distinguish between data about your users and data about you, yourself. While, for example, your billing information is shared with Stripe, and your profile is accessible to us in our help desk software, data about your users is never shared with any external providers and never leaves our server cluster hosted with Amazon Web Services.

Encrypting data in transit

Whenever your data is in transit between you (or your users) and us, everything is encrypted, and sent using HTTPS.

During a user agent’s (typically a web browser’s) first site visit, Alvas.ai sends a Strict Transport Security (HSTS) header to the user agent, which ensures that all future requests are made via HTTPS even if a link to Alvas.ai is specified as HTTP. Additionally, we use HSTS preload, guaranteeing that requests are never – not even the very first – made over a non-encrypted connection. Cookies are also set with a secure flag.

Encrypting data at rest

Any data that you upload, provide, or share with us is encrypted at rest when stored.
Our backups of your data are likewise encrypted.

Hosted on Amazon Web Services

Alvas.ai is hosted on Amazon Web Services. Our database is managed by Supabase, ensuring redundancy, high availability and trustworthy automated, encrypted backups.

Concurrency and rate limiting

We employ several layers to protect against abuse and DoS attacks, such as concurrency limiting (limits the number of active requests) and rate limiting (limits the number of requests over time). Our servers gracefully queue requests when under high load and handle them at a safe pace.

Organizational practices

  • We operate under the principle of least privilege: Employees are assigned the lowest level of access that allows them to do their work.
  • Two-factor authentication is enforced in all sensitive systems.
  • All employees are required to use approved password managers (like LastPass or 1Password) to generate and store strong passwords that are never reused.
  • All employees are required to encrypt local hard drives and enable screen locking for device security.
  • All access to application admin functionalities is restricted to a small subset of Alvas.ai staff.
  • We never store customer data on personal devices (like laptops).

Development practices

  • All code changes are thoroughly tested through our Continuous Integration software.
  • All code changes are tested in a staging environment before deploying to production.
  • We use several tools and services to automatically monitor uptime and site availability. Key employees receive automatic email and SMS notifications in the case of downtime or emergencies.

Regularly-updated infrastructure

Our software infrastructure is updated regularly with the latest security patches. Our products run on a dedicated network which is locked down with firewalls and carefully monitored.

We protect your billing information

All credit card transactions are processed via Stripe using secure encryption—the same level of encryption used by leading banks. Card information is transmitted, stored, and processed securely on a PCI-compliant network.

We protect your billing information

Have you noticed abuse, misuse, an exploit, or experienced an incident with your account? Send urgent or sensitive reports directly to legal@alvas.ai. We’ll get back to you as soon as we can, usually within 24 hours. Please follow up if you don’t hear back.

Keeping customer data safe and secure is a huge responsibility and a top priority. We work hard to protect our customers from the latest threats. Your input and feedback on our security is always appreciated.