Back to Home

Security

Security and data protection are at the core of everything we build. This page outlines our comprehensive approach to keeping your data safe.

Table of Contents

1. Infrastructure Security

1.1 Cloud Infrastructure

Ask Alfred is built on enterprise-grade cloud infrastructure:

  • Reliable Hosting: Hosted on industry-leading cloud platforms with 99.9% uptime SLA
  • Geographic Redundancy: Data replicated across multiple availability zones
  • Network Security: Firewalls, DDoS protection, and intrusion detection systems
  • Physical Security: Data centers with 24/7 monitoring, biometric access controls, and security personnel

1.2 Multi-Tenant Architecture

Your organization's data is completely isolated:

  • Tenant Isolation: Every database query is automatically scoped to your organization using unique tenant identifiers
  • Domain-Based Access: Each organization has its own subdomain (e.g., yourcompany.askalfred.ai)
  • No Cross-Contamination: Data from one organization never appears in another's search results or AI responses
  • Cascade Deletion: When data is deleted, all related records are automatically removed through database constraints

1.3 Database Security

  • Encryption at Rest: All database content is encrypted using industry-standard AES-256 encryption
  • Access Controls: Database access restricted to authorized services only
  • Prepared Statements: All queries use parameterized statements to prevent SQL injection
  • Automated Backups: Daily encrypted backups stored in geographically separate locations
  • Point-in-Time Recovery: Ability to restore data to any point within the retention period

1.4 Disaster Recovery

  • Backup Strategy: Multiple backup copies across different geographic regions
  • Recovery Time Objective (RTO): Service restoration within 4 hours of catastrophic failure
  • Recovery Point Objective (RPO): Data loss limited to last 24 hours maximum
  • Tested Procedures: Regular disaster recovery drills to ensure plan effectiveness

2. Data Protection

2.1 Encryption in Transit

  • HTTPS/TLS 1.3: All data transmitted over secure, encrypted connections
  • Certificate Pinning: Protection against man-in-the-middle attacks
  • Perfect Forward Secrecy: Session keys cannot be compromised even if server keys are
  • HSTS Enabled: Browsers forced to use secure connections only

2.2 Encryption at Rest

  • Database Encryption: AES-256 encryption for all stored data
  • File Storage: All uploaded files encrypted in secure storage
  • Secrets Management: API keys and credentials stored in encrypted vaults
  • Key Rotation: Encryption keys rotated according to security best practices

2.3 Password Security

  • Bcrypt Hashing: Passwords hashed using bcrypt with work factor of 12 (industry best practice)
  • Never Plain Text: Passwords are never stored in readable form
  • Secure Reset Flow: Password reset tokens expire after 60 minutes
  • Rate Limiting: Protection against brute force attacks on login and password reset

2.4 API Security

  • Token-Based Authentication: Laravel Sanctum tokens for secure API access
  • Token Scoping: API tokens limited to specific permissions and organizations
  • Device Tracking: Tokens associated with specific devices for audit trails
  • Revocation: Instant token revocation when users log out or change passwords

3. Access Controls

3.1 Role-Based Access Control (RBAC)

  • Granular Permissions: Control who can access which features and data
  • Least Privilege: Users granted only the minimum permissions needed
  • Custom Roles: Organizations can define role hierarchies and permissions
  • Permission Auditing: Track all permission changes and access attempts

3.2 Authentication

  • Email Verification: Required before account activation
  • Session Management: Automatic timeout after 2 hours of inactivity
  • Concurrent Session Control: Monitor and manage active sessions
  • Suspicious Activity Detection: Alerts for unusual login patterns

3.3 API Rate Limiting

  • Login Attempts: Limited to 6 per minute to prevent brute force attacks
  • Password Reset: 6 requests per minute maximum
  • Chat Messages: 30 requests per minute per user
  • General API: 60 requests per minute for all other endpoints

4. Compliance & Certifications

4.1 Current Compliance Status

SOC2-Ready Infrastructure GDPR-Compliant Practices Privacy by Design

SOC2-Ready Infrastructure: Our platform is architected with SOC2 compliance principles from the ground up:

  • Security controls aligned with SOC2 Trust Service Criteria
  • Audit logging and monitoring systems in place
  • Access controls and data isolation mechanisms
  • Encryption of data in transit and at rest
  • Formal audit process planned for enterprise growth phase

GDPR-Compliant Practices: We implement GDPR principles for all users:

  • Data minimization (collect only what's necessary)
  • Purpose limitation (use data only for stated purposes)
  • Right to access (users can view all their data)
  • Right to erasure (complete account and data deletion)
  • Right to portability (API access for data export)
  • Data processing agreements with third-party processors

4.2 Future Certifications

As we scale, we're committed to obtaining:

  • SOC2 Type I: Planned within the next 12 months as we onboard enterprise customers
  • SOC2 Type II: Annual audits to demonstrate sustained compliance
  • Penetration Testing: Regular third-party security assessments

4.3 Vendor Security

We carefully vet all third-party services:

  • Security and compliance documentation review
  • Data processing agreements (DPAs) with all processors
  • Regular security posture assessments
  • Incident notification requirements in contracts

5. Application Security

5.1 Secure Development Practices

  • Code Reviews: All code changes reviewed before deployment
  • Dependency Scanning: Automated scanning for vulnerable dependencies
  • Security Updates: Regular updates to framework and libraries
  • Version Control: Complete audit trail of all code changes

5.2 Input Validation & Sanitization

  • Server-Side Validation: All user input validated on the backend
  • Form Request Classes: Dedicated validation for every API endpoint
  • File Upload Security: Type, size, and content validation for all uploads
  • XSS Prevention: Automatic output escaping in templates

5.3 Protection Against Common Attacks

  • SQL Injection: Prevented through Eloquent ORM and prepared statements
  • Cross-Site Scripting (XSS): Automatic escaping of user-generated content
  • Cross-Site Request Forgery (CSRF): CSRF tokens on all state-changing requests
  • Clickjacking: X-Frame-Options headers prevent iframe embedding
  • Session Fixation: Session IDs regenerated on login

5.4 Secure Cookie Configuration

  • HTTP-Only: Cookies inaccessible to JavaScript (prevents XSS theft)
  • Secure Flag: Cookies transmitted only over HTTPS
  • SameSite: Protection against CSRF attacks
  • Short Lifetime: Session cookies expire after 2 hours of inactivity

6. Incident Response

6.1 Security Monitoring

  • Real-Time Logging: Comprehensive logging of all system events
  • Anomaly Detection: Automated alerts for suspicious patterns
  • Failed Login Tracking: Monitor and respond to brute force attempts
  • Error Monitoring: Immediate notification of application errors

6.2 Incident Detection & Response

In the event of a security incident, we follow a structured response process:

  1. Detection: Automated monitoring and manual security reviews
  2. Assessment: Determine scope, impact, and severity within 1 hour
  3. Containment: Isolate affected systems to prevent further damage
  4. Eradication: Remove the threat and patch vulnerabilities
  5. Recovery: Restore services and verify system integrity
  6. Notification: Inform affected users within 72 hours (GDPR requirement)
  7. Post-Incident Review: Document lessons learned and improve processes

6.3 Data Breach Protocol

  • Immediate containment and forensic investigation
  • Notification to affected users and regulatory authorities as required
  • Coordination with law enforcement if criminal activity involved
  • Transparent communication about impact and remediation steps

6.4 Security Contact

Report a Security Vulnerability

If you discover a security issue, please report it to:

Email: security@askalfred.ai

We take all security reports seriously and will respond within 24 hours. Please do not publicly disclose vulnerabilities until we've had a chance to address them.

7. Third-Party Security

7.1 AI Service Providers

We use enterprise-grade AI services with strong security commitments:

Google Gemini AI:

  • SOC2, SOC3, ISO 27001 certified
  • Data not used for AI model training (Google Cloud API terms)
  • Encryption in transit and at rest
  • Temporary file uploads auto-deleted after 48 hours

OpenAI:

  • SOC2 Type II certified
  • Enterprise API does not use customer data for training
  • Zero data retention policy for API requests

7.2 Infrastructure Providers

Weaviate (Vector Database):

  • Multi-tenant data isolation at infrastructure level
  • Encryption at rest and in transit
  • Regular security audits and penetration testing

Resend (Email Service):

  • SOC2 Type II compliant
  • GDPR compliant with EU data residency options
  • TLS encryption for all email transmission

7.3 Optional Integrations

HubSpot CRM:

  • Enterprise security certifications (SOC2, ISO 27001)
  • Encrypted API token storage in our database
  • Tenant-scoped data sync (your HubSpot data stays isolated)
  • Can be disabled at any time by your organization

8. Security Best Practices for Users

8.1 Strong Passwords

  • Use at least 12 characters with a mix of uppercase, lowercase, numbers, and symbols
  • Never reuse passwords across different services
  • Consider using a password manager for secure storage
  • Change your password immediately if you suspect compromise

8.2 Account Security

  • Keep your email address secure (it's your account recovery method)
  • Log out from shared or public devices
  • Revoke API tokens from devices you no longer use
  • Regularly review your active sessions and connected devices

8.3 Phishing Awareness

  • We will never ask for your password via email
  • Always verify the sender's email address carefully
  • Be suspicious of urgent requests or unexpected attachments
  • When in doubt, navigate directly to askalfred.ai instead of clicking email links

8.4 Data Upload Safety

  • Only upload files you have permission to share
  • Be mindful of sensitive information in documents and images
  • Use our role-based permissions to control who can access specific files
  • Delete files you no longer need to minimize data retention

8.5 Reporting Security Concerns

If you notice anything suspicious:

  • Unusual login notifications
  • Unexpected account activity
  • Suspicious emails claiming to be from Ask Alfred
  • Potential security vulnerabilities in our platform

Please report immediately to: security@askalfred.ai

Questions about our security? Contact us at security@askalfred.ai. We're happy to provide additional technical details or discuss your specific security requirements.