Security at AlpineDataWorks.AI
Built for agents, hardened for the buyer that pays for them. This page is deliberately honest about what is shipped today, what is on the roadmap with dates, and how to reach us if you find something wrong.
No fake compliance badges, no aspirational claims — only what we can show you in the code, the logs, and the deploy history.
What is true today
Specific, verifiable controls. The kind of detail a competent security team wants to see before they will whitelist a vendor.
TLS 1.3
All traffic encrypted via Cloudflare-managed certificates with automatic rotation. No plain-HTTP fallback.
Passwords: PBKDF2-HMAC-SHA256
100,000 iterations, per-user salt, never stored in plaintext, never logged. Constant-time comparison.
Sessions: HMAC-signed cookies
32-byte random IDs, HttpOnly + Secure + SameSite=Lax. Server-side session table is the source of truth.
API keys: hashed at rest
Stored as hashes, not plaintext. Never echoed in logs or responses after generation.
OAuth: Google + GitHub
Real OAuth 2.0 with signed-state CSRF protection. Email-verified flag required before account activation.
Email verification gated
No API keys, no data calls, no billing actions until your email is verified — gate enforced server-side on every authed endpoint.
Verified, non-anonymous accounts
Self-serve signup, but every account is email-verified before it can call live data — no anonymous access.
Rate limiting at the edge
Per-account daily quotas plus Cloudflare-edge rate limiting. KV-backed counters with deterministic reset windows.
Secrets in Cloudflare KMS
OAuth client secrets, session-signing keys, Stripe webhook secrets — all in Cloudflare Workers encrypted secret store. Zero secrets in source.
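To make the "Sessions: HMAC-signed cookies" item above concrete, here is an added Python sketch (not AlpineDataWorks.AI code) of a signed cookie whose validity still depends on a server-side session table, so a revoked session fails even though its signature verifies. The key handling, the in-memory table and all function names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: in production the key is read from the platform secret store;
# it is generated here only so the example runs offline.
SIGNING_KEY = secrets.token_bytes(32)
# Stand-in for the server-side session table (session ID -> account).
SESSIONS = {}

def sign_id(session_id: str) -> str:
    """HMAC-SHA256 tag over the session ID, hex-encoded."""
    return hmac.new(SIGNING_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def issue_session(account: str) -> str:
    """Create a 32-byte random session ID, record it, return the cookie value."""
    session_id = secrets.token_hex(32)  # 32 random bytes, hex-encoded
    SESSIONS[session_id] = account
    return f"{session_id}.{sign_id(session_id)}"

def set_cookie_header(cookie_value: str) -> str:
    """Set-Cookie value carrying the attributes listed on this page."""
    return f"session={cookie_value}; HttpOnly; Secure; SameSite=Lax; Path=/"

def authenticate(cookie_value: str):
    """Return the account for a correctly signed, still-live session, else None."""
    session_id, sep, tag = cookie_value.partition(".")
    if not sep:
        return None
    # Constant-time comparison, so timing does not reveal how much of a tag matched.
    if not hmac.compare_digest(sign_id(session_id).encode(), tag.encode()):
        return None
    # The signature only proves the server issued this ID; the table decides
    # whether the session is still valid.
    return SESSIONS.get(session_id)

def revoke(cookie_value: str) -> None:
    """Server-side logout: delete the table row; the cookie itself is untouched."""
    SESSIONS.pop(cookie_value.partition(".")[0], None)
```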
Who runs what
We do not run our own servers. Everything sits on managed, audited infrastructure.
| Vendor | Purpose |
|---|---|
| Cloudflare Workers | Edge compute, no origin server to attack. |
| Cloudflare D1 | Managed SQLite, encrypted at rest. Account + session data only. |
| Cloudflare KV | Rate-limit counters, encrypted at rest. No PII. |
| Resend | Transactional email (signup, password reset, magic links). |
| Stripe | Payments. PCI Service Provider Level 1. We never touch card data. |
Full sub-processor list will be maintained and published as our customer commitments grow.
Coming next
Dated commitments, not vague intentions. If a date slips, this page gets updated.
MFA / 2FA
TOTP-based two-factor with backup codes for all accounts.
Audit log export
Account owners can export their full activity log (logins, key creates, API calls).
SOC 2 Type I readiness
We document our controls now and start the formal SOC 2 audit process when a customer's procurement requires it.
SAML / SCIM SSO
Single sign-on and provisioning for organizations with their own identity provider.
Found a vulnerability?
Email [email protected] with details and reproduction steps. Our commitments:
- ✓ Acknowledgement within 2 business days
- ✓ Status update every 7 days until resolved
- ✓ Public credit on this page if you would like it
- ○ No paid bounty yet — we credit researchers publicly and recognize every report.
Please do not test by attacking other users' data, accounts, or infrastructure. Demonstrating impact on a test account you control is sufficient.
What we collect and what we do not
We collect
- Email address
- Hashed password (only if you set one — OAuth-only users skip this)
- Profile fields you provide at signup (company, role, use case)
- API usage counters (rate limiting + abuse prevention)
- Stripe customer ID (only if you upgrade to a paid plan)
We do not collect
- ✗ Card or financial data (Stripe handles all billing)
- ✗ The contents of your API queries beyond rate-limit-relevant metadata
- ✗ Browsing behavior or cross-site tracking
- ✗ Anything we do not need to run the service
Retention & deletion
Account data lives until you delete your account. Usage counters roll up daily and are pruned after 90 days. You can request a full data export or hard deletion at any time by emailing [email protected].