Skip to content
AlpineDataWorks.AI
Last updated · 2026-06-22

Security at AlpineDataWorks.AI

Built for agents, hardened for the buyer that pays for them. This page is deliberately honest about what is shipped today, what is on the roadmap with dates, and how to reach us if you find something wrong.

No fake compliance badges, no aspirational claims — only what we can show you in the code, the logs, and the deploy history.

Live in production

What is true today

Specific, verifiable controls. The kind of detail a competent security team wants to see before they will whitelist a vendor.

TLS 1.3

All traffic encrypted via Cloudflare-managed certificates with automatic rotation. No plain-HTTP fallback.

Passwords: PBKDF2-HMAC-SHA256

100,000 iterations, per-user salt, never stored in plaintext, never logged. Constant-time comparison.

Sessions: HMAC-signed cookies

32-byte random IDs, HttpOnly + Secure + SameSite=Lax. Server-side session table is the source of truth.

API keys: hashed at rest

Stored as hashes, not plaintext. Never echoed in logs or responses after generation.

OAuth: Google + GitHub

Real OAuth 2.0 with signed-state CSRF protection. Email-verified flag required before account activation.

Email verification gated

No API keys, no data calls, no billing actions until your email is verified — gate enforced server-side on every authed endpoint.

Verified, non-anonymous accounts

Self-serve signup, but every account is email-verified before it can call live data — no anonymous access.

Rate limiting at the edge

Per-account daily quotas plus Cloudflare-edge rate limiting. KV-backed counters with deterministic reset windows.

Secrets in Cloudflare KMS

OAuth client secrets, session-signing keys, Stripe webhook secrets — all in Cloudflare Workers encrypted secret store. Zero secrets in source.

Infrastructure

Who runs what

We do not run our own servers. Everything sits on managed, audited infrastructure.

Vendor Purpose
Cloudflare Workers Edge compute, no origin server to attack.
Cloudflare D1 Managed SQLite, encrypted at rest. Account + session data only.
Cloudflare KV Rate-limit counters, encrypted at rest. No PII.
Resend Transactional email (signup, password reset, magic links).
Stripe Payments. PCI Service Provider Level 1. We never touch card data.

Full sub-processor list will be maintained and published as our customer commitments grow.

Roadmap

Coming next

Dated commitments, not vague intentions. If a date slips, this page gets updated.

Q3 2026

MFA / 2FA

TOTP-based two-factor with backup codes for all accounts.

Q4 2026

Audit log export

Account owners can export their full activity log (logins, key creates, API calls).

On first enterprise deal

SOC 2 Type I readiness

We document our controls now and start the formal SOC 2 audit process when a customer's procurement requires it.

Enterprise plans

SAML / SCIM SSO

Single sign-on and provisioning for organizations with their own identity provider.

Responsible disclosure

Found a vulnerability?

Email [email protected] with details and reproduction steps. Our commitments:

  • Acknowledgement within 2 business days
  • Status update every 7 days until resolved
  • Public credit on this page if you would like it
  • No paid bounty yet — we credit researchers publicly and recognize every report.

Please do not test by attacking other users' data, accounts, or infrastructure. Demonstrating impact on a test account you control is sufficient.

Data handling

What we collect and what we do not

We collect

  • Email address
  • Hashed password (only if you set one — OAuth-only users skip this)
  • Profile fields you provide at signup (company, role, use case)
  • API usage counters (rate limiting + abuse prevention)
  • Stripe customer ID (only if you upgrade to a paid plan)

We do not collect

  • Card or financial data (Stripe handles all billing)
  • The contents of your API queries beyond rate-limit-relevant metadata
  • Browsing behavior or cross-site tracking
  • Anything we do not need to run the service

Retention & deletion

Account data lives until you delete your account. Usage counters roll up daily and are pruned after 90 days. You can request a full data export or hard deletion at any time by emailing [email protected].

Contact

Security issues
[email protected]
Privacy & data
[email protected]