Security Policy

ALTO, developed and maintained by Brilliant Consulting SL

ALTO considers protection of subscriber data a top priority. As further described in this Information Security Policy, ALTO uses commercially reasonable organizational and technical measures designed to prevent unauthorized access, use, alteration or disclosure of subscriber data stored on systems under our control.

Subscriber Data and Management

ALTO limits its personnel's access to subscriber data as follows:

  • Requires unique user access authorization through a slack provider;
  • Limits the subscriber data available to ALTO personnel on a "need to know" basis;
  • Restricts access to the ALTO production environment by ALTO personnel on the basis of business need;
  • Encrypts user security credentials for production access.

Data Encryption

ALTO provides industry-standard encryption for subscriber data as follows:

  • All customer data is encrypted at rest with AES-256 and in transit via TLS;
  • Sensitive information such as access tokens and keys is encrypted at the application level before it is stored in the database.

Network Security, Physical Security and Environmental Controls

ALTO uses firewalls, network access controls and other techniques designed to prevent unauthorized access to systems processing subscriber data.

ALTO maintains measures designed to assess, test and apply security patches to all relevant systems and applications used to provide the Services.

ALTO monitors privileged access to applications that process subscriber data, including cloud services.

The Services operate on Supabase and Amazon Web Services ("AWS") and are protected by the security and environmental controls of Supabase and AWS. Detailed information about Supabase security is available at https://supabase.com/security. Detailed information about AWS security is available at https://aws.amazon.com/security/ and http://aws.amazon.com/security/sharing-the-security-responsibility/. For AWS SOC Reports, please see https://aws.amazon.com/compliance/soc-faqs/.

Subscriber data stored within Supabase is encrypted at all times. Supabase does not have access to unencrypted subscriber data.

Incident Response

If ALTO becomes aware of unauthorized access or disclosure of subscriber data under its control (a "Breach"), ALTO will:

  • Take reasonable measures to mitigate the harmful effects of the Breach and prevent further unauthorized access or disclosure.
  • Upon confirmation of the Breach, notify the customer in writing of the Breach without undue delay. Notwithstanding the foregoing, ALTO is not required to make such notice to the extent prohibited by applicable laws, and ALTO may delay such notice as requested by law enforcement and/or in light of ALTO's legitimate needs to investigate or remediate the matter before providing notice.

Backups

We do not archive or store data for longer than necessary for the proper functioning of ALTO. Our backup strategy has a 14-day retention policy. After that, data is permanently deleted.

Data archival and removal

To delete your ALTO account, archive or remove personal information, please send an email to info@youralto.com.

Payment Processing

ALTO uses Stripe to process payments and does not store personal credit card information for any of our customers.

Stripe is a certified PCI Service Provider Level 1, which is the highest level of certification in the payments industry.

Vulnerability Management

ALTO works with industry experts to conduct regular penetration tests.

In addition to internal security reviews, we use various tools, including Socket, to scan our code for vulnerabilities.

Bug Reports

If you think you have found a security issue, please email us at info@youralto.com. Please do not publicly disclose the issue or any related information until we have had a chance to review it and respond to you.

Contact Us

If you have any questions about these Terms of Service, please contact us at info@youralto.com.