Security & Data Protection
Your compliance documents contain sensitive IP and regulatory information. Here's exactly how we protect it.
Last reviewed: March 2026
How Your Data Is Protected
Multiple layers of enterprise-grade security protect your documents at every stage — in transit, at rest, and during analysis.
Encrypted in Transit
Every connection between your browser and Aligntra is protected by TLS 1.2 or higher — the same transport encryption standard used by major banks and healthcare systems. It creates an encrypted tunnel so no one can intercept, read, or tamper with your documents while they travel between your device and our servers.
Encrypted at Rest
Once your documents reach our servers, they are stored with AES-256 encryption — the gold standard used by governments and financial institutions worldwide. Even if someone gained physical access to our storage infrastructure, your files would be unreadable without the encryption keys.
AI That Forgets
Our AI analysis runs through AWS Bedrock, Amazon's enterprise AI infrastructure. Each analysis is completely stateless — the AI processes your document, returns the results, and retains nothing. Your documents are never used to train AI models, guaranteed by AWS Bedrock's contractual data protection terms.
Your Data, Completely Isolated
Every organization on Aligntra has its own isolated data environment. Your documents, analyses, and reports are separated at the infrastructure level — every read and write operation is scoped to your organization's ID. No other customer can ever see or access your data.
Security Measures
Enterprise-grade controls that are active on every Aligntra account today.
Powered by Clerk, an industry-standard identity provider. JWT token verification, multi-factor authentication (MFA) available for all users, and built-in brute-force protection with automatic account lockout.
Granular permissions with organization admin and member roles. Admins control team access, billing, and data. Members only access what they need. API activity is monitored via application performance monitoring.
HTTPS is enforced across all connections with HSTS (HTTP Strict Transport Security). Your browser is instructed to never communicate with us over an insecure connection, even by mistake.
Intelligent rate limiting protects against abuse and brute-force attacks. Separate limits for authentication, file uploads, analysis, and billing operations. Automatic lockout on suspicious activity.
Security headers including X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Content Security Policy (CSP). CSP is implemented and being progressively tightened.
Documents are never served through permanent public URLs. Every download uses a time-limited signed link that expires after one hour, ensuring documents can't be accessed by anyone who intercepts an old link.
Hosted on Cloudflare (storage and CDN) and Railway (compute), with built-in DDoS protection, global edge network, automated backups, and high availability.
Strict file type allowlisting (PDF, DOCX, DOC, TXT only), file size limits, and schema validation on every API request. Webhook signatures are cryptographically verified with replay attack prevention.
Data Handling & Retention
Full transparency on what we collect, what we don't do with it, and how long we keep it.
✓ What We Collect
- ✓ Documents you upload for analysis
- ✓ Analysis results and reports you generate
- ✓ Account information (name, email, company)
- ✓ Anonymized usage analytics for performance
✗ What We Never Do
- ✗ Train AI models on your documents
- ✗ Sell your data to third parties or advertisers
- ✗ Share documents with other customers
- ✗ Access your documents without authorization
- ✗ Retain documents after you delete them
| Data Type | Retention Period | Your Control |
|---|---|---|
| Active analyses | As long as your account is active | Delete anytime from your dashboard |
| Deleted analyses | Permanently removed within 7 days | Automatic |
| Analysis results | 12 months unless deleted sooner | Delete anytime |
| Closed accounts | All data permanently deleted within 30 days | Request at any time |
| Enterprise customers | Custom retention policies available | Configured per agreement |
Compliance & Certifications
Our compliance posture and the standards we build against.
| Standard | Status | Description |
|---|---|---|
| GDPR | Active | EU data protection. Right to erasure, data portability, and processing transparency. |
| CCPA | Active | California consumer privacy. Right to know, delete, and opt-out of data sale. |
| AES-256 + TLS 1.3 | Active | AES-256 encryption at rest and TLS 1.2+ transport security in transit. |
| RBAC + MFA | Active | Role-based access control with multi-factor authentication available via Clerk. |
| SOC 2 Type II | Planned | Third-party audit covering security, availability, processing integrity, and confidentiality. |
| ISO 27001 | Planned | International standard for information security management systems (ISMS). |
| FDA 21 CFR Part 11 | Planned | Electronic records and signatures compliance for regulated medical device companies. |
View our detailed security roadmap
Enterprise Security Features
Additional security capabilities available on our Enterprise plan for large organizations with strict compliance requirements.
Single Sign-On (SSO) Contact Sales
SAML 2.0 integration with your identity provider (Okta, Azure AD, etc.)
Custom Data Residency Contact Sales
Choose where your data is stored — US, EU, or dedicated instance.
Dedicated Tenancy Contact Sales
Isolated compute and storage resources exclusively for your organization.
IP Whitelisting Contact Sales
Restrict platform access to your corporate network IP addresses only.
Custom SLA Contact Sales
99.95% uptime guarantee with financial penalties for breaches.
Penetration Testing Contact Sales
Annual third-party security assessments and vulnerability reports.
BAA Agreements Contact Sales
HIPAA Business Associate Agreements available for healthcare customers.
Audit Logs Export Contact Sales
Complete access and activity logs exportable for your compliance records.
Incident Response
In the unlikely event of a security incident, here's what we commit to.
Affected customers notified within 24 hours of incident detection.
Detailed incident report with impact assessment delivered within 72 hours.
Post-incident review with root cause analysis and preventive measures shared with affected customers.
Vulnerability Disclosure
We welcome responsible security researchers. If you discover a vulnerability in aligntra.com, email security@aligntra.com. We will not pursue legal action against researchers who follow responsible disclosure practices. We respond within 48 hours and provide a resolution timeline within 5 business days.
Questions About Our Security?
Contact our team for compliance questionnaires, security documentation, or to schedule a security review.