Security disclosures
For the product-level audit trail, see Control plane. This page is the formal disclosure document.
Compliance
- Security review — vendor security questionnaires, architecture notes, and relevant reports are available under NDA.
- GDPR + CCPA — DPA available pre-sales. EU representative listed in DPA.
- HIPAA — BAA available for healthcare customers. Per-tenant isolation, including separate encryption keys per tenant, supports the safeguards a BAA requires.
- PCI DSS — Aleq does not store cardholder data. Card data is tokenized at the point of capture by our PCI DSS Level 1 payment processor.
Encryption
- At rest — AES-256-GCM with a separate data encryption key (DEK) per tenant. DEKs are managed in AWS KMS and wrapped by HSM-backed master keys (envelope encryption).
- In transit — TLS 1.3 (every TLS 1.3 cipher suite provides forward secrecy). HSTS enabled with a 2-year max-age (max-age=63072000).
- Backups — encrypted with the same per-tenant keys. Retained 90 days.
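The following Go program is an added illustration of the at-rest scheme described above; it is example code written for this page, not Aleq's implementation. It shows envelope encryption with a per-tenant AES-256-GCM data key wrapped by a master key that never leaves the key service, and what per-tenant keys buy in practice: a ciphertext or a wrapped key taken from one tenant does not decrypt under another, and a record cannot be silently moved to a different row. The in-process `KMS` type (standing in for AWS KMS GenerateDataKey/Decrypt), the `tenant:` and record-ID AAD bindings, and the tenants `acme` and `globex` are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// aead returns AES-256-GCM for a 32-byte key (12-byte nonce, 16-byte tag).
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under a fresh random nonce and prepends it to the output; the
// AAD is authenticated but not encrypted, which is where the tenant binding goes.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	a, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, a.Seal(nil, nonce, plaintext, aad)...), nil
}

// open reverses seal; any change to nonce, ciphertext, tag or AAD fails authentication.
func open(key, blob, aad []byte) ([]byte, error) {
	a, err := aead(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < a.NonceSize() {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	return a.Open(nil, blob[:a.NonceSize()], blob[a.NonceSize():], aad)
}

// KMS stands in for AWS KMS (an assumption of this example): the master key
// never leaves it and is used only to wrap and unwrap per-tenant DEKs, as
// GenerateDataKey and Decrypt do against an HSM-backed key in the real service.
type KMS struct{ master []byte }

func NewKMS() (*KMS, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &KMS{master: k}, nil
}

// GenerateDataKey returns a fresh 256-bit DEK and its wrapped form. The tenant
// ID is bound as AAD, so a wrapped key lifted from tenant A does not unwrap
// when presented as tenant B.
func (k *KMS) GenerateDataKey(tenant string) (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil {
		return nil, nil, err
	}
	wrapped, err = seal(k.master, plain, []byte("tenant:"+tenant))
	return plain, wrapped, err
}

func (k *KMS) UnwrapDataKey(tenant string, wrapped []byte) ([]byte, error) {
	return open(k.master, wrapped, []byte("tenant:"+tenant))
}

// Records are bound to tenant and record ID through the AAD, so a ciphertext
// cannot be moved to another row or tenant and still decrypt.
func recordAAD(tenant, recordID string) []byte { return []byte(tenant + "\x00" + recordID) }

func EncryptRecord(dek []byte, tenant, recordID string, plaintext []byte) ([]byte, error) {
	return seal(dek, plaintext, recordAAD(tenant, recordID))
}

func DecryptRecord(dek []byte, tenant, recordID string, blob []byte) ([]byte, error) {
	return open(dek, blob, recordAAD(tenant, recordID))
}

func main() {
	kms, err := NewKMS()
	if err != nil {
		panic(err)
	}
	dekA, wrappedA, _ := kms.GenerateDataKey("acme") // constructed tenant, not real data
	ct, _ := EncryptRecord(dekA, "acme", "inv-1001", []byte("net 30, $12,400.00"))
	pt, err := DecryptRecord(dekA, "acme", "inv-1001", ct)
	fmt.Printf("own DEK, own record: %q err=%v\n", pt, err)
	_, err = kms.UnwrapDataKey("globex", wrappedA)
	fmt.Println("acme's wrapped DEK presented as globex:", err)
}
```

Binding the tenant into the AAD of both the wrapped DEK and each record is what turns "per-tenant keys" from a storage convention into something the decrypt path enforces: a misrouted blob fails authentication instead of decrypting quietly under the wrong key context.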
Audit signatures
Every journal entry Aleq posts is signed at post time with an Ed25519 key held in an HSM. At period close, the period is sealed with one further signature covering all of that period's signed entries. An auditor holding the public key can verify that no entry was altered after signing and that the sealed period is complete.
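The following Go program is an added example of the scheme described above, not Aleq's code: each entry is signed with Ed25519, the period close is a second signature over a hash chain of the signed entries, and the auditor-side check recomputes the chain from the entries it is handed. The in-memory key (standing in for the HSM), the domain-separation tags, the hash-chain construction of the period digest and the sample entries are all assumptions of the example; Aleq's actual entry encoding and seal format are not described on this page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// Entry is one journal line; json.Marshal emits struct fields in declaration order, giving canonical bytes to sign.
type Entry struct {
	ID          string `json:"id"`
	Tenant      string `json:"tenant"`
	PostedAt    string `json:"posted_at"`
	AmountCents int64  `json:"amount_cents"`
}

type SignedEntry struct {
	Entry Entry
	Sig   []byte
}

// NewSigner makes an in-memory Ed25519 keypair as a stand-in for the HSM (assumption),
// which in production performs the Sign calls without ever releasing the key.
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// entryMessage adds a domain tag so an entry signature can never pass as a period seal, or vice versa.
func entryMessage(e Entry) []byte {
	b, _ := json.Marshal(e)
	return append([]byte("aleq-entry-v1\x00"), b...)
}

func SignEntry(priv ed25519.PrivateKey, e Entry) SignedEntry {
	return SignedEntry{Entry: e, Sig: ed25519.Sign(priv, entryMessage(e))}
}

func VerifyEntry(pub ed25519.PublicKey, se SignedEntry) bool {
	return ed25519.Verify(pub, entryMessage(se.Entry), se.Sig)
}

// periodDigest hash-chains every signed entry (bytes plus signature) in posting
// order, so editing, dropping, inserting or reordering any entry changes it.
func periodDigest(periodID string, entries []SignedEntry) []byte {
	prev := sha256.Sum256([]byte("aleq-period-v1\x00" + periodID))
	for _, se := range entries {
		leaf := sha256.Sum256(append(entryMessage(se.Entry), se.Sig...))
		prev = sha256.Sum256(append(prev[:], leaf[:]...))
	}
	return prev[:]
}

// sealMessage binds the period ID, the entry count and the chain digest.
func sealMessage(periodID string, n int, digest []byte) []byte {
	var count [8]byte
	binary.BigEndian.PutUint64(count[:], uint64(n))
	msg := append([]byte("aleq-seal-v1\x00"+periodID+"\x00"), count[:]...)
	return append(msg, digest...)
}

func SealPeriod(priv ed25519.PrivateKey, periodID string, entries []SignedEntry) []byte {
	return ed25519.Sign(priv, sealMessage(periodID, len(entries), periodDigest(periodID, entries)))
}

// VerifyPeriod is the auditor's check: every entry must carry a valid signature
// and the seal must match the digest recomputed from the entries presented.
func VerifyPeriod(pub ed25519.PublicKey, periodID string, entries []SignedEntry, seal []byte) (bool, string) {
	for i, se := range entries {
		if !VerifyEntry(pub, se) {
			return false, fmt.Sprintf("entry %d (%s): signature does not verify", i, se.Entry.ID)
		}
	}
	if !ed25519.Verify(pub, sealMessage(periodID, len(entries), periodDigest(periodID, entries)), seal) {
		return false, "period seal does not match the entries presented"
	}
	return true, "ok"
}

// SampleLedger is a constructed three-line period, not real customer data.
func SampleLedger() []Entry {
	return []Entry{
		{ID: "je-0001", Tenant: "acme", PostedAt: "2026-03-02T09:15:00Z", AmountCents: 1240000},
		{ID: "je-0002", Tenant: "acme", PostedAt: "2026-03-02T09:15:00Z", AmountCents: -1240000},
		{ID: "je-0003", Tenant: "acme", PostedAt: "2026-03-31T17:00:00Z", AmountCents: 880000},
	}
}

func main() {
	pub, priv := NewSigner()
	signed := []SignedEntry{}
	for _, e := range SampleLedger() {
		signed = append(signed, SignEntry(priv, e))
	}
	seal := SealPeriod(priv, "2026-03", signed)
	fmt.Println(VerifyPeriod(pub, "2026-03", signed, seal))
}
```

Because the seal covers the entry count and the chain in posting order, dropping, inserting or reordering an entry fails the seal even when every remaining entry still carries a valid signature; an edited amount fails at the entry signature first. The seal also names the period, so a valid seal from one period cannot be presented for another.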
Access controls
- SSO — SAML 2.0 and OIDC supported (Okta, Azure AD, Google Workspace).
- SCIM — automatic user provisioning and deprovisioning.
- RBAC — granular, per-action permission model. Standard roles + custom role builder.
- MFA — required for all human users on privileged actions. Hardware security keys supported.
Vulnerability disclosure
If you believe you've found a security vulnerability in Aleq, please email security@aleq.com. We acknowledge reports within 24 hours and aim to remediate critical issues within 14 days.
We operate a bug bounty program in coordination with HackerOne. Eligible reports receive bounties from $500 to $25,000 based on severity and impact. Full scope and rules are at aleq.com/bounty.
Incident response
Aleq maintains a 24/7 security operations center. In the event of a customer-impacting security incident:
- Initial customer notification within 24 hours.
- Status updates every 4 hours during the active phase.
- Final post-incident report within 5 business days, including cause, scope, remediation, and prevention measures.
Penetration testing
Aleq commissions an annual external penetration test by an independent firm (Trail of Bits, 2026-Q1). Customers can request the executive summary under NDA.
Customer references
The following customers have agreed to share their security review experience with Aleq under NDA:
- Foxwell Robotics — Series C hardware company
- Helix Cloud — Series C SaaS company
- Loft Marketplace — Series B marketplace company
Contact security@aleq.com to request introductions.
