SOC 2 Type II compliance in progress

Security at AlertFlow

Your alert data is sensitive. We treat it that way.

Security practices

Encryption in transit

All data transmitted between clients and AlertFlow is encrypted using TLS 1.3. We enforce HSTS with a minimum 2-year max-age.

Encryption at rest

All customer data is encrypted at rest using AES-256. Database backups are encrypted independently.

Access controls

AlertFlow uses role-based access control (RBAC). Production database access is restricted to a minimal set of engineers with MFA enforced.

Infrastructure security

Hosted on DigitalOcean with private networking between services. Firewall rules restrict all inbound traffic except HTTPS. SSH access via certificate only.

Secrets management

API keys, credentials, and secrets are never stored in code. All secrets are managed via environment variables and a dedicated secrets manager.

Dependency scanning

Automated dependency vulnerability scanning runs on every pull request. Critical CVEs trigger immediate patching.

SOC 2 Type II: in progress

We are currently completing our SOC 2 Type II audit. Our controls have been designed from day one to meet the Trust Service Criteria across Security, Availability, and Confidentiality. We expect certification in Q2 2025.

Enterprise customers can request our current security posture documentation under NDA. Contact security@alertflow.io.

Responsible disclosure

If you believe you have found a security vulnerability in AlertFlow, please report it to us responsibly. We ask that you:

  • Do not access or modify customer data
  • Do not disrupt the service
  • Report the vulnerability to security@alertflow.io with full details
  • Give us reasonable time to patch before public disclosure

We do not currently offer a bug bounty program, but we will acknowledge your contribution publicly if you wish and work to remediate all valid reports promptly.

PII handling in alert payloads

Alert payloads sent from RMM and monitoring tools often contain personally identifiable information (device names, user names, IP addresses). AlertFlow:

  • Stores alert payloads encrypted at rest
  • Does not share payload data with third parties except for delivery (notification channels)
  • Retains raw payload data according to your plan's retention period
  • Provides data deletion endpoints via API for GDPR/CCPA compliance