Security | Alethia Intelligence

Security Is Foundational, Not an Afterthought

Every architectural decision at Alethia is made with security as a primary constraint — not a feature to add later. Here's exactly how we protect your data and your clients' accounts.

Defence in Depth

Alethia is built with a layered security model. No single point of failure. Every layer — from network to application to data — has independent security controls.

We follow the principle of least privilege throughout: OAuth scopes are minimal, database rows are isolated by tenant, and API tokens expire within 24 hours. Nothing persists longer than necessary.

HTTPS Everywhere

All connections encrypted with TLS 1.2+. No unencrypted endpoints.

Cloudflare Protection

DDoS mitigation, WAF, and bot management at the edge.

GCP Infrastructure

Hosted on Google Cloud Platform with SOC 2 Type II certified infrastructure.

Human-in-the-Loop

3-layer approval chain. No changes execute without your explicit approval.

Enterprise-Grade Infrastructure

HTTPS / TLS Encryption

All traffic to and from Alethia is encrypted using TLS 1.2 or higher. HSTS is enforced with a long max-age directive. There are no mixed-content pages and no downgrade attack vectors.

Cloudflare CDN & DDoS Protection

Our domain is proxied through Cloudflare's global CDN, which provides automatic DDoS mitigation, Web Application Firewall (WAF), bot management, and edge-level threat intelligence — all at no cost to response time.

GCP with SOC 2 Type II

Alethia's backend services run on Google Cloud Platform, which maintains SOC 2 Type II, ISO 27001, and PCI DSS certifications. Physical security, redundancy, and infrastructure compliance are Google's responsibility — and they take it seriously.

Row-Level Database Security

Every database table in Alethia has Row-Level Security (RLS) policies enforced at the database layer. Even if application code had a bug, a tenant's data cannot be accessed by another tenant's queries — the database rejects the query outright.

Supabase + PostgreSQL Encryption at Rest

All data is stored in Supabase (PostgreSQL), with AES-256 encryption at rest provided by the underlying GCP infrastructure. Database backups are encrypted with the same standard.

Email Security (SPF / DKIM / DMARC)

Our email domain (alethia-intelligence.ai) is configured with SPF hard-fail (-all), DKIM signing, and DMARC policy. This prevents email spoofing and phishing attacks using our domain.

Zero-Trust Access Model

Alethia treats every request as potentially untrusted. Authentication is verified on every API call, authorisation is checked at the database row level, and sessions expire automatically.

OAuth 2.0 for All Platform Integrations

Every platform connection (Google, Meta, LinkedIn, TikTok) uses the platform's official OAuth 2.0 flow. We never ask for or store your platform passwords. Tokens are stored encrypted and deleted immediately on disconnect.

JWT Tokens — 24-Hour Expiry

Authentication tokens are short-lived JSON Web Tokens with a 24-hour maximum lifetime. Refresh is handled transparently. Compromised tokens expire quickly.

PBKDF2 Password Hashing

User passwords are hashed using PBKDF2 with a per-user salt. Plain-text passwords are never stored and cannot be recovered — only verified.

HMAC Signing on OAuth State Parameters

The OAuth state parameter used in all platform connection flows is HMAC-signed, preventing CSRF attacks during the authorisation process.
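One way an HMAC-signed state value can be issued and checked, as an added example that is not Alethia's own code. The function names, the payload fields (session id, platform, nonce, timestamp), HMAC-SHA256 and the 10-minute validity window are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: a server-side secret; a real deployment loads it from a secret store.
STATE_KEY = secrets.token_bytes(32)
MAX_AGE_SECONDS = 600  # assumed window for one authorisation round trip


def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_state(session_id, platform, now=None):
    """Return 'payload.tag', binding the state to one session and one platform."""
    claims = {"sid": session_id, "p": platform,
              "n": secrets.token_hex(8),  # nonce makes every state value unique
              "t": int(time.time() if now is None else now)}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(STATE_KEY, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(tag)


def verify_state(state, session_id, platform, now=None):
    """Accept the callback only if the tag, session, platform and age all match."""
    try:
        body, tag = state.split(".")
        payload = b64d(body)
        expected = hmac.new(STATE_KEY, payload, hashlib.sha256).digest()
        # Constant-time comparison; the payload is parsed only after it authenticates.
        if not hmac.compare_digest(expected, b64d(tag)):
            return False
        claims = json.loads(payload)
    except ValueError:  # wrong shape, bad base64 or bad JSON
        return False
    age = (time.time() if now is None else now) - claims["t"]
    same_session = hmac.compare_digest(claims["sid"].encode(), session_id.encode())
    return same_session and claims["p"] == platform and 0 <= age <= MAX_AGE_SECONDS
```

The signature alone does not stop a captured state value from being replayed inside the validity window; recording used nonces server-side would close that gap.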

Multi-Tenant Isolation

Tenants (agency accounts) are completely isolated from each other. Queries are automatically scoped to the authenticated tenant via RLS policies — cross-tenant data access is architecturally impossible.

Authentication Flow

1. User submits credentials
2. PBKDF2 hash verified
3. JWT issued (24h expiry)
4. RLS enforced on every query

Tenant-scoped data access

Minimal Data, Maximum Protection

Data Type | How We Handle It | Retention
OAuth Tokens | Encrypted at rest using AES-256. Scoped to minimum required permissions. Deleted immediately when you disconnect a platform. | Until disconnected
Audit Data | GTM container snapshots and audit results are stored in your tenant's isolated database partition. | 90 days, then purged
Account Data | User profiles, settings, and preferences are retained while your account is active. | 30 days after account closure
Session Tokens | Stored in localStorage (not cookies). No cross-site tracking. Expire after 24 hours. | 24 hours maximum
Ad Account Data | Campaign metrics and ad data fetched on-demand and cached temporarily for performance. | 24-hour cache, then re-fetched
Logs & Audit Trail | All actions performed through Alethia are logged for your review and rollback capability. | 90 days

No Tracking Cookies

We don't use tracking cookies. Session state is stored in localStorage only. No third-party analytics that track you across sites.

No Data Sales

Your data is never sold to third parties. We don't monetise user data. Ever. Our business model is software subscriptions.

Cross-Border Compliance

Data handling complies with GDPR (EU), CCPA (California), and POPIA (South Africa) regardless of where you're located.

Least Privilege on Every Integration

We request only the minimum OAuth scopes necessary for each platform. Here's exactly what permissions Alethia requests and why.

Google (Ads, GTM, GA4 & Search Console)

Read: Google Ads — campaign performance, account structure
Read/Write: Google Tag Manager — container management with human approval on all writes
Read: Google Analytics 4 — acquisition reporting, conversion tracking, ROAS validation
Read: Google Search Console — search performance, URL inspection, sitemap management

Meta (Facebook Ads)

Read: read_insights — ad performance data only
Read: ads_read — campaign structure and settings
Note: Data deletion callback implemented as required by Meta

LinkedIn Ads

Read: r_ads — read-only access to ad accounts and campaigns
Read: r_ads_reporting — performance reporting data

TikTok Ads

Managed: TikTok Ads API — full campaign management with human approval on all mutations
Safety: All spend changes, pause/resume, and creative changes require explicit user approval

3-Layer Approval on Every Action

Alethia's approval chain ensures no change — to your ad campaigns or GTM containers — executes without your knowledge and consent.

AI Reviewer

Analyses the proposed action for risk, correctness, and potential side effects across all connected platforms.

Confidence Router

Classifies actions as GREEN (low risk), YELLOW (medium risk), or RED (high risk) based on scope and reversibility.

Human Gate

You see the proposed change, the AI reasoning, the risk classification, and expected outcome. You approve or reject.

Execute & Log

The approved change executes. Every action is logged with timestamp, user, reasoning, and a rollback snapshot.

Report a Security Issue

We take security reports seriously. If you've found a vulnerability in Alethia, please contact us directly. We commit to acknowledging reports within 48 hours.

Security Email: [email protected]
Response Commitment: Acknowledge within 48 hours
Scope: alethia-intelligence.ai and all subdomains

Please do not publicly disclose a vulnerability before giving us a reasonable opportunity to address it. We appreciate responsible disclosure and will credit researchers who follow this process (if desired).

Questions about security?

Our team is happy to discuss our security architecture in detail with enterprise customers or security researchers.
