Trust

Security at Altha

Your product data is sensitive. Here is how we protect it, with every claim sourced to the code or a public certification.

Last updated: May 2026

Data protection

All data is encrypted in transit with TLS 1.2 or higher, and at rest with AES-256. Database storage lives in Supabase's Frankfurt (eu-central-1) region, keeping your data inside the European Union.

  • TLS 1.2 or higher on every connection.
  • AES-256 encryption at rest for the database, backups, and file storage.
  • Data residency for the primary store in Frankfurt, Germany (EU).
  • Organization-level isolation enforced by PostgreSQL Row Level Security, with policies that check organization_id on every read and write.
  • Append-only audit log: only INSERT and SELECT policies exist on the audit_logs table; UPDATE and DELETE are absent.

Authentication and access control

Authentication is handled by Clerk, a SOC 2 Type II certified identity provider. Every API route checks the session and the role before any work runs.

  • Clerk-managed sessions; we never store session tokens server-side.
  • Role-based access control with three roles: admin, editor, viewer.
  • Every API route is wrapped by withAuth(), which validates the Clerk session, extracts the organization ID, and checks the role.
  • Organization-scoped data: one organization cannot read or write another organization's records, enforced both at the application layer and at the database layer.
  • No shared service account or shared API key is used for user-facing queries.
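An added illustration of the wrapper pattern described above, not Altha's own code: Clerk's session verification is replaced by a constructed in-memory token table so it runs offline, the request and response shapes are simplified, and the role ranking, the route name and the feature store are assumptions. The point it makes is that the organization ID the handler filters on comes from the verified session, never from the request body.

```typescript
// Added example, not Altha's code. Clerk is replaced by a constructed in-memory
// session table (assumption) so the wrapper can be exercised offline.
type Role = "admin" | "editor" | "viewer";
const ROLE_RANK: Record<Role, number> = { viewer: 0, editor: 1, admin: 2 };

interface ApiRequest { headers: Record<string, string | undefined>; body: unknown }
interface ApiResponse { status: number; body: unknown }
interface AuthContext { userId: string; orgId: string; role: Role }
type Handler = (req: ApiRequest, ctx: AuthContext) => ApiResponse;

interface Session { userId: string; orgId: string | null; role: Role }
// Constructed stand-in for Clerk: bearer token -> user, active organization, role.
const SESSIONS: Record<string, Session | undefined> = {
  "tok-admin-a": { userId: "user_1", orgId: "org_a", role: "admin" },
  "tok-viewer-a": { userId: "user_2", orgId: "org_a", role: "viewer" },
  "tok-no-org": { userId: "user_3", orgId: null, role: "admin" },
};
function verifySession(req: ApiRequest): Session | null {
  const auth = req.headers["authorization"] || "";
  const token = auth.slice(0, 7) === "Bearer " ? auth.slice(7) : "";
  return SESSIONS[token] || null;
}

// withAuth(): session, active organization and role are checked before the
// handler runs; the handler receives the organization from the verified session.
export function withAuth(minRole: Role, handler: Handler) {
  return (req: ApiRequest): ApiResponse => {
    const session = verifySession(req);
    if (!session) return { status: 401, body: { error: "unauthenticated" } };
    if (!session.orgId) return { status: 403, body: { error: "no active organization" } };
    if (ROLE_RANK[session.role] < ROLE_RANK[minRole]) {
      return { status: 403, body: { error: "requires role " + minRole } };
    }
    return handler(req, { userId: session.userId, orgId: session.orgId, role: session.role });
  };
}

// Constructed feature store (assumption): each feature belongs to exactly one org.
export const FEATURES: Record<string, { orgId: string; title: string } | undefined> = {
  feat_1: { orgId: "org_a", title: "Export to CSV" },
  feat_2: { orgId: "org_b", title: "SSO login" },
};

// Example route: editors and admins may delete, viewers may not. The org filter is
// ctx.orgId; an organization_id supplied by the client in the body is never read.
export const deleteFeature = withAuth("editor", (req, ctx) => {
  const { id } = req.body as { id: string; organization_id?: string };
  const feature = FEATURES[id];
  if (!feature || feature.orgId !== ctx.orgId) {
    // Same answer for "belongs to another org" and "does not exist": no existence oracle.
    return { status: 404, body: { error: "not found" } };
  }
  delete FEATURES[id];
  return { status: 200, body: { deleted: id } };
});

// Builds a request carrying an optional bearer token.
export function request(token: string | null, body: unknown): ApiRequest {
  return { headers: token ? { authorization: "Bearer " + token } : {}, body };
}
```

A client that names another organization_id in the body gets the same 404 as for a record that does not exist, so the route leaks nothing about other tenants. The Row Level Security policies described under Data protection are the second, independent enforcement of the same organization boundary; a bug in the wrapper should not be enough on its own to cross it.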

AI processing

Altha uses Anthropic's Claude API for conversational product discovery, PRD analysis, and graph audits. AI processing requires explicit, organization-level consent before any content is sent to Anthropic.

  • One-time organization-level consent required before any AI processing. Consent is stored on the organization record and checked on every chat or audit call.
  • Anthropic stores API inputs and outputs for up to 30 days for abuse review, then deletes them. API data is not used for model training. Source: Anthropic commercial data retention policy.
  • All AI interactions are recorded in the audit trail as action types only. No prompts, responses, feature titles, or PRD text are stored in the audit log.
  • AI-generated features and dependencies require explicit user confirmation in the UI before they are written to the graph.

Infrastructure

Altha runs on Vercel for the application layer and Supabase for the primary data store. Both providers are SOC 2 Type II compliant. Vercel is also ISO 27001:2022 certified and a participant in the EU-U.S. Data Privacy Framework.

  • Vercel: edge network with automatic HTTPS, DDoS mitigation, and serverless functions pinned to the Frankfurt (fra1) region. The edge cache itself is global, so cached responses may be served from points of presence outside the EU.
  • Supabase: managed PostgreSQL with Row Level Security, automated backups encrypted at rest, point-in-time recovery available.
  • Upstash Redis (EU region): rate limiting and caching, with TLS in transit and encryption at rest.
  • Rate limiting on every write endpoint, scoped per organization or per user depending on the route.
  • Security headers on every response: HSTS (2 years, preload), Content-Security-Policy, X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, Permissions-Policy.
  • Sentry error tracking with request bodies, cookies, and console breadcrumbs stripped before the event is sent.

GDPR compliance

GDPR compliance is a starting requirement, not an aspiration. Data processing follows the principles of data minimization and purpose limitation. Specific rights are wired directly into the product.

  • Data portability (Article 20): export all organization data as JSON from settings.
  • Right to erasure (Article 17): delete all organization data from settings. Admin role required. Audit logs are anonymized rather than deleted.
  • Cookies and browser storage: essential only. The Clerk session cookie is the only cookie; the cookie-banner dismissal flag is kept in localStorage, not in a cookie. No analytics, advertising, or tracking cookies.
  • AI processing consent: explicit, organization-level opt-in required before any data leaves the EU for AI processing.
  • Audit log anonymization: on account deletion, user_id values in the audit_logs table are replaced with a fixed placeholder.
  • Data Processing Agreements: in place or pending with every sub-processor listed below.

Audit logging

Every data mutation in Altha is recorded in an append-only audit log. Each row captures the action type, entity type, entity ID, user ID, organization ID, and timestamp. User-generated content (feature titles, PRD text, chat messages) is never stored in the audit log.

  • Append-only: only INSERT and SELECT policies exist on audit_logs at the database level.
  • Every mutation logged: feature creation, dependency changes, settings updates, AI consent grants, account deletions, and more.
  • No user-generated content in logs. Audit rows reference entity IDs and action types only.
  • Organization-scoped: each organization can read only its own audit log.
  • Retained for security analytics; anonymized on account deletion (user IDs replaced with a fixed placeholder), then purged after 24 months.

Input validation and sanitization

All user input is validated and sanitized before storage. File uploads are verified by their content (magic bytes where the format has them), not by the file extension.

  • User-generated text fields are stripped of HTML tags and ASCII control characters before storage. Stored text is rendered through React, which escapes text nodes automatically. Links surfaced in assistant responses are restricted to http and https schemes at render time; other schemes (javascript:, data:, vbscript:, file:) are rendered as plain text.
  • File upload validation: magic byte check for PDF (%PDF-) and DOCX (a ZIP container, PK\x03\x04 signature). Markdown and plain text have no magic bytes, so for those formats the check can only be on the content itself (for example valid, NUL-free UTF-8), not on a signature.
  • Figma URL allowlist: only figma.com (with a /file/ or /design/ path) is accepted.
  • File size cap of 10 MB enforced server-side, after the magic byte check.
  • Input length limits on every text field (titles, descriptions, tags, chat messages).
  • JSON body validation at the entry of every API route; malformed bodies return 400 with a specific error.
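The checks in the list above, as an added example in TypeScript that is not Altha's code: sanitizeText, safeHref, isAllowedFigmaUrl and validateUpload are assumed names, the 10 MB cap and the PDF and ZIP signatures are as stated on this page, and the UTF-8 fallback for Markdown and plain text is an assumption about how a format with no magic bytes would be checked.

```typescript
// Added example, not Altha's code. Names, the text-content fallback and the
// hostname allowlist are assumptions; the 10 MB cap matches the page.

// --- Text fields: strip tags and ASCII control characters, then enforce a length
// limit. Tag stripping is lossy ("a < b and c > d" loses its middle) and is not the
// XSS boundary; React's escaping of text nodes at render time is. Returns null when
// the field is over its limit so the route can answer 400.
const TAG_RE = /<[^>]*>/g;
const CONTROL_RE = /[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/g; // keeps \t \n \r
export function sanitizeText(input: string, maxLen: number): string | null {
  const cleaned = input.replace(TAG_RE, "").replace(CONTROL_RE, "").trim();
  return cleaned.length > maxLen ? null : cleaned;
}

// --- Links in assistant output: allowlist http/https at render time. The WHATWG URL
// parser lowercases the scheme and strips leading whitespace and embedded tab/newline,
// so "  JaVaScRiPt:" and "java\tscript:" are classified correctly. Anything that is
// not an absolute http(s) URL returns null and is rendered as plain text.
export function safeHref(raw: string): string | null {
  let url: URL;
  try { url = new URL(raw); } catch { return null; }
  return url.protocol === "http:" || url.protocol === "https:" ? url.href : null;
}

// --- Figma import: exact hostname match (not includes/endsWith, which would let
// figma.com.evil.test through), https only, and a /file/ or /design/ path.
const FIGMA_HOSTS = ["figma.com", "www.figma.com"];
export function isAllowedFigmaUrl(raw: string): boolean {
  let url: URL;
  try { url = new URL(raw); } catch { return false; }
  return url.protocol === "https:"
    && FIGMA_HOSTS.indexOf(url.hostname) !== -1
    && /^\/(file|design)\//.test(url.pathname);
}

// --- Uploads: sniff the leading bytes, then apply the size cap, then (for formats
// with no signature) check the content. PDF starts with "%PDF-"; DOCX is a ZIP
// container starting with "PK\x03\x04", so any ZIP passes this first gate and a
// full DOCX check must also open the archive and look for [Content_Types].xml and
// word/document.xml. Markdown and plain text have no magic bytes, so they are
// accepted only if they are NUL-free, valid UTF-8 (assumption).
export const MAX_UPLOAD_BYTES = 10 * 1024 * 1024;
export type UploadKind = "pdf" | "docx" | "text";
export type UploadResult = { ok: true; kind: UploadKind } | { ok: false; reason: string };
const PDF_SIG = [0x25, 0x50, 0x44, 0x46, 0x2d]; // "%PDF-"
const ZIP_SIG = [0x50, 0x4b, 0x03, 0x04];       // "PK\x03\x04"
const startsWith = (b: Uint8Array, sig: number[]) => sig.every((v, i) => b[i] === v);
function isPlainText(b: Uint8Array): boolean {
  if (b.indexOf(0) !== -1) return false;
  try { new TextDecoder("utf-8", { fatal: true }).decode(b); return true; } catch { return false; }
}
export function validateUpload(bytes: Uint8Array, declared: UploadKind): UploadResult {
  const sniffed: UploadKind | null =
    startsWith(bytes, PDF_SIG) ? "pdf" : startsWith(bytes, ZIP_SIG) ? "docx" : null;
  if (bytes.byteLength > MAX_UPLOAD_BYTES) return { ok: false, reason: "exceeds 10 MB" };
  const kind = sniffed || (isPlainText(bytes) ? "text" : null);
  if (kind === null) return { ok: false, reason: "unrecognised content" };
  if (kind !== declared) return { ok: false, reason: "content is " + kind + ", declared " + declared };
  return { ok: true, kind };
}
```

Two caveats worth carrying into a real implementation: the ZIP signature accepts any ZIP archive, so a DOCX check that stops at magic bytes is a type hint rather than a guarantee; and a size cap evaluated after the request body has already been buffered bounds what is stored, not what is read, so the same limit should also be set at the framework or edge layer.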

Sub-processors

Altha relies on the following third-party services to operate. Each one maintains relevant security certifications and either has, or is in the process of signing, a Data Processing Agreement.

Provider  | Purpose                           | Region                                                  | Compliance
Supabase  | Database and file storage         | Frankfurt (eu-central-1), EU                            | SOC 2 Type II, GDPR
Anthropic | AI processing (Claude API)        | United States                                           | SOC 2 Type II; 30-day max retention; not used for model training
Vercel    | Application hosting, edge network | Functions pinned to Frankfurt (fra1); edge cache global | SOC 2 Type II, ISO 27001:2022, EU-US DPF
Clerk     | Authentication and identity       | United States                                           | SOC 2 Type II
Upstash   | Rate limiting and caching (Redis) | Frankfurt (eu-central-1), EU                            | SOC 2 Type II
Sentry    | Error tracking (no user content)  | United States                                           | SOC 2 Type II

Personal data of EU residents that reaches a US sub-processor is covered by the EU-U.S. Data Privacy Framework where the provider is certified, by Standard Contractual Clauses (Module 2 or 3), or by both. We disclose every sub-processor explicitly rather than relying on an aggregate "trusted partners" line.

Reporting a vulnerability

If you find a security vulnerability, tell us. We acknowledge every report and aim to respond within 48 hours. Please include a clear description, the steps to reproduce, and the potential impact.

Security disclosures: security@altha.ai

We do not run a paid bounty during alpha, but we do credit reporters on request.
