Security at Alloy
Security and correctness of customer data are paramount to us at Alloy. We have embedded both correctness and data security not only in Alloy's software development lifecycle processes, but also in company-wide processes. The goal of our security processes is to prevent data leakage and loss, maintain a highly available platform, and serve data at the highest possible quality.
Alloy follows industry best practices for its network security. Network traffic is only allowed based on a need-to-know principle. All traffic goes through HTTPS and is encrypted. Alloy has an A rating from Security Headers. Firewalls and intrusion detection systems are in place at the Google level as well as within the infrastructure managed by Alloy.
Alloy regularly engages third-party security researchers to conduct penetration tests using a grey-box, risk-based and time-framed approach according to the OWASP Application Security Verification Standard (ASVS). Single Sign-On is supported via SAML, allowing customers to enforce their corporate security best practices.
Data Security & Privacy
Alloy encrypts data at rest and in transit for all of our customers. Alloy stores all customer data in Google Cloud Platform, which is encrypted at rest by default. All data in transit and all requests to Alloy services are encrypted with TLS 1.2. HTTPS is enforced via the Strict-Transport-Security header and by directing all traffic to TLS-secured endpoints. Alloy has an A+ rating from SSL Labs. Alloy is GDPR compliant, and only engages with data sub-processors who are also GDPR compliant.
Security Certifications & Compliance
Alloy maintains a SOC2 Type II for Security
Alloy prioritizes data protection, control and compliance with GDPR
Alloy prioritizes data protection, control and compliance with CCPA