
Security & Compliance

Written by Stav Levi
Updated today

1.  Why this matters

Alta’s AI agents operate inside your revenue stack, so we treat security and privacy with the same gravity you treat pipeline value. The controls below map to SOC 2 Type II, ISO 27001, GDPR, CCPA and industry‑specific email/telecom regulations (CAN‑SPAM, CASL, TCPA).


2.  End‑to‑end data flow

Stage | Encryption | Purpose | Retention
--- | --- | --- | ---
Ingress (API/OAuth, CSV, web‑forms) | TLS 1.2+ | Ingest prospect & CRM data | Ephemeral (≤ 24 h queue)
Processing (Katie/Alex models) | AES‑256 at rest, TLS in transit | Personalisation, call/email generation | 30 days*
Storage (vector DB + S3) | AES‑256 | Re‑use for follow‑ups, analytics | 90 days after contract end*
Egress (email, LinkedIn, voice) | TLS / SRTP | Deliver messages & calls | Copies stored only in your channels

* Custom retention schedules available on Enterprise plans.

Download the full data‑flow diagram (PDF) → link‑placeholder


3.  Certifications & third‑party audits

Framework | Status | Report / badge
--- | --- | ---
SOC 2 Type II | Passed (renewed annually) | Request report
ISO 27001:2022 | Certified | Certificate #ALT‑ISO‑23‑04
Penetration test | Independent, twice‑yearly | Executive summary available
Bug bounty | Ongoing via HackerOne | Policy link


4.  Legal & regulatory compliance

4.1 GDPR / UK GDPR

  • Data Processing Agreement (DPA) – available for e‑signature in the Admin portal.

  • Sub‑processor list – AWS (Frankfurt, Oregon), Twilio, Postmark, Slack; 30‑day notice on changes.

  • Data subject rights – export / erase request turnaround: ≤ 7 days.

4.2 CCPA / CPRA

  • We act as a “Service Provider”; no data is sold.

  • Opt‑out mechanism surfaces in every Alta‑sent email footer.

4.3 Email & Telephony laws

  • CAN‑SPAM / CASL footers auto‑inserted by Katie.

  • Alex checks local time zone before dialling to stay within TCPA “quiet hours”.


5.  Access control & Identity

Feature | Details
--- | ---
Role‑based access control (RBAC) | Four built‑in roles: Owner, Admin, Manager, Rep (see full matrix in 8.4 Roles & SSO configuration).
SSO | SAML 2.0 & OAuth (Google, Okta, Azure AD, OneLogin).
SCIM | Auto‑provision/de‑provision users on Professional + plans.
Audit log | Immutable logs for log‑ins, settings changes and data exports (retained 1 year).


6.  Network & infrastructure

  • Cloud provider: AWS (multi‑AZ, encrypted EBS & S3).

  • WAF & DDoS: AWS Shield + CloudFront.

  • Secrets management: AWS KMS, rotation < 90 days.

  • Continuous vulnerability scanning: Snyk on every build; CVEs fixed ≤ 14 days (high/critical).


7.  Incident response

SLA | Target
--- | ---
Detection → customer notification | ≤ 24 h
Status updates | Every 4 h until resolution
Root‑cause analysis report | ≤ 5 business days

Contact: [email protected] · 24/7 pager coverage.


8.  Customer responsibilities

  1. Provision least‑privilege roles to team members.

  2. Keep LinkedIn & email credentials in your own SSO; never share passwords with Alta.

  3. Honour local consent laws when uploading contact lists.

  4. Promptly install CRM app updates (they include permission scope changes).


9.  FAQs

Question | Answer
--- | ---
Where is my data stored? | Default region is US‑East (N. Virginia). EU cluster available on request.
Can I request a custom DPA or SCCs? | Yes—email [email protected]. Turn‑around ≤ 5 business days.
Do you support HIPAA? | Not today; healthcare customers should use de‑identified data only.
How do I delete all data after churn? | Admin → Settings → “Purge workspace”. Data erased within 72 h; confirmation log emailed.


Need more info?

Email [email protected] for audit reports, pen‑test summaries or sub‑processor lists.
For day‑to‑day questions, open a ticket via the in‑app Help widget.
