1. Why this matters
Alta’s AI agents operate inside your revenue stack, so we treat security and privacy with the same gravity you give to pipeline value. The controls below map to SOC 2 Type II, ISO 27001, GDPR, CCPA and industry‑specific email/telecom regulations (CAN‑SPAM, CASL, TCPA).
2. End‑to‑end data flow
| Stage | Encryption | Purpose | Retention |
| --- | --- | --- | --- |
| Ingress (API/OAuth, CSV, web‑forms) | TLS 1.2+ | Ingest prospect & CRM data | Ephemeral (≤ 24 h queue) |
| Processing (Katie/Alex models) | AES‑256 at rest, TLS in transit | Personalisation, call/email generation | 30 days* |
| Storage (vector DB + S3) | AES‑256 | Re‑use for follow‑ups, analytics | 90 days after contract end* |
| Egress (email, LinkedIn, voice) | TLS / SRTP | Deliver messages & calls | Copies stored only in your channels |
* Custom retention schedules available on Enterprise plans.
3. Certifications & third‑party audits
| Framework | Status | Report / badge |
| --- | --- | --- |
| SOC 2 Type II | Passed (renewed annually) | Request report |
| ISO 27001:2022 | Certified | Certificate #ALT‑ISO‑23‑04 |
| Penetration test | Independent, twice‑yearly | Executive summary available |
| Bug bounty | Ongoing via HackerOne | Policy link |
4. Legal & regulatory compliance
4.1 GDPR / UK GDPR
Data Processing Agreement (DPA) – available for e‑signature in the Admin portal.
Sub‑processor list – AWS (Frankfurt, Oregon), Twilio, Postmark, Slack; 30‑day notice on changes.
Data subject rights – export / erase request turnaround: ≤ 7 days.
4.2 CCPA / CPRA
We act as a “Service Provider”; no data is sold.
Opt‑out mechanism surfaces in every Alta‑sent email footer.
4.3 Email & Telephony laws
CAN‑SPAM / CASL footers auto‑inserted by Katie.
Alex checks local time zone before dialling to stay within TCPA “quiet hours”.
5. Access control & Identity
| Feature | Details |
| --- | --- |
| Role‑based access control (RBAC) | Four built‑in roles: Owner, Admin, Manager, Rep (see full matrix in 8.4 Roles & SSO configuration). |
| SSO | SAML 2.0 & OAuth (Google, Okta, Azure AD, OneLogin). |
| SCIM | Auto‑provision/de‑provision users on Professional + plans. |
| Audit log | Immutable logs for log‑ins, settings changes and data exports (retained 1 year). |
6. Network & infrastructure
Cloud provider: AWS (multi‑AZ, encrypted EBS & S3).
WAF & DDoS: AWS Shield + CloudFront.
Secrets management: AWS KMS, rotation < 90 days.
Continuous vulnerability scanning: Snyk on every build; CVEs fixed ≤ 14 days (high/critical).
7. Incident response
| SLA | Target |
| --- | --- |
| Detection → customer notification | ≤ 24 h |
| Status updates | Every 4 h until resolution |
| Root‑cause analysis report | ≤ 5 business days |
Contact: [email protected] · 24/7 pager coverage.
8. Customer responsibilities
Provision least‑privilege roles to team members.
Keep LinkedIn & email credentials in your own SSO; never share passwords with Alta.
Honour local consent laws when uploading contact lists.
Promptly install CRM app updates (they include permission scope changes).
9. FAQs
| Question | Answer |
| --- | --- |
| Where is my data stored? | Default region is US‑East (N. Virginia). EU cluster available on request. |
| Can I request a custom DPA or SCCs? | Yes—email [email protected]. Turn‑around ≤ 5 business days. |
| Do you support HIPAA? | Not today; healthcare customers should use de‑identified data only. |
| How do I delete all data after churn? | Admin → Settings → “Purge workspace”. Data erased within 72 h; confirmation log emailed. |
Need more info?
Email [email protected] for audit reports, pen‑test summaries or sub‑processor lists.
For day‑to‑day questions, open a ticket via the in‑app Help widget.