
Security Policy

Last updated: April 7, 2026

This page describes the security controls Alley AI currently operates. It is meant to be accurate to the code and deployment model today, not an overbroad promise of enterprise certifications or guarantees we do not have.

1. Account and Authentication Controls

  • Password-based accounts use bcrypt hashing before password data is stored.
  • Optional TOTP-based two-factor authentication is available to users who enable it.
  • Protected dashboard and API routes require authenticated sessions.
  • Session and password-change flows include checks intended to reduce stale-session risk.

2. Abuse Prevention and Access Control

  • Rate limits are applied to login, registration, password changes, billing actions, abuse reports, exports, and outreach-draft workflows.
  • Protected routes receive additional security headers intended to reduce common browser-side attack classes.
  • Administrative features are restricted to designated admin accounts.

3. Secret Handling and Sensitive Integrations

Alley AI stores some third-party credentials and tokens to operate connected services. Passwords are not stored in plain text, and selected sensitive third-party secrets, such as TikTok app secrets and certain TikTok tokens, are encrypted before database storage.

Payment card data is handled by Stripe. Alley AI does not store your full credit card number.

4. Transport and Infrastructure

Customer-facing Alley AI traffic is intended to be delivered over HTTPS, and the application relies on managed hosting and network providers for serving the site and protecting traffic at the edge.

We also maintain server-side operational storage for certain workflows, including outreach draft review and abuse-report intake.

5. Important Security Limits

To keep this page accurate, it is important to be clear about what Alley AI does not currently claim:

  • We do not claim that every category of user content is encrypted at the application layer while stored.
  • We do not claim SOC 2, ISO 27001, PCI scope for Alley AI itself, or similar certifications unless separately announced in writing.
  • We cannot guarantee uninterrupted service or absolute protection against every attack, outage, or third-party failure.

6. Responsible Disclosure

If you discover a security issue, report it to us privately before disclosing it publicly. Include enough detail for us to reproduce and investigate the issue safely.

Security contact: [email protected]

Please do not run destructive tests, denial-of-service activity, or attempts to access data that does not belong to you.


© 2026 Alley AI LLC. All rights reserved.