Security at Alidade

Last updated June 11, 2026

Overview

Alidade is an AI-powered platform for analyzing competitor social media messaging and digital marketing. We take the security and privacy of customer data seriously and operate a security program aligned with the SOC 2 Trust Services Criteria. This page summarizes our security practices and explains how to report a vulnerability.

Infrastructure and Hosting

Alidade is fully cloud-hosted on SOC 2 / ISO 27001-certified providers; we operate no physical data centers or servers. Our application is hosted on Vercel, with data stored in Neon (managed Postgres) and Amazon Web Services, and authoritative DNS provided by Cloudflare.

Encryption

  • In transit: All connections use TLS — user-to-edge, edge-to-origin, and application-to-datastore.
  • At rest: Customer data is encrypted at rest by default across all of our datastores.

Access Control and Authentication

  • Application authentication supports passkeys (WebAuthn).
  • Multi-factor authentication is enforced on administrative cloud accounts.
  • Access to production systems follows least-privilege principles using scoped roles and access tokens.
  • User access is reviewed periodically.

Network Security

  • Inbound traffic passes through always-on DDoS mitigation at the network edge before it reaches application code; TLS is terminated at the edge.
  • The application enforces a strict Content-Security-Policy, hardened security headers, and per-route rate limiting, with bot detection guarding sensitive routes.
  • The architecture is serverless — there are no public-facing SSH hosts or bastions.
  • Production and non-production environments are segregated with separate managed environments and credentials.

Monitoring and Logging

We maintain centralized, multi-region audit logging with integrity validation, continuous threat detection across our cloud environments, and network telemetry capture. Findings are routed to alerting for triage.

Vulnerability and Dependency Management

Dependencies are continuously scanned for known vulnerabilities. Identified vulnerabilities are triaged and remediated according to severity-based SLAs.

Secure Development

  • Source code is managed in GitHub with branch protection on the production branch.
  • Changes reach production only through reviewed pull requests.
  • CI runs automated checks (linting, type-checking, tests) on every change.

Data Privacy

Alidade analyzes publicly available social media and advertising content. Customer data handling follows our Privacy Policy, and data deletion requests are honored per that policy.

Compliance

Alidade is pursuing SOC 2 compliance. Visit our Trust Center for current compliance status and documentation, or contact security at alidade ai com for security inquiries and questionnaires.

Responsible Disclosure

We welcome reports from security researchers and the broader community. We do not currently offer monetary rewards, but we will acknowledge your report, keep you informed as we address it, and credit you publicly if you would like.

Reporting a Vulnerability

Email security at alidade ai com with a description of the issue, steps to reproduce, affected URLs or endpoints, and your assessment of impact. Our disclosure contact is also published at /.well-known/security.txt.

What to Expect

  • We will acknowledge your report within 5 business days.
  • We will keep you updated as we investigate and remediate.
  • We will notify you when the issue is resolved.

Safe Harbor

We consider security research conducted in good faith and in accordance with this policy to be authorized, and we will not pursue legal action for accidental, good-faith violations of it. When researching, please:

  • Do not access, modify, or destroy data that does not belong to you. If you encounter another user's data, stop and report it immediately.
  • Do not degrade or disrupt our services.
  • Do not use social engineering, phishing, or physical attacks.
  • Give us a reasonable opportunity to remediate before disclosing publicly.

Out of Scope

  • Findings from automated scanners without a working proof of concept
  • Missing security headers or DNS records (SPF, DMARC, DNSSEC) without a demonstrated exploit
  • Clickjacking on pages with no sensitive actions
  • Denial-of-service or volumetric attacks
  • Vulnerabilities in third-party services we do not operate