Security at Alverik

Protecting our customers’ procurement data is fundamental to everything we build. This page describes the security controls and practices that safeguard your information.

For a summary of our security and compliance posture, visit our Trust Centre.

1. Data Encryption

  • All data encrypted in transit via TLS 1.2+
  • All data encrypted at rest via AES-256 (Supabase infrastructure)
  • Webhook payloads verified via HMAC-SHA256 signatures with timing-safe comparison
  • Signed tokens include expiry timestamps to prevent replay
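As an added illustration of the webhook check described above (example code written for this page, not Alverik's own implementation), in TypeScript since that is the stack named in Section 6: the signature header layout `t=<unix seconds>,v1=<hex HMAC>` computed over `<t>.<body>`, and the 5-minute freshness window, are assumptions.

```typescript
// Added example, not Alverik's code: verify an HMAC-SHA256 signed webhook with a
// timing-safe comparison and a timestamp freshness window against replay.
// Assumed header layout: "t=<unix-seconds>,v1=<hex hmac>" over "<t>.<body>".
import { createHmac, timingSafeEqual } from "node:crypto";

const MAX_SKEW_SECONDS = 300; // assumed window: reject signatures older than 5 minutes

// Sender side: sign the body together with the timestamp so the timestamp
// itself is covered by the MAC and cannot be moved forward by a replayer.
function signPayload(secret: string, timestampSec: number, body: string): string {
  const mac = createHmac("sha256", secret).update(`${timestampSec}.${body}`).digest("hex");
  return `t=${timestampSec},v1=${mac}`;
}

// Receiver side: returns a reason so failures can be logged without leaking
// anything useful back to the caller (respond with a generic 401 either way).
function verifyWebhook(
  secret: string,
  header: string | undefined,
  body: string,
  nowSec: number = Math.floor(Date.now() / 1000),
): { ok: boolean; reason: string } {
  if (!header) return { ok: false, reason: "missing signature header" };
  const parts = new Map<string, string>();
  for (const kv of header.split(",")) {
    const i = kv.indexOf("=");
    if (i > 0) parts.set(kv.slice(0, i).trim(), kv.slice(i + 1).trim());
  }
  const tRaw = parts.get("t");
  const provided = parts.get("v1");
  if (tRaw === undefined || provided === undefined) return { ok: false, reason: "malformed header" };
  const t = Number(tRaw);
  if (!Number.isInteger(t)) return { ok: false, reason: "malformed timestamp" };
  // Freshness first: a correctly signed but stale message is a replay.
  if (Math.abs(nowSec - t) > MAX_SKEW_SECONDS) return { ok: false, reason: "timestamp outside window" };
  const expected = Buffer.from(createHmac("sha256", secret).update(`${t}.${body}`).digest("hex"), "utf8");
  const given = Buffer.from(provided, "utf8");
  // timingSafeEqual throws on length mismatch; the length of a hex MAC is not secret,
  // so checking it up front leaks nothing.
  if (given.length !== expected.length) return { ok: false, reason: "bad signature" };
  if (!timingSafeEqual(given, expected)) return { ok: false, reason: "bad signature" };
  return { ok: true, reason: "ok" };
}
```

Pass the raw request body bytes to `verifyWebhook`, not a re-serialised JSON object, since any re-encoding difference changes the MAC.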

2. Authentication & Access Control

  • Authentication via Google OAuth (no passwords stored)
  • Operator accounts require TOTP multi-factor authentication
  • Row-Level Security (RLS) on all database tables
  • Role-based access: subscriber and operator roles with least-privilege policies
  • 30-minute idle session timeout with server-side invalidation

3. Data Residency & Privacy

  • All primary data stored in Canada (ca-central-1) for PIPEDA compliance
  • CASL-compliant consent management with granular controls
  • PIPEDA-compliant account deletion with PII anonymisation
  • Soft-delete with 90-day retention before permanent purge
  • Cross-border processing disclosed for AI services (Anthropic)

4. Infrastructure Security

  • Content Security Policy (CSP) headers on all pages
  • Security headers: HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
  • Rate limiting on all API endpoints
  • Container hardening: non-root user, multi-stage builds, pinned dependencies

5. Monitoring & Incident Response

  • Structured JSON logging across all services
  • Audit trail for all user and operator actions
  • API cost tracking per subscriber, per call
  • Defined incident response procedures (P1–P4 severity levels)
  • 72-hour PIPEDA breach notification commitment

6. Development Practices

  • TypeScript strict mode with no implicit any
  • Zod runtime validation at all system boundaries
  • Automated CI/CD: typecheck, lint, test suite, build, security scanning
  • Dependency vulnerability scanning (Dependabot + npm audit)
  • CodeQL static analysis on all pull requests
  • Formal change management with PR reviews

7. Compliance

  • SOC 2 Type II (in progress)
  • PIPEDA compliant
  • CASL compliant
  • Quebec Law 25 (under review)

Questions about our security practices? Contact security@alverik.ca

Last updated: April 2026

See also our Privacy Policy and Sub-Processors page.