Data Encryption

In transit: All connections to Alpha Sentinel use TLS 1.2 or higher. Data transmitted between your browser and our servers is encrypted end-to-end. API calls to third-party data providers (market data, payment processing) also use encrypted connections.

At rest: Personally identifiable information (PII) such as your name and phone number is encrypted at rest in our database using AES-256 encryption. Database backups are encrypted using AWS-managed keys. Sensitive environment variables and API keys are stored in AWS Secrets Manager, never in source code.

Authentication & Access Control

Alpha Sentinel uses session-based authentication with secure, HTTP-only cookies. Sessions expire after 24 hours of inactivity. Key protections include:

• Passwords are hashed using bcrypt with per-user salts
• Magic link sign-in is available as a passwordless alternative, with rate limiting (3 requests per minute per email address)
• Email verification is required before account activation
• Password reset tokens are single-use and time-limited
• Subscription tier is verified server-side on every request to prevent privilege escalation

Payment Security

Alpha Sentinel does not store, process, or have access to your full credit card number, expiration date, or CVV. All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor — the highest level of certification in the payment card industry.

Subscription management, billing changes, and refunds are processed entirely through Stripe’s secure infrastructure. Your payment method details never touch our servers.

Infrastructure Security

Our production environment runs on Amazon Web Services (AWS) with the following protections:

• Compute: Application containers run on AWS ECS Fargate in a private VPC with no direct internet access to backend services
• Database: Amazon RDS PostgreSQL with encryption at rest, automated backups, and restricted network access
• Caching: Amazon ElastiCache Redis in a private subnet, accessible only from application containers
• Secrets: All credentials and API keys are managed through AWS Secrets Manager with automated rotation policies
• Load Balancing: Application Load Balancer with TLS termination and health checks
• Monitoring: Application errors and anomalies are tracked via Sentry with real-time alerting

CI/CD & Deployment Security

Code changes go through an automated pipeline before reaching production:

• Secret scanning runs on every commit to prevent accidental credential exposure
• TypeScript type-checking and automated tests run before any deployment
• Third-party GitHub Actions are pinned to specific commit SHAs to prevent supply-chain attacks
• Docker images are built in CI and promoted to production without rebuild, ensuring what was tested is what deploys
• Database migrations are validated against the production schema before execution
• Deployments use rolling updates with automatic rollback on health check failure

Data Retention & Deletion

We retain your data only as long as necessary to provide our services. You can request deletion of your account and associated data at any time through your account settings or by contacting us. For more details on data retention periods and your rights, see our Privacy Policy.

Responsible Disclosure

If you discover a security vulnerability in Alpha Sentinel, we encourage responsible disclosure. Please report vulnerabilities to our security team and allow reasonable time for remediation before public disclosure.