Security Policy
Last updated: March 1, 2026
Overview
Security is a core commitment at AluminatAI. Our platform handles sensitive GPU telemetry and cost attribution data for AI infrastructure teams. This page describes our security controls, responsible disclosure process, and uptime commitment.
To report a vulnerability, email security@aluminatiai.com.
Infrastructure Security
Encryption
- All data in transit is encrypted using TLS 1.2 or higher. TLS 1.0 and 1.1 are disabled.
- Data at rest is encrypted using AES-256 (Supabase managed encryption).
- Database backups are encrypted at rest.
Access Controls
- Row-level security (RLS) is enforced at the database layer — each user can only query their own data.
- Production database access is restricted to authorized personnel and requires multi-factor authentication.
- Service-role database credentials are never exposed to client-side code.
- API keys are generated with ~340 bits of entropy and are stored as hashed values (never in plaintext).
- Principle of least privilege is applied to all internal service accounts.
Application Security
- All API endpoints enforce server-side authentication and rate limiting (100 req/min on ingest).
- Input validation is applied to all ingested telemetry (power 0–1500 W, temp 0–120 °C, timestamp within 5 min).
- HTTP security headers: Strict-Transport-Security, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Content-Security-Policy.
- Stripe webhook signatures are verified on every webhook event.
- Dependencies are pinned and scanned for known CVEs as part of CI.
Hosting
- Application hosted on Vercel (SOC 2 Type II certified).
- Database hosted on Supabase (SOC 2 Type II certified).
- No customer data is stored on developer laptops or unmanaged systems.
Monitoring Agent Security
The AluminatAI monitoring agent runs on your infrastructure and communicates with our API over HTTPS. Agent security design:
- The agent only reads GPU telemetry via NVML — it does not access model weights, training data, or filesystem contents.
- The agent runs as a non-root dedicated system user (aluminatai) with minimal permissions.
- Systemd hardening is applied by default: NoNewPrivileges=true, PrivateTmp=true, ProtectSystem=strict.
- The agent uses a Write-Ahead Log (WAL) for local buffering — no metrics are lost during network outages.
- mTLS is supported for environments requiring mutual authentication.
The agent source code is available at github.com/aluminatai/agent and is licensed under the MIT License.
Audit Logging
All administrative actions (chargeback rate changes, API key rotation, report exports) are recorded in an immutable audit log, retained for 90 days. Enterprise customers can retrieve audit logs via the API for compliance purposes.
Responsible Disclosure
We follow a coordinated disclosure process. If you discover a security vulnerability in AluminatAI, please report it to us before disclosing it publicly.
- Email security@aluminatiai.com with a description of the vulnerability, steps to reproduce, and potential impact.
- We will acknowledge receipt within 2 business days.
- We aim to resolve critical vulnerabilities within 30 days and will keep you informed of our progress.
- We will credit researchers who responsibly disclose valid vulnerabilities (unless you prefer to remain anonymous).
We ask that you do not exploit the vulnerability, access other users' data, or disrupt the Service during your research.
Security Reviews
We conduct periodic security reviews of our infrastructure and application code. We plan to engage a third-party security firm for penetration testing as we approach SOC 2 Type I certification.
Uptime Commitment
We target 99.5% monthly uptime for the API ingest endpoint and dashboard. Planned maintenance is communicated at least 24 hours in advance.
Current service status is available at status.aluminatiai.com.
Data Breach Notification
In the event of a data breach affecting your personal information, we will notify affected users within 72 hours of becoming aware of the breach, as required by GDPR. Enterprise customers with a DPA in place will also receive notification per the terms of that agreement.
Security Questionnaires
Enterprise customers conducting vendor security assessments can access our completed security questionnaire (CAIQ-lite format) directly:
Enterprise customers requiring a Data Processing Agreement (DPA) for compliance with GDPR, CCPA, or internal procurement requirements can request one via our DPA page.