Aletheia is currently under development. For early access,contact us.

Aletheia
Sign up
Enterprise Grade

Trust Center

Security, privacy, and compliance information for the Aletheia platform. For detailed questions, contact trust@aletheiadb.com.

Security Overview

  • All data encrypted at rest (AES-256) and in transit (TLS 1.3)
  • API key authentication with SHA-256 hashed storage
  • Constant-time key comparison to prevent timing attacks
  • Row-Level Security (RLS) enforced at the database layer
  • Multi-tenant data isolation via cluster_id namespace prefixing
  • No plaintext secrets in logs, environment variables, or client-side code

Infrastructure

  • Core engine: Rust binary with zero runtime dependencies — no npm, no pip, no system libraries
  • Embedded database (redb): MVCC, crash-safe, no external database to configure or secure
  • Platform: Deployed on Vercel Edge + Supabase (SOC 2 certified infrastructure)
  • All connections to the core engine are outbound-only from the platform proxy
  • Rate limiting at the API gateway layer prevents resource exhaustion

Data Privacy

  • Your data never leaves your Aletheia instance. For the self-hosted core engine, no telemetry is sent anywhere.
  • For Platform users: data is stored in your dedicated cluster with namespace isolation. No cross-tenant access.
  • We never use customer data for training, benchmarking, or product improvement without explicit opt-in.
  • GDPR compliant: data export and deletion available via API. Contact for Data Processing Agreement (DPA).

Compliance

  • SOC 2 Type 2 certification in progress (auditor: Vanta). Expected completion Q3 2026.
  • GDPR compliant data processing. Standard Contractual Clauses available.
  • HIPAA: Configurable for HIPAA compliance via self-hosted deployment. BAAs available for enterprise.
  • Open source core engine (Apache 2.0): full code auditability. No black boxes.

Data Protection

  • Data Processing Agreement (DPA): Available on request for all paid plans. Contact trust@aletheiadb.com.
  • Data export: Full data export via API or engine CLI tools. No lock-in.
  • Data deletion: Hard delete via API. Soft delete with retention period configurable per cluster.
  • Breach notification: 72-hour SLA for enterprise customers. Public status page at status.aletheiadb.com.

Need a Security Review?

We provide security questionnaires, penetration test summaries, and architecture diagrams for enterprise procurement.

Request Security Package