Security at Altha

Your product data is sensitive. Here is how we protect it.

Last updated: February 2026

Data Protection

All data is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption. Database storage is hosted in Supabase's Frankfurt (eu-central-1) region, keeping your data within the European Union.

  • TLS 1.2+ encryption for all connections
  • AES-256 encryption at rest for database and file storage
  • Data residency in Frankfurt, Germany (EU)
  • Strict organization-level data isolation via Row Level Security (RLS)
  • Sensitive fields encrypted with pgcrypto (e.g., raw source text)

Authentication and Access Control

Authentication is handled by Clerk, a SOC 2 Type II certified identity provider. All access is scoped to organizations with role-based permissions.

  • Clerk-managed authentication with session tokens (not stored server-side)
  • Role-based access control: Admin, Editor, Viewer
  • Every API route verifies authentication and role server-side
  • Organization-scoped data: one organization cannot access another's data
  • No shared service accounts or API keys for user-facing queries

AI Processing

Altha uses Anthropic's Claude API for conversational product discovery and PRD analysis. AI processing requires explicit organization-level consent before any data is sent to Anthropic.

  • One-time organization-level consent required before AI processing
  • Document content is sent to Anthropic for processing but is not used for AI training
  • Anthropic does not retain your data after processing
  • All AI interactions are logged in the audit trail (action type only, no content)
  • AI-generated features require explicit user confirmation before creation

Infrastructure

Altha runs on Vercel (edge network) with Supabase (PostgreSQL) as the primary data store. Both providers maintain SOC 2 Type II compliance.

  • Vercel: edge deployment with automatic HTTPS, DDoS protection
  • Supabase: managed PostgreSQL with Row Level Security, automated backups
  • Upstash Redis: rate limiting and caching (serverless, encrypted)
  • Rate limiting on all write endpoints (per-user, per-endpoint)
  • Security headers: HSTS, Content-Security-Policy, X-Frame-Options (DENY), X-Content-Type-Options, Referrer-Policy, Permissions-Policy
  • Sentry error tracking with user content stripped from reports

GDPR Compliance

Altha is built with GDPR compliance as a core requirement. All data processing follows the principles of data minimization and purpose limitation.

  • Data portability (Article 20): export all organization data as JSON from settings
  • Right to erasure (Article 17): delete all organization data from settings (admin only)
  • Cookie banner: essential cookies only, no tracking or analytics cookies
  • AI processing consent: explicit opt-in required per organization
  • Audit log anonymization: user IDs replaced with 'deleted_user' on account deletion
  • Data Processing Agreements (DPAs) signed with all sub-processors

Audit Logging

Every data mutation in Altha is recorded in an append-only audit log. Audit logs capture the action type, entity type, user ID, and timestamp. They never contain user-generated content such as feature titles, PRD text, or chat messages.

  • Append-only: no UPDATE or DELETE policies on audit logs
  • Every mutation logged: feature creation, dependency changes, settings updates
  • No user-generated content in logs (entity IDs and action types only)
  • Organization-scoped: logs are isolated per organization
  • Retained indefinitely (anonymized on account deletion)

Input Validation and Sanitization

All user input is validated and sanitized before storage. File uploads are verified by magic bytes, not just file extensions.

  • DOMPurify sanitization on all user-generated text before storage
  • File upload validation: magic byte verification for PDF, DOCX, Markdown, and text files
  • Figma URL allowlisting: only figma.com domains accepted
  • File size limits enforced server-side (10 MB maximum)
  • Input length constraints on all text fields (titles, descriptions, tags)
  • JSON schema validation on all API request bodies
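
The upload and URL checks listed above can be sketched as follows. This is an added example, not Altha's own code: the function names and the UTF-8 test for Markdown and text files (which have no magic bytes) are assumptions, and the DOCX check only confirms the ZIP container signature.

```javascript
// Added illustration (Node.js); not Altha's implementation. All names are hypothetical.
const MAX_BYTES = 10 * 1024 * 1024; // 10 MB maximum stated on the page

const SIGNATURES = {
  pdf: Buffer.from('%PDF-', 'latin1'),
  docx: Buffer.from([0x50, 0x4b, 0x03, 0x04]), // ZIP local file header ("PK\x03\x04")
};

// Markdown and plain text carry no signature: require valid UTF-8 with no NUL bytes.
function looksLikeText(buf) {
  if (buf.includes(0)) return false;
  try {
    new TextDecoder('utf-8', { fatal: true }).decode(buf);
    return true;
  } catch {
    return false;
  }
}

// Returns the verified type, or null when the content does not match the extension.
function verifyUpload(filename, buf) {
  if (buf.length === 0 || buf.length > MAX_BYTES) return null;
  const ext = filename.toLowerCase().split('.').pop();
  if (ext === 'pdf' || ext === 'docx') {
    const sig = SIGNATURES[ext];
    return buf.subarray(0, sig.length).equals(sig) ? ext : null;
  }
  if (ext === 'md' || ext === 'txt') {
    // Reject known binary formats that were renamed to .md or .txt.
    const binary = Object.values(SIGNATURES)
      .some((s) => buf.subarray(0, s.length).equals(s));
    return !binary && looksLikeText(buf) ? ext : null;
  }
  return null;
}

// Accept only https URLs whose parsed host is figma.com or a subdomain of it.
function isAllowedFigmaUrl(input) {
  let url;
  try { url = new URL(input); } catch { return false; }
  // Userinfo ("https://figma.com@other.example/") is refused outright.
  if (url.protocol !== 'https:' || url.username || url.password) return false;
  const host = url.hostname.toLowerCase();
  return host === 'figma.com' || host.endsWith('.figma.com');
}
```

Comparing the parsed hostname, rather than searching the raw string for "figma.com", is what rejects lookalike hosts such as figma.com.attacker.example.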

Sub-processors

Altha relies on the following third-party services to operate. Each maintains appropriate security certifications and has a signed Data Processing Agreement.

Provider    Purpose                                 Region
Supabase    Database and file storage               Frankfurt, EU
Anthropic   AI processing (Claude API)              US (no data retention)
Vercel      Application hosting and edge network    Frankfurt, EU (primary)
Clerk       Authentication and identity             US
Upstash     Rate limiting and caching (Redis)       EU
Sentry      Error tracking (no user content)        US

Security Reporting

If you discover a security vulnerability, please report it responsibly. We take all reports seriously and will respond within 48 hours.

Contact: security@altha.ai

Please include a detailed description of the vulnerability, steps to reproduce, and potential impact.
