Security Questionnaire

Does AluminatAI have a formal information security policy?

Yes. We maintain a written information security policy covering access control, incident response, vulnerability management, and acceptable use. The policy is reviewed annually.

Does AluminatAI conduct periodic security risk assessments?

Yes. We conduct internal security reviews quarterly and engage third-party assessors for penetration testing. We are pursuing SOC 2 Type I certification.

Is there a designated security owner or team?

Yes. A named security owner is responsible for the security program, policy compliance, and coordinating incident response.

Does AluminatAI have an incident response plan?

Yes. We maintain a written incident response plan covering detection, containment, eradication, recovery, and post-incident review. For breaches involving personal data, we follow GDPR 72-hour notification requirements.

How is data encrypted in transit?

All data in transit is encrypted using TLS 1.2 or higher. TLS 1.0 and 1.1 are disabled across all endpoints.

How is data encrypted at rest?

Data at rest is encrypted using AES-256, managed by Supabase. Database backups are also encrypted at rest.

What data does AluminatAI collect from customer infrastructure?

The monitoring agent collects only GPU telemetry: power draw (W), temperature (°C), utilization (%), memory used/total, and process-to-job mapping. It does not access model weights, training data, or filesystem contents.

How long is customer data retained?

By default, metric data is retained for 90 days. Enterprise customers can configure custom retention periods. Users may request deletion at any time via the dashboard or by emailing privacy@aluminatiai.com.

Does AluminatAI share customer data with third parties?

No customer data is sold or shared with third parties for advertising or analytics. Sub-processors (Vercel for hosting, Supabase for database, Resend for transactional email, Stripe for billing) are listed in the DPA.

Are database backups performed, and how are they secured?

Supabase performs automated point-in-time recovery (PITR) backups. Backups are encrypted at rest and stored in geographically redundant locations.

Is customer data logically isolated from other customers?

Yes. Row-Level Security (RLS) policies are enforced at the database layer. Each authenticated user can only read and write rows associated with their own account. Service-role credentials are never exposed to client-side code.

How are API keys secured?

API keys use the prefix "alum_" followed by 59 random characters from a 54-character charset, providing approximately 340 bits of entropy. Keys are stored as SHA-256 hashes in the database — never in plaintext.

Does AluminatAI enforce multi-factor authentication for internal systems?

Yes. Production database access and cloud console access require MFA for all authorized personnel.

Is the principle of least privilege applied to internal accounts?

Yes. Internal service accounts and personnel are granted only the minimum permissions required for their role. Access is reviewed periodically.

How are customer authentication sessions managed?

Customer sessions use Supabase Auth with secure HTTP-only cookies. Sessions expire after inactivity. Password resets use time-limited, single-use tokens.

Can enterprise customers use SSO / SAML?

SSO/SAML integration is available on the Enterprise plan, supporting Okta, Azure AD, and Google Workspace as identity providers.

How are API key rotations handled?

API key rotation is available via the dashboard (POST /api/user/profile with action: rotate_api_key). Rate-limited to 5 rotations per hour to prevent abuse. Old keys are invalidated immediately upon rotation.

Are there audit logs of access to sensitive operations?

Yes. All administrative actions (chargeback rate changes, API key rotation, report exports) are recorded in an immutable audit log retained for 90 days. Enterprise customers can retrieve logs via the API.

Where is AluminatAI infrastructure hosted?

The application is hosted on Vercel (SOC 2 Type II certified). The database is hosted on Supabase (SOC 2 Type II certified). No customer data is stored on developer laptops or unmanaged systems.

Does AluminatAI have a SOC 2 report?

AluminatAI is pursuing SOC 2 Type I certification. In the interim, our infrastructure sub-processors (Vercel and Supabase) hold SOC 2 Type II certifications, available upon request.

What HTTP security headers does AluminatAI set?

All responses include: Strict-Transport-Security (HSTS), X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, and a Content-Security-Policy.

How is the API protected against abuse?

Rate limiting is enforced at the API layer using a sliding-window algorithm: 100 requests/minute on the metrics ingest endpoint, 60 requests/minute on dashboard endpoints, and 5 API key rotations per hour.

Is there network segmentation between the application and database?

Yes. The application connects to the database via Supabase's managed connection pooling. Direct database access is restricted to authorized personnel over MFA-protected connections; it is not publicly accessible.

Does AluminatAI support high availability and disaster recovery?

The application tier is served from Vercel's globally distributed edge network. The database uses Supabase's managed HA configuration with PITR. Our target RTO is 4 hours and RPO is 1 hour.

How does AluminatAI validate input data from agents?

Server-side validation is applied to all ingested telemetry: power must be 0–1500 W, temperature must be 0–120 °C, and timestamps must fall within 5 minutes of the server clock. Out-of-range values are rejected with a 422 error.

Are Stripe webhook signatures verified?

Yes. All incoming Stripe webhook events are verified using Stripe's signature verification (stripe.webhooks.constructEvent) before any processing occurs.

How are dependencies managed and scanned?

Python agent dependencies are pinned to exact versions in requirements.txt. Node.js dependencies use npm with a lockfile. CI runs npm audit and pip-audit on every pull request.

Does AluminatAI conduct code reviews?

Yes. All changes to production code require a pull request review. Security-sensitive changes (auth, billing, data access) require explicit approval.

Is there a vulnerability disclosure program?

Yes. Researchers may report vulnerabilities to security@aluminatiai.com. We acknowledge within 2 business days and aim to resolve critical issues within 30 days. We credit researchers who disclose valid vulnerabilities.

How does AluminatAI protect against OWASP Top 10 vulnerabilities?

We apply defense-in-depth: parameterized queries prevent SQL injection, RLS enforces authorization at the DB layer, CSP and X-Frame-Options mitigate XSS/clickjacking, all user input is validated server-side, and dependencies are scanned for known CVEs.

What permissions does the monitoring agent require on host systems?

The agent reads GPU telemetry via NVML (NVIDIA Management Library). It runs as a dedicated non-root system user ("aluminatai") with minimal permissions. It does not require access to model weights, training data, or general filesystem contents.

How is the agent hardened when deployed via systemd?

The provided systemd unit applies: NoNewPrivileges=true, PrivateTmp=true, ProtectSystem=strict, ProtectHome=true, and RestrictSUIDSGID=true.

What happens if the agent loses network connectivity?

The agent uses a local Write-Ahead Log (WAL) to buffer metrics during outages. Upon reconnection, buffered metrics are uploaded with exponential backoff. No metrics are lost during temporary network interruptions.

Is mTLS supported for environments requiring mutual authentication?

Yes. The agent supports mTLS for environments that require mutual TLS authentication between the agent and the AluminatAI API.

Is the agent source code available for review?

Yes. The agent source code is published at github.com/aluminatai/agent under the MIT License.

Is AluminatAI GDPR compliant?

Yes. AluminatAI acts as a data processor for customer personal data. We offer a pre-signed Data Processing Agreement (DPA) covering GDPR Article 28 requirements, including sub-processor lists, data subject rights, and breach notification within 72 hours.

Does AluminatAI offer a Data Processing Agreement (DPA)?

Yes. A pre-signed DPA is available at aluminatiai.com/legal/dpa. Enterprise customers can request a countersigned copy by emailing sales@aluminatiai.com.

Does AluminatAI offer a Master Services Agreement (MSA)?

Yes. An MSA template is available to enterprise customers. Contact sales@aluminatiai.com to initiate the contracting process.

What is AluminatAI's uptime SLA for enterprise customers?

Enterprise customers receive a contractual 99.9% monthly uptime SLA for the API ingest endpoint and dashboard, with service credits for missed targets as specified in the SLA addendum.

Where can I find the current service status?

Real-time and historical status is available at aluminatiai.com/status. The status page polls the health endpoint every 30 seconds and checks the ingest endpoint availability.