Security
Practical, defensible defaults — not a checklist of marketing buzzwords.
Encryption everywhere
All traffic to and from alifTeams is served over TLS 1.2+. Data at rest in PostgreSQL is stored on encrypted volumes; uploaded files are encrypted at rest in our object storage. Backups are encrypted with separate keys.
Authentication
Passwords are hashed with bcrypt (cost 12). Sessions are issued as short-lived JWTs in httpOnly, SameSite=Lax cookies. Pro plans support SAML / OIDC single sign-on. Email verification is required for posting on production deployments.
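A check a customer or reviewer could run against a captured `Set-Cookie` header to confirm the cookie attributes and token lifetime described above. This is an added example, not alifTeams code: the cookie name `session`, the 15-minute lifetime ceiling, the `iat`/`exp` claims and the extra `Secure` check are assumptions, and the sample cookies are constructed.

```python
import base64
import json

MAX_LIFETIME_S = 15 * 60  # assumption: the page says "short-lived" without a figure

def b64url_json(segment):
    """Decode one unpadded base64url JWT segment into a Python object."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, lower-cased attribute dict)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs

def audit_session_cookie(header, max_lifetime_s=MAX_LIFETIME_S):
    """Return a list of findings; an empty list means the cookie matches the policy."""
    _, value, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if attrs.get("samesite", "").lower() != "lax":
        findings.append("SameSite is not Lax")
    if "secure" not in attrs:  # not stated on the page; expected on a TLS-only service
        findings.append("missing Secure")
    try:
        # Claims are read without verifying the signature: this audits policy, not trust.
        claims = b64url_json(value.split(".")[1])
        lifetime = claims["exp"] - claims["iat"]
    except (IndexError, KeyError, TypeError, ValueError):
        findings.append("value is not a JWT with iat/exp claims")
    else:
        if lifetime > max_lifetime_s:
            findings.append(f"token lifetime {lifetime}s exceeds {max_lifetime_s}s")
    return findings

def sample_cookie(lifetime_s, flags):
    """Build a constructed Set-Cookie header carrying a JWT-shaped value."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    claims = {"sub": "member-1", "iat": 1700000000, "exp": 1700000000 + lifetime_s}
    token = ".".join([enc({"alg": "HS256", "typ": "JWT"}), enc(claims), "constructed-sig"])
    return f"session={token}; Path=/; {flags}"

if __name__ == "__main__":
    print(audit_session_cookie(sample_cookie(600, "HttpOnly; SameSite=Lax; Secure")))
    print(audit_session_cookie(sample_cookie(86400, "SameSite=None; Secure")))
```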
Workspace isolation
Every API call is scoped to the requesting workspace member. Cross-tenant access is denied at the query layer — even an admin in one workspace cannot read another workspace's messages, files, or task lists.
AI agents
Prompts sent to AI agents are mediated by our LLM gateway and forwarded to model providers (OpenAI, Anthropic, Google) under contracts that prohibit training on your data. We log token counts and costs for billing, but we never sell prompts or completions.
Data residency & retention
Primary regions today are US-East, Frankfurt, and Singapore. Pro plans let workspace owners select their region at creation. Free-tier workspaces retain 60 days of message history; paid tiers retain everything until the workspace is deleted (data from deleted workspaces is purged within 30 days).
Backups & disaster recovery
We take daily encrypted PostgreSQL backups with 30-day retention. Quarterly restore drills verify the integrity of the backup chain.
Vulnerability disclosure
If you find a security issue, please email security@alifteams.app. We acknowledge reports within 48 hours and we credit researchers (with permission) in our security log.