Your construction documents contain sensitive commercial information. Protecting them is fundamental to everything we build.
Governance
Compliance is managed through Vanta, with a dedicated Technical Security Lead overseeing all security operations.
Our security policies are based on the following foundational principles:
Access is limited to only those with a legitimate business need, enforced through role-based access control.
Security controls are layered across network, application, and data tiers — no single point of failure.
Each organisation’s data is completely isolated at the database level. Cross-tenant access is architecturally impossible.
Security controls are iterative, continuously maturing through monitoring, scanning, and incident response.
Alloovium is currently pursuing SOC 2 Type I and ISO 27001 certification. Our compliance program is managed through Vanta, enabling continuous monitoring of our security controls and automated evidence collection.
Alloovium runs on AWS in the ap-southeast-2 (Sydney, Australia) region, using serverless containers on ECS Fargate with multi-AZ load balancing. Our infrastructure is designed with network segregation as a core principle.
Staging and production environments are completely separate — different databases, credentials, queues, secrets, and load balancers. A compromise in staging cannot affect production data.
Content Security Policy (CSP) with nonce-based scripts, X-Frame-Options: DENY, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy disabling camera, microphone, and geolocation.
Pattern-based detection for SQL injection, XSS, path traversal, and command injection. Request size limits enforced. File upload endpoints validated.
Tiered rate limiting is configurable via environment settings: auth endpoints have a higher threshold to accommodate frequent status checks, and standard, ingestion, chat, and search routes each have separate limits.
No wildcard CORS origins in production — only alloovium.com domains allowed. Host header validation prevents injection attacks.
On every deployment, our application validates security settings at startup — CORS origins, JWT configuration, rate limiting, and auth settings. If any check fails, the application refuses to start.
Enterprise-grade authentication via Clerk with support for email/password, Google, and Microsoft SSO. Optional two-factor authentication (TOTP) with backup codes.
Four role levels — Admin, Manager, Member, Viewer — with row-level security at the database layer. All API requests scoped to the authenticated user’s organisation.
JWT verification (RS256) via JWKS on every API request. JWT secrets enforced to minimum 64 characters. Production startup validation blocks misconfigured deployments.
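A fail-closed startup check of the kind described in the startup-validation and JWT paragraphs above could look like the following. This is an added illustration, not Alloovium's code: the setting names (`CORS_ORIGINS`, `JWT_ALGORITHM`, `JWKS_URL`, `JWT_SECRET`, `RATE_LIMIT_ENABLED`, `AUTH_REQUIRED`) and the HTTPS-only rule are assumptions.

```python
# Added illustration: setting names are hypothetical, not Alloovium's configuration.
from urllib.parse import urlparse

ALLOWED_DOMAIN = "alloovium.com"   # from the page: only alloovium.com domains
MIN_JWT_SECRET_LEN = 64            # from the page: minimum 64 characters


class StartupValidationError(RuntimeError):
    """Raised so the process exits before it can serve traffic."""


def cors_origin_ok(origin: str) -> bool:
    """Accept only exact https origins on the allowed domain or its subdomains."""
    if "*" in origin:
        return False
    parsed = urlparse(origin)
    host = parsed.hostname or ""
    # Compare on a dot boundary so "alloovium.com.evil.example" does not match.
    return parsed.scheme == "https" and (
        host == ALLOWED_DOMAIN or host.endswith("." + ALLOWED_DOMAIN))


def validate_settings(s: dict) -> list[str]:
    """Return every failed check, so one run reports all misconfigurations."""
    errors = []
    origins = s.get("CORS_ORIGINS") or []
    if not origins:
        errors.append("CORS_ORIGINS is empty")
    errors += [f"CORS origin not allowed: {o!r}"
               for o in origins if not cors_origin_ok(o)]
    if s.get("JWT_ALGORITHM") != "RS256":
        errors.append("JWT_ALGORITHM must be RS256")
    if not str(s.get("JWKS_URL", "")).startswith("https://"):
        errors.append("JWKS_URL must be an https URL")
    if len(s.get("JWT_SECRET") or "") < MIN_JWT_SECRET_LEN:
        errors.append("JWT_SECRET shorter than 64 characters")
    if not s.get("RATE_LIMIT_ENABLED"):
        errors.append("rate limiting is disabled")
    if not s.get("AUTH_REQUIRED"):
        errors.append("authentication is disabled")
    return errors


def enforce_at_startup(s: dict) -> None:
    """Call before binding the listener; any failure aborts the boot."""
    errors = validate_settings(s)
    if errors:
        raise StartupValidationError("; ".join(errors))
```

Collecting all failures before raising lets a blocked deployment report every misconfiguration in one log entry instead of one per restart.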
Continuous threat detection monitoring across CloudTrail logs, VPC Flow Logs, DNS logs, S3 data events, and RDS login activity.
Structured application logging with request tracing (request ID, user ID, tenant ID) across all services via CloudWatch. Sensitive data automatically excluded from logs.
Dependabot enabled for automated dependency and security scanning. Software composition analysis (SCA) identifies known vulnerabilities across our dependency chain. Regular dependency updates with security patches prioritised.
Documented incident response plan maintained in readiness. Dedicated security roles with clear escalation paths.
Your documents are your data. We never use customer documents to train AI models. All document processing happens within our secure infrastructure, and access is strictly limited to the authenticated users within your organisation.
Primary infrastructure hosted in Sydney, Australia (AWS ap-southeast-2). Document storage and databases remain in-region.
Documents served via time-limited pre-signed URLs with 15-minute expiry. No permanent public URLs are generated.
Deleted documents are removed from storage and search indexes. You can request complete account data deletion at any time.
We’re happy to discuss our security posture in detail. Reach out to our team for more information.