TRUST · SECURITY POSTURE

How we run security.

The public version of how we operate our own business, written so a buyer can evaluate us with the same rigour we ask of every other vendor. Last updated May 2026.

Alora Networks is a security company, so we hold our own operations to the standard we ask of every other vendor. What follows is the public version of how we run the security and operations of our own business.

If a control listed here is in flight rather than complete, we say so. Trust is built on what you do, not what you claim.


1. Hosting and Infrastructure

  • Website hosting: Cloudflare Pages. The Site is built as static HTML, CSS, and JavaScript and served from Cloudflare’s global edge network. There is no server-side execution path that touches user data on the public Site.
  • Email and document storage: Google Workspace, with two-factor authentication required on every account.
  • Internal tooling: Cloudflare Workers and Workers KV for ad-hoc service tooling. Self-hosted n8n on hardened infrastructure for workflow automation.
  • DNS and TLS: Cloudflare-managed DNS with DNSSEC enabled. TLS 1.3 with HSTS preload on all public hostnames. Email authentication: SPF, DKIM, and DMARC enforced at p=quarantine or stricter.
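The DNS and TLS bullet above describes two things a buyer can verify from the outside: a DMARC policy of quarantine or stricter, and HSTS preload on every public hostname. The following is an added example, not Alora's own tooling, of how such a check reads the published records; the records and header values it evaluates are constructed samples, not live DNS answers or responses from aloranetworks.com. The HSTS thresholds follow the public preload-list requirements (max-age of at least one year, includeSubDomains, preload).

```python
# Added example: evaluate DMARC records and HSTS headers against the posture
# stated on the page (DMARC p=quarantine or stricter, HSTS preload everywhere).
# All inputs below are constructed samples, not live lookups.

SAMPLE_DMARC_RECORDS = {
    "good.example": "v=DMARC1; p=reject; rua=mailto:dmarc@good.example; pct=100",
    "weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=50",
    "missing.example": "",
}

SAMPLE_HSTS_HEADERS = {
    "good.example": "max-age=31536000; includeSubDomains; preload",
    "short.example": "max-age=86400",
    "nosub.example": "max-age=63072000; preload",
}

# DMARC disposition policies ordered from weakest to strictest.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}

ONE_YEAR_SECONDS = 31536000


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' style record into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str, minimum: str = "quarantine") -> tuple:
    """Return (ok, reason) for a DMARC TXT record against a minimum policy."""
    if not record:
        return False, "no DMARC record"
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False, "not a DMARC1 record"
    policy = tags.get("p", "").lower()
    if policy not in POLICY_RANK:
        return False, f"unknown policy {policy!r}"
    if POLICY_RANK[policy] < POLICY_RANK[minimum]:
        return False, f"p={policy} is weaker than {minimum}"
    # pct defaults to 100; anything lower applies the policy to a sample only.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return False, "pct is not an integer"
    if pct < 100:
        return False, f"pct={pct} applies the policy to only part of mail"
    return True, f"p={policy} at pct={pct}"


def check_hsts(header: str, min_age: int = ONE_YEAR_SECONDS) -> tuple:
    """Return (ok, reason) for a Strict-Transport-Security header value."""
    if not header:
        return False, "no HSTS header"
    directives = [d.strip().lower() for d in header.split(";") if d.strip()]
    max_age = None
    for directive in directives:
        if directive.startswith("max-age="):
            try:
                max_age = int(directive.split("=", 1)[1])
            except ValueError:
                return False, "max-age is not an integer"
    if max_age is None:
        return False, "max-age missing"
    if max_age < min_age:
        return False, f"max-age={max_age} is below {min_age}"
    if "includesubdomains" not in directives:
        return False, "includeSubDomains missing"
    if "preload" not in directives:
        return False, "preload missing"
    return True, f"max-age={max_age} with includeSubDomains and preload"


def review_posture(dmarc_records: dict, hsts_headers: dict) -> dict:
    """Map each hostname to its DMARC and HSTS verdicts."""
    return {
        "dmarc": {host: check_dmarc(rec) for host, rec in dmarc_records.items()},
        "hsts": {host: check_hsts(hdr) for host, hdr in hsts_headers.items()},
    }


if __name__ == "__main__":
    for control, verdicts in review_posture(SAMPLE_DMARC_RECORDS, SAMPLE_HSTS_HEADERS).items():
        for host, (ok, reason) in verdicts.items():
            print(f"{control:5} {host:18} {'PASS' if ok else 'FAIL'}  {reason}")
```

To run it against a real hostname you would feed `check_dmarc` the TXT record at `_dmarc.<hostname>` and `check_hsts` the `Strict-Transport-Security` value from an HTTPS response; the checks themselves do no network I/O so they can sit in a test suite.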

2. Data Protection in Transit and at Rest

  • In transit: All public traffic is encrypted in transit over TLS 1.3. HTTP requests are redirected to HTTPS automatically.
  • At rest: Data stored in Google Workspace and Cloudflare-managed services is encrypted at rest using the providers’ default mechanisms (AES-256 or equivalent). Where we store additional operational data on self-hosted infrastructure, full-disk encryption is enabled.
  • Secrets management: API keys, credentials, and other secrets are stored in encrypted secret stores (Cloudflare environment bindings, 1Password). Secrets are never committed to source control.

3. Access Control

  • Principle of least privilege: Access to systems, customer data, and production infrastructure is scoped to the people who need it for their role. Shared accounts are not permitted.
  • Authentication: Every system that supports it requires two-factor authentication. Hardware keys are used where the system supports them.
  • Endpoint security: Workstations used to access customer data are full-disk encrypted, run reputable EDR (Huntress) and OS-level protections, and require auto-locking screensavers.
  • Offboarding: Access reviews are performed when team members change roles or leave. Tokens, accounts, and key access are revoked the same day.

4. Multi-Tenancy and Data Isolation

Customer data is logically segregated at the application and tenant level. We do not co-mingle customer datasets in shared tables or shared storage paths. Sample data, synthetic data, and customer data are separated.

We do not use customer data to train AI models. See Section 9 for full AI use disclosure.


5. Vulnerability Management

  • Public reporting: Outside researchers can report issues through our Responsible Disclosure policy. We acknowledge reports within 2 business days and triage them within 7.
  • Patch cadence: Critical patches are applied within 7 days for systems we operate. High-severity patches within 30. Dependency vulnerabilities surfaced by Dependabot or equivalent are reviewed weekly.
  • Penetration testing: Annual third-party penetration tests are planned as part of our SOC 2 readiness work (see Section 11). Until that’s in place, internal red-team testing is performed during major releases.

6. Logging and Monitoring

  • Application and access logs: Cloudflare access logs and Google Workspace audit logs are retained for at least 180 days.
  • Operational monitoring: Uptime and infrastructure monitoring via LibreNMS and Cloudflare analytics. Alerts route to on-call humans, not just email.
  • Anomaly detection: Failed-login alerts, geographic-anomaly alerts, and rate-limit anomalies on form submission paths are reviewed weekly.

7. Incident Response

We maintain a written incident response plan covering detection, containment, eradication, recovery, and post-incident review. Severity is classified P1 through P4 with response targets attached to each level.

Customer-impacting incidents are communicated to affected customers within 24 hours of confirmation, with a written post-incident report available within 10 business days.

Privacy breaches that meet the threshold under PIPEDA, Quebec Law 25, or applicable US state law are reported to the relevant regulators and to affected individuals as required by those laws. See Section 7 of our Privacy Policy for details.


8. Vendor Management and Sub-Processors

We maintain a deliberately small vendor footprint and review every new vendor before introducing them. Each sub-processor we use to operate the Site or deliver services is listed below, with the data they process and where it is processed.

Current sub-processors

  • Cloudflare — Website hosting (Cloudflare Pages), DNS, CDN, edge security, web analytics. Processes IP addresses and request metadata. Global edge network with US headquarters. Privacy policy.
  • Web3Forms — Form submission delivery. Receives name, email, company, message, and any other field submitted through a public form, and forwards the content to our inboxes. Processed in the US. Privacy policy.
  • Google Workspace — Email and document storage for aloranetworks.com mailboxes. Processes the content of inbound and outbound email, including form submissions delivered by Web3Forms. Global infrastructure with US headquarters. Privacy policy.
  • Ahrefs — SEO audit data source. Receives the website URL submitted to the SEO audit tool to produce technical and content analyses. Does not receive contact information. Singapore-headquartered with global infrastructure. Privacy policy.
  • SOCRadar — External threat intelligence platform used to produce the free threat assessment reports. Receives the domain submitted to /threat-assessment and returns dark-web mentions, leaked credentials, and exposed-asset analysis. United States. Privacy policy.

This list is dated below and reviewed every quarter. Material additions are reflected in this section and announced in the “Changes” entry at the bottom of the page.


9. AI Use Disclosure

We are an AI-driven operations company. We use AI as a core part of how we deliver services. We are explicit about where and how.

Where we use AI

  • Audit and assessment production. The free SEO audit and threat assessment reports are generated with a combination of third-party data feeds (Ahrefs, SOCRadar) and AI-assisted narrative generation. A human reviews every audit and assessment before it is sent to you.
  • Agent workflows we ship for customers. Agents we build for customer engagements use a combination of Anthropic (Claude), OpenAI, and locally hosted models. The model selection is documented per workflow and aligned to the cost-and-stakes profile of the sub-task.
  • Internal operations. AI assistance is used in software development, research, and content drafting for the Site itself. All public-facing copy is reviewed by a human before publication.

What we do not do with AI

  • We do not use customer data to train AI models. Our customer data is processed by AI providers under contracts that prohibit training on inputs.
  • We do not make automated decisions about you that have legal or similarly significant effects. Hiring, credit, eligibility, and similar decisions are not made by AI on this Site or in our services.
  • We do not represent AI-generated content as written entirely by a human. Where AI assisted significantly with a deliverable, we say so.

Your rights regarding AI

If you submit information through the Site and an AI processes it as part of producing your audit, assessment, or response, you have the same rights under privacy law as you would for any other processing: access, correction, deletion, and withdrawal of consent. See Section 9 of our Privacy Policy.


10. Business Continuity

  • Backups: Critical operational data is backed up on a daily schedule with offsite copies. Backup restoration is tested quarterly.
  • Provider redundancy: Our public Site is statically hosted on Cloudflare’s global edge, which provides geographic redundancy by design. We do not operate a single-region single-instance public site.
  • Operational handoff: Founder-led operations are documented in runbooks so that critical functions can be handed off in the event of an emergency.

11. Compliance and Frameworks

  • PIPEDA, Quebec Law 25, CASL, CAN-SPAM, CCPA / CPRA: Compliance is described in our Privacy Policy.
  • SOC 2 Type 1 readiness: In planning. We have selected an audit framework and are scoping the controls work. Target audit window will be communicated when locked.
  • ISO 27001: Not currently in scope.
  • GDPR: We do not actively market to EU residents. If a Site visitor from the EU submits a form, we will honour data-subject rights consistent with PIPEDA and the additional rights GDPR grants. A formal GDPR posture is on the roadmap if EU customer demand becomes material.

12. Employee Security

  • Background: All Alora team members complete a basic background check before access to customer environments.
  • Security training: Annual security and privacy training. Phishing-resistance training on a six-month cadence.
  • Confidentiality: All team members and contractors sign confidentiality and data-handling agreements before customer engagement work begins.

13. Data Processing Agreement

For customers who require a Data Processing Agreement (DPA) covering PIPEDA, CCPA, or other applicable privacy law, we maintain a standard DPA template. Contact [email protected] and we will share the current version. We are happy to negotiate reasonable amendments.


14. Changes

This page is reviewed and updated quarterly at minimum, and whenever a material change occurs to the security posture, the sub-processor list, or our AI use. The “Last updated” date in the page header reflects the most recent material change.

Notable history:

  • May 2026 — Initial publication.