Security Policy

Security is not a feature at Algorei. It is a foundational principle. Every decision we make, from how we design our architecture to how our team accesses internal systems, is informed by a security-first mindset. We believe our clients deserve a platform they can trust with their business data and their customers' information.

We maintain a dedicated security practice that is responsible for continuous monitoring of our systems, responding to threats, reviewing our controls, and improving our security posture over time. Security is not a one-time configuration. It is an ongoing process of assessment, adaptation, and improvement.

We are transparent about our security practices and limitations. Where absolute guarantees cannot be made (as is the case for any internet-based system) we say so plainly. Our commitment is to take every reasonable step to protect the data entrusted to us and to respond quickly and honestly if something goes wrong.

Encryption in Transit. All data transmitted between your devices and the Algorei platform is encrypted using Transport Layer Security (TLS) version 1.2 or higher. We enforce HTTPS across all services and reject insecure connections. We do not support deprecated cryptographic protocols.

Encryption at Rest. Sensitive data stored within our systems (including client data, configuration data, and communication records) is encrypted at rest using industry-standard encryption algorithms. Encryption keys are managed with strict access controls and rotation policies.

Infrastructure Hardening. Our underlying infrastructure is configured according to security hardening standards. Unnecessary services, ports, and interfaces are disabled. Security patches and updates are applied promptly. Critical patches are deployed as a priority within 24 to 48 hours of availability.

Geographic Redundancy. Our platform is designed to operate across multiple geographic regions to ensure resilience and continuity. In the event of a regional failure, we have procedures in place to fail over to alternate regions to maintain service availability.

Network Security. We implement layered network security controls including firewalls, intrusion detection systems, and network segmentation. Traffic flowing in and out of our systems is monitored continuously for anomalies. Administrative access to our infrastructure is restricted to authorized personnel and is accessible only through encrypted, authenticated channels.

Least Privilege Principle. Access to production infrastructure is governed by the principle of least privilege: no individual or system is granted more access than is strictly necessary to perform their function. Access rights are reviewed regularly and revoked promptly when no longer required.

Secure Development Practices. Security considerations are integrated throughout our software development lifecycle. Our engineering team follows secure coding standards, conducts peer code reviews with a security lens, and receives ongoing training on common vulnerabilities and secure development techniques.

Vulnerability Assessments. We conduct regular security assessments of our application to identify and remediate vulnerabilities before they can be exploited. These assessments include both automated scanning and manual testing. Critical findings are addressed immediately; lower-severity issues are tracked and resolved on a defined schedule.

Input Validation & Output Encoding. Our application validates and sanitizes all user-supplied input before it is processed or stored. Output is encoded appropriately to prevent injection of malicious content. These controls are implemented systematically, not on a case-by-case basis.

Protection Against Common Vulnerabilities. Our security controls are designed to defend against the full spectrum of common web application vulnerabilities, including injection attacks, authentication flaws, data exposure risks, security misconfigurations, and cross-site scripting. We treat our application security program as a living practice that evolves alongside the threat landscape.

Dependency Management. We monitor the third-party libraries and dependencies used in our platform for known security vulnerabilities. When vulnerabilities are identified in dependencies, we assess their impact and apply patches or workarounds as quickly as possible.

Encryption Standards. We use strong, modern encryption algorithms for protecting data at rest and in transit. Our encryption implementations follow current industry best practices and are updated as standards evolve. Sensitive fields (including authentication credentials and payment-related data) are subject to additional layers of protection.

Data Classification. We classify data based on its sensitivity and apply appropriate handling controls for each classification level. Client business data, end-customer communication data, and authentication credentials are treated as the most sensitive category and receive the highest level of protection.

Client Data Segregation. Each client's data is logically segregated from other clients' data within our systems. Our architecture ensures that one client cannot access, view, or interfere with another client's data. This segregation is enforced at multiple layers of our platform, not solely at the application level.

Secure Deletion. When data is deleted (whether at your request, upon account termination, or at the end of our retention period) it is securely overwritten using methods that make recovery infeasible. Backups containing deleted data are purged within 30 days of the deletion event.

Backup & Recovery. We maintain encrypted backups of critical data and system configurations. Backups are tested regularly to verify their integrity and our ability to restore from them. Our recovery procedures are documented and tested to ensure we can restore services within defined timeframes following a data loss event.

Role-Based Access Control. Our platform implements role-based access control (RBAC), ensuring that users (both clients within the platform and Algorei staff accessing internal systems) can only access the data and functionality relevant to their role. Permissions are granted explicitly and are not inherited broadly.

Multi-Factor Authentication. Multi-factor authentication (MFA) is available for all Algorei platform accounts and is required for all internal Algorei team access to production systems and sensitive data. We strongly encourage all clients to enable MFA on their accounts to provide an additional layer of protection against unauthorized access.

Session Management. User sessions are managed securely. Sessions expire after periods of inactivity and upon logout. Session tokens are generated with sufficient entropy to resist guessing attacks and are invalidated server-side upon logout or suspected compromise.

Administrative Access. Administrative access to our production systems and client data is restricted to a minimal number of authorized Algorei personnel. All such access is logged and subject to audit. We do not access client data except as required to deliver the contracted services or to respond to a verified support request.

Access Reviews. We conduct regular reviews of access rights across our systems to ensure that permissions remain appropriate as roles change. Access is promptly revoked upon team member departure or role change.

AI System Safeguards. Our AI-powered features (including automated communication systems, conversation handling, and lead qualification) are designed with explicit boundaries on their behavior. AI systems are constrained to operate within the scope of their configuration and cannot take actions outside their defined parameters without explicit system triggers.

Call Recording & Transcript Security. Where our platform records calls or generates transcripts on your behalf, this data is encrypted in transit and at rest, stored with access controls matching the sensitivity of the content, and retained only for the period specified in our data retention policy. Access to recordings and transcripts is restricted to authorized users within your account.

Automated Communication Safeguards. All automated communication workflows are deployed only after explicit approval by the client. Our systems include rate limiting and anomaly detection to prevent automated communications from being sent at abnormal volumes or to unintended recipients. These safeguards are designed to protect both your business reputation and your end-customers from misconfigured automations.

Unauthorized Trigger Prevention. Automation workflows include authentication and validation controls to ensure that they can only be triggered by authorized sources and events. We implement strict input validation on all triggers to prevent injection-based attacks or spoofed events from activating your workflows without authorization.

Model & Content Guardrails. Our AI systems are configured with content guardrails to prevent the generation or transmission of harmful, inappropriate, or non-compliant content. These guardrails are evaluated and updated regularly to maintain alignment with acceptable use standards.

Detection & Identification. We operate continuous monitoring across our infrastructure and application layers. Alerts are configured to detect anomalous activity, unauthorized access attempts, and potential data compromise events. Our team investigates all security alerts promptly to determine whether an actual incident has occurred.

Containment. Upon confirming a security incident, our first priority is containment: preventing further damage or unauthorized access. Containment procedures may include isolating affected systems, revoking compromised credentials, blocking malicious traffic, or temporarily suspending affected services to protect data integrity.

Client Notification. In the event of a confirmed security incident that has affected (or is reasonably likely to have affected) your data, we will notify you within 72 hours of confirming the breach. Our notification will include: the nature of the incident, the categories of data affected, the likely consequences of the breach, and the measures we have taken or propose to take to address it. We will provide updates as our investigation progresses.

Regulatory Notification. Where applicable law requires notification of a data breach to regulatory authorities, such as under GDPR Article 33, we will fulfill this obligation within the required timeframes and in the required format. Where clients are data controllers, we will cooperate fully with your own notification obligations.

Remediation. Following containment, we investigate the root cause of the incident, remediate the identified vulnerability or gap, and implement additional controls to prevent recurrence. We document all incidents, our response actions, and the outcomes of our remediation efforts.

Post-Incident Review. After every significant security incident, we conduct a formal post-incident review to identify lessons learned and improvements to our processes, controls, and monitoring. The outputs of these reviews are incorporated into our security roadmap.

GDPR. Algorei is committed to compliance with the General Data Protection Regulation (GDPR) for clients and end-customers located in the European Economic Area and the United Kingdom. This includes maintaining lawful bases for processing, honoring data subject rights, implementing appropriate technical and organizational measures, and offering Data Processing Agreements upon request.

CCPA. For California residents, we comply with the California Consumer Privacy Act (CCPA) and its amendments. We do not sell personal information, we honor consumer rights requests, and we maintain the disclosures required by California law.

SOC 2 Alignment. While we have not yet completed a formal SOC 2 Type II audit, our security controls and practices are designed and operated in alignment with the SOC 2 Trust Services Criteria covering security, availability, processing integrity, confidentiality, and privacy. Pursuing a formal SOC 2 certification is part of our compliance roadmap.

Industry-Specific Compliance Support. We recognize that many of our clients operate in regulated industries with additional compliance requirements. For healthcare providers, we implement HIPAA-aligned data handling practices (including access controls, audit logs, and encryption standards consistent with HIPAA's Security Rule requirements) and will work with clients to execute a Business Associate Agreement (BAA) where applicable. Clients in other regulated industries should contact us to discuss their specific requirements before onboarding.

Compliance Reviews. We conduct internal compliance reviews on a regular basis to assess our adherence to applicable legal and regulatory requirements and to identify areas for improvement. Our compliance posture evolves alongside changes in the regulatory landscape.

We value the security research community and recognize its important role in helping organizations identify and address vulnerabilities. If you discover a security vulnerability in any Algorei system, we ask that you report it to us responsibly before disclosing it publicly.

How to Report. Submit your findings by email to contact@algorei.com with the subject line "Security Vulnerability Report." Please include a clear description of the vulnerability, the steps required to reproduce it, the potential impact, and any supporting evidence such as screenshots or proof-of-concept code. Please do not exploit the vulnerability beyond what is necessary to demonstrate its existence.

Our Response Commitment. We will acknowledge receipt of your report within 48 hours. We will keep you informed of our investigation progress and the steps we are taking to address the reported issue. We aim to resolve confirmed vulnerabilities as quickly as possible, with critical issues prioritized for immediate remediation.

Safe Harbor. Algorei will not pursue legal action against researchers who discover and report security vulnerabilities in good faith, provided they: (a) do not access, modify, or delete data beyond what is strictly necessary to demonstrate the vulnerability; (b) do not disrupt our services or negatively impact other users; (c) do not share vulnerability information with any third party before we have had the opportunity to address it; and (d) comply with all applicable laws in their jurisdiction while conducting their research.

Acknowledgment. We maintain an internal hall of fame acknowledging researchers who have contributed to improving our security. With your permission, we will recognize your contribution publicly. We do not currently offer financial bug bounties but are evaluating a formal program.

Security is a shared responsibility. While Algorei secures the platform and infrastructure, your cooperation is essential to maintaining the security of your account and your customers' data.

Credential Security. You are responsible for keeping your account credentials (including passwords and any API keys or access tokens) confidential and secure. Use strong, unique passwords for your Algorei account. Do not reuse passwords from other services. Never share your credentials with anyone who does not need access to your account, and never send credentials via unencrypted channels such as email or messaging apps.

Enable Available Security Features. We strongly encourage all clients to enable multi-factor authentication (MFA) on their Algorei account. This single step dramatically reduces the risk of unauthorized account access even if your password is compromised. Take advantage of any session management and access notification features available within the platform.

Report Suspicious Activity. If you notice any suspicious activity on your account (including unexpected logins, unfamiliar changes to your automation configurations, or communications sent that you did not authorize), please report it to us immediately at contact@algorei.com. Prompt reporting is essential to limiting the impact of any potential security incident.

Maintain Updated Information. Keep your billing contact, email address, and phone number current in your account settings. These details are critical for us to reach you quickly in the event of a security incident or suspicious account activity. Outdated contact information can significantly delay our ability to notify you.

Team Training. If you grant access to the Algorei platform to team members or employees, ensure they understand their security responsibilities, including protecting their credentials, recognizing phishing attempts, and reporting suspicious activity. Your team's security awareness is a critical component of your overall security posture. Promptly revoke access for team members who no longer require it.

Compliance with Acceptable Use. Your use of Algorei's services in compliance with our Acceptable Use Policy (detailed in the Terms of Service) is itself a security measure. Prohibited activities such as unauthorized access attempts and policy violations can create security risks for you, Algorei, and other clients. Compliance is expected and enforced.