This page is designed for your security team's vendor review. It covers VPC isolation, encryption at rest and in transit, no prompt logging, compliance certifications, and responsible disclosure: everything you need to approve Alveare as a vendor.
Every Alveare customer deployment runs in an isolated Virtual Private Cloud (VPC) with private subnets. GPU instances that run inference have no public IP addresses and no direct internet access. All external communication passes through the API gateway, which handles TLS termination, authentication, rate limiting, and WAF filtering before traffic reaches the inference layer.
GPU instances are deployed in private subnets with security groups that only allow inbound traffic from the API gateway. There is no SSH access to production GPU instances. All management is performed through the orchestration layer, which operates on a separate management plane with its own authentication and audit logging.
EC2 instance metadata service v2 (IMDSv2) is enforced on all instances. This prevents SSRF attacks from accessing instance metadata, which would otherwise expose IAM role credentials. The hop limit is set to 1, preventing containers from accessing the host's metadata endpoint.
All external API communication uses TLS 1.3 with strong cipher suites. We do not support TLS 1.0, 1.1, or 1.2. The supported cipher suites are TLS_AES_256_GCM_SHA384 and TLS_CHACHA20_POLY1305_SHA256. Certificate pinning is available for Enterprise customers who require it.
Internal communication between hive components uses mutual TLS (mTLS) with certificates issued by an internal CA. Certificates are short-lived (24-hour validity) and rotated automatically. Certificate revocation is immediate through the internal CA.
All data at rest is encrypted using AES-256. This includes configuration data, cached model weights, audit logs, and any customer-configured persistent logging. Encryption keys are managed through AWS KMS with customer-managed keys (CMK) available for Enterprise customers.
Key rotation is automatic (annual) by default and configurable. Each customer has a unique encryption key. Key deletion follows a 7-day waiting period with recovery possible during that window.
By default, Alveare does not log the content of inference requests or responses. Request metadata is logged (timestamp, specialist, token count, latency, status code) but the actual prompt text and generated text are never persisted. If you enable optional request logging for debugging, logs are encrypted, stored in your dedicated boundary, and automatically purged after your configured retention period.
API keys are generated using a cryptographically secure random number generator (256 bits of entropy). Keys are never stored in plaintext. The stored representation is a SHA-256 hash of the key, salted with a unique per-key salt. This means that even if the key database were compromised, the actual API keys cannot be recovered.
Keys are prefixed with alv_live_ (production) or alv_test_ (sandbox) for easy identification. The full key is shown exactly once at creation time. If lost, it cannot be retrieved and must be revoked and replaced.
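The key scheme described above, sketched as an added example (not Alveare's code). The token encoding, the 16-byte salt, the salt-then-key concatenation and the record layout are assumptions; how a presented key is matched to its record is out of scope.

```python
import hashlib
import hmac
import secrets

# Prefixes are from the page; everything else about the layout is assumed.
PREFIXES = {"production": "alv_live_", "sandbox": "alv_test_"}


def issue_key(environment):
    """Return (full_key, record). The full key is shown once; only record is stored."""
    secret = secrets.token_urlsafe(32)  # 32 bytes = 256 bits from the OS CSPRNG
    full_key = PREFIXES[environment] + secret
    salt = secrets.token_bytes(16)      # unique per key (length is an assumption)
    digest = hashlib.sha256(salt + full_key.encode()).digest()
    record = {
        "environment": environment,
        "salt": salt,
        "digest": digest,               # no plaintext key anywhere in the record
        "revoked": False,
    }
    return full_key, record


def verify_key(presented, record):
    """Check a presented key against its stored salted hash."""
    if record["revoked"]:
        return False
    # A sandbox key must never authenticate against a production record.
    if not presented.startswith(PREFIXES[record["environment"]]):
        return False
    candidate = hashlib.sha256(record["salt"] + presented.encode()).digest()
    # Constant-time comparison avoids leaking how many digest bytes matched.
    return hmac.compare_digest(candidate, record["digest"])


def revoke(record):
    """A lost key cannot be recovered from the record, only revoked and replaced."""
    record["revoked"] = True
```

A fast hash is acceptable here only because the input is a 256-bit random value; the same construction would be unsuitable for human-chosen passwords.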
Rate limiting uses a token bucket algorithm applied per API key. Sustained and burst limits vary by plan tier. Rate limit state is stored in-memory with Redis fallback for distributed enforcement. The algorithm is designed to be fair: a key that has been idle accumulates burst capacity, while a key at sustained usage gets a predictable, steady rate.
| Plan | Sustained (req/s) | Burst (req/s) | Concurrent |
|---|---|---|---|
| Starter | 100 | 200 | 25 |
| Professional | 500 | 1,000 | 100 |
| Scale | 2,000 | 5,000 | 500 |
| Enterprise | Custom | Custom | Custom |
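A per-key token bucket using the plan numbers from the table, as an added example (not Alveare's implementation). Reading the "Burst" column as the bucket capacity is an assumption, and the Redis fallback is not modelled.

```python
# Plan numbers are from the page's table; treating "Burst" as the bucket
# capacity is an assumption of this example.
PLAN_LIMITS = {  # plan: (sustained refill in tokens/s, bucket capacity)
    "Starter": (100, 200),
    "Professional": (500, 1000),
    "Scale": (2000, 5000),
}


class TokenBucket:
    def __init__(self, rate, capacity, now):
        self.rate = rate
        self.capacity = capacity
        self.tokens = float(capacity)  # a new or long-idle key starts full
        self.updated = now

    def allow(self, now, cost=1.0):
        # Refill for the elapsed time, capped at capacity so idle time
        # can never bank more than one burst.
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.updated = max(self.updated, now)  # ignore a clock that steps back
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False  # caller rejects the request


class PerKeyLimiter:
    """In-memory state, one bucket per API key identifier."""

    def __init__(self):
        self.buckets = {}

    def allow(self, key_id, plan, now):
        bucket = self.buckets.get(key_id)
        if bucket is None:
            rate, capacity = PLAN_LIMITS[plan]
            bucket = self.buckets[key_id] = TokenBucket(rate, capacity, now)
        return bucket.allow(now)


def replay(limiter, key_id, plan, arrivals):
    """Count how many of the constructed arrival times (seconds) are admitted."""
    return sum(limiter.allow(key_id, plan, t) for t in arrivals)
```

Replaying 300 simultaneous requests on a Starter key admits 200; half a second later only 50 more tokens have refilled, and after a long idle period the bucket is back to 200 and no higher.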
The Alveare dashboard supports multi-factor authentication (MFA) via TOTP (Google Authenticator, Authy) and WebAuthn/FIDO2 (hardware security keys). Enterprise customers can configure SAML 2.0 SSO with their identity provider (Okta, Azure AD, OneLogin, etc.). Session tokens expire after 24 hours and are invalidated on password change.
Alveare's infrastructure runs on AWS. Under the shared responsibility model, AWS is responsible for the security of the cloud (physical infrastructure, hypervisor, network), and Alveare is responsible for security in the cloud (instance configuration, network policies, data encryption, access control). We maintain documented controls for every responsibility in our domain.
Alveare uses GPU spot instances for cost efficiency. Spot instances have identical security properties to on-demand instances -- same hypervisor, same network isolation, same encryption. When a spot instance is reclaimed, all GPU memory and local storage is wiped by the hypervisor before the hardware is reallocated. No customer data persists on reclaimed instances.
Annual audit by independent third-party firm. Report available under NDA for customers and prospects in the vendor review process.
Business Associate Agreements available for healthcare customers. Architecture designed for PHI handling with zero data exposure.
Data Processing Addendum (DPA) available. EU-region deployments for data residency. Data subject access and deletion rights supported via API.
Personal information processed only for inference. Never sold or shared. Deletion on request. DPA covers CCPA-specific requirements.
Information security management system certification in progress. Expected completion Q3 2026.
FedRAMP Moderate authorization planned for 2027. Contact sales for current government deployment options.
Alveare engages a third-party penetration testing firm to conduct annual security assessments of our infrastructure, API, and web applications. The scope includes network penetration testing, application security testing (OWASP Top 10), and cloud configuration review.
Penetration test reports are available under NDA for customers in the vendor review process. Contact security@alveare.ai to request the latest report.
We welcome responsible disclosure of security vulnerabilities. If you discover a vulnerability in Alveare's infrastructure or applications, please report it to security@alveare.ai. We commit to:
| Data Type | Stored? | Retention | Encryption |
|---|---|---|---|
| Inference prompt text | No (default) | Not retained | N/A |
| Inference response text | No (default) | Not retained | N/A |
| Request metadata | Yes | 30-365 days (by plan) | AES-256 |
| API key hashes | Yes | Until revoked + 90 days | AES-256 |
| Billing information | Yes (via PayPal) | Per PayPal policy | PCI DSS |
| Audit logs | Yes | 30-365 days (by plan) | AES-256 |
| Specialist configurations | Yes | Until deleted + 30 days | AES-256 |
| Response cache | Yes (temporary) | 1-24 hours (configurable) | AES-256 |
Optional request logging can be enabled per specialist for debugging purposes. When enabled, prompt and response text is stored encrypted in your dedicated boundary for the configured retention period (default: 7 days, max: 90 days), then permanently deleted.
Alveare maintains a documented incident response plan that covers security incidents, data breaches, and service disruptions. The plan follows the NIST incident response lifecycle: preparation, detection and analysis, containment, eradication and recovery, and post-incident activity.
Post-incident, we publish a root cause analysis (RCA) within 5 business days for any incident that affects customer data or service availability. RCAs include timeline, impact assessment, root cause, remediation actions, and preventive measures.
Contact our security team for SOC 2 reports, penetration test results, architecture documentation, or to schedule a security review call.