Security

Overview

Alphractal applies strict security and privacy standards to protect user data, accounts, and API access.
We use encryption, authentication, and scoped permissions to ensure that every integration and user action is verifiable and controlled.

Purpose

Security at Alphractal is designed to:

  • Protect user identities and API credentials.

  • Prevent unauthorised access or data exposure.

  • Maintain auditability for enterprise and institutional clients.

  • Comply with international data protection standards.

Account Security

Password Policy

  • Minimum of 10 characters, including both letters and numbers.

  • Periodic rotation is recommended.

  • Passwords are never stored in plain text.

Roles & Permissions

Alphractal supports role-based access control (RBAC) in all team workspaces.

Default roles

  Role      Access level
  Owner     Full control over workspace, billing, and API
  Admin     Manage members, dashboards, and reports
  Analyst   Read and create dashboards, alerts, and reports
  Viewer    Read-only access to dashboards and analytics

Roles can be updated at any time by workspace owners.

API Security

API Keys

  • All programmatic access uses API keys.

  • Keys are created in Account → API Keys.

  • Each key carries its own scope (read, write, or alerts).

  • Keys can be rotated or revoked at any time.

Good practices

  • Do not share keys publicly or include them in code repositories.

  • Use separate keys for production and testing.

  • Enable IP restrictions whenever possible.

IP Allowlists

  • Define which IPs are allowed to use your API key.

  • Requests from unlisted IPs are automatically rejected.

  • Recommended for institutional or automated systems.
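The two mechanisms above (per-key scopes and an IP allowlist), together with the salted-hash storage described under Encryption, can be modelled in a few dozen lines. The block below is an added illustration written for this page, not Alphractal's own code, and it assumes nothing about how the service is actually built: the scope names come from the page, while the key-ID format, the PBKDF2 hash choice, the CIDR allowlist representation, and the sample addresses (drawn from the RFC 5737 documentation ranges) are constructed for the example.

```python
"""Model of scoped API keys with IP allowlists and salted-hash storage (illustrative, not Alphractal's code)."""
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass

# Scope names as listed on the page; everything else here is an assumption.
VALID_SCOPES = frozenset({"read", "write", "alerts"})


@dataclass(frozen=True)
class StoredKey:
    key_id: str
    salt: bytes
    digest: bytes            # salted hash of the secret; the secret itself is never kept
    scopes: frozenset
    allowed_networks: tuple  # ipaddress networks; an empty tuple means no IP restriction


def _hash_secret(secret: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 is one reasonable salted hash; the page does not name the algorithm.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class ApiKeyStore:
    """In-memory stand-in for the server-side key table."""

    def __init__(self):
        self._keys = {}

    def issue(self, scopes, allowed_cidrs=()):
        """Create a key; the plaintext secret is returned once and only its hash is stored."""
        unknown = set(scopes) - VALID_SCOPES
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        key_id = "ak_" + secrets.token_hex(8)          # hypothetical ID format
        secret = secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        networks = tuple(ipaddress.ip_network(c, strict=False) for c in allowed_cidrs)
        self._keys[key_id] = StoredKey(key_id, salt, _hash_secret(secret, salt),
                                       frozenset(scopes), networks)
        return key_id, secret

    def get(self, key_id):
        return self._keys.get(key_id)

    def revoke(self, key_id):
        self._keys.pop(key_id, None)

    def rotate(self, key_id):
        """Replace a key with a fresh secret while keeping its scopes and allowlist."""
        old = self._keys.pop(key_id)
        return self.issue(old.scopes, [str(n) for n in old.allowed_networks])

    def authorize(self, key_id, secret, required_scope, client_ip):
        """Return (allowed, reason). Unknown keys, bad secrets, unlisted IPs and
        missing scopes are all rejected; the reason is for server-side logs only."""
        rec = self._keys.get(key_id)
        if rec is None:
            return False, "unknown or revoked key"
        # Constant-time comparison of the salted hash, so timing does not leak matches.
        if not hmac.compare_digest(_hash_secret(secret, rec.salt), rec.digest):
            return False, "bad secret"
        if rec.allowed_networks:
            ip = ipaddress.ip_address(client_ip)
            if not any(ip in net for net in rec.allowed_networks):
                return False, "ip not in allowlist"
        if required_scope not in rec.scopes:
            return False, "scope not granted"
        return True, "ok"


if __name__ == "__main__":
    store = ApiKeyStore()
    # Constructed sample: a read-only key restricted to a documentation-range subnet.
    kid, sec = store.issue({"read"}, ["203.0.113.0/24"])
    print(store.authorize(kid, sec, "read", "203.0.113.7"))
    print(store.authorize(kid, sec, "write", "203.0.113.7"))
    print(store.authorize(kid, sec, "read", "198.51.100.1"))
```

The checks are ordered so that a caller who fails authentication learns nothing about the allowlist or scopes, and the stored record holds only the salt and digest, which is what "never stored in plain text" requires in practice.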

Encryption

  • All API traffic is encrypted with TLS 1.2 or later.

  • Sensitive data is encrypted at rest using AES-256.

  • Keys and tokens are stored as salted hashes.

Data Protection & Compliance

  • All systems follow GDPR and Australian Privacy Principles (APP).

  • No user data is shared with third parties without consent.

  • Aggregated metrics and reports are anonymised by default.

  • Institutional clients can request data processing agreements (DPA).

  • Audit logs are available upon request for enterprise accounts.

Monitoring & Incident Response

  • Real-time monitoring for anomalies and suspicious behaviour.

  • Automated rate limiting and abuse detection on all endpoints.

  • Incident response plan in place, with 24/7 escalation for institutional clients.

  • Updates and maintenance notices are published on the Status Page.

Reporting Security Issues

We encourage responsible disclosure of vulnerabilities.
If you find a potential issue, contact our security team directly:

Email: security@alphractal.com
Response target: within 48 hours.
Critical incidents are prioritised and handled immediately.