Security and Privacy
Aliveo AI is built with security and privacy as foundational principles, ensuring that customer data is protected at every layer of the architecture. Our approach includes strict data isolation, encryption, access controls, and continuous monitoring to maintain the highest standards of security.
Architecture and Network Isolation
Our platform defaults to a multi-tenant model but can also run single-tenant on request:
- Multi-Tenant (Default): Customers share a common VPC with logically isolated subnets (front-end APIs, application services, databases) enforced by strict NACLs and security groups. This delivers lower cost, faster onboarding, and centralized updates.
- Single-Tenant: Each customer gets its own VPC with separate subnets for front-end APIs, application services, and databases. Dedicated resources provide stronger isolation, no “noisy neighbors,” and full control over network policies—ideal for strict compliance or custom configurations.
Storage and Encryption at Rest
Persistent data resides in individual database instances or object storage buckets dedicated to each tenant. Ephemeral storage, such as cache volumes, also exists only within the customer’s VPC. All storage resources are encrypted using customer-managed keys (CMKs) via a Key Management Service (KMS), ensuring that data, backups, and snapshots remain encrypted. Key rotation is handled by the customer’s KMS policy, and Aliveo AI’s monitoring tools verify active key usage.
Encryption In Transit
External client-to-API communication uses HTTPS with a minimum of TLS 1.2, while internal service-to-service traffic is routed through a service mesh enforcing mutual TLS (mTLS). API gateways, ingress proxies, and database drivers are configured to require encrypted connections. If customers opt for private connectivity, network-layer encryption (IPsec or MACsec) provides an additional layer of protection.
Processing Layer and Access Controls
Compute workloads run in clusters, with each customer assigned a dedicated namespace or separate cluster. Container images undergo vulnerability scanning before deployment, and secrets are injected via a cloud provider’s encrypted secrets management service. Authenticated APIs enforce tenant-scoped requests using JSON Web Tokens (JWTs), ensuring that data operations are limited to the correct customer. IAM roles and service accounts follow the principle of least privilege: developers cannot access production data, operators cannot modify encryption settings, and auditors have read-only log access.
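The tenant-scoped JWT check described above, as an added example that is not Aliveo AI's code: a Python HS256 issuer and verifier using only the standard library, with a constructed signing secret (in a real deployment it would come from the secrets manager) and a constructed in-memory record store. The point it shows is that the tenant is taken from the verified token's `tenant_id` claim, the algorithm is pinned rather than read from the token, and a request naming a different tenant is refused instead of silently served.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed, hypothetical signing secret for this example only.
SIGNING_SECRET = b"example-hs256-secret-do-not-use"


class TokenError(Exception):
    """Raised when a token fails signature, algorithm, expiry or claim checks."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, tenant_id: str, secret: bytes, now: int, ttl: int = 900) -> str:
    """Mint an HS256 JWT that binds the caller to exactly one tenant."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "tenant_id": tenant_id, "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token: str, secret: bytes, now: int) -> dict:
    """Verify algorithm, signature and expiry; return the claims or raise TokenError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token's own 'alg' field must never choose the verifier.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so signature checking does not leak timing.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise TokenError("expired")
    if not claims.get("tenant_id"):
        raise TokenError("missing tenant_id")
    return claims


# Constructed multi-tenant store: records are keyed by the tenant that owns them.
RECORDS = {
    "tenant-a": [{"id": 1, "doc": "a-1"}, {"id": 2, "doc": "a-2"}],
    "tenant-b": [{"id": 3, "doc": "b-1"}],
}


def list_records(token: str, requested_tenant: str, now: int, secret: bytes = SIGNING_SECRET) -> list:
    """Tenant-scoped read: the effective tenant is the verified token's claim,
    and a request that names any other tenant is refused outright."""
    claims = verify_token(token, secret, now)
    if requested_tenant != claims["tenant_id"]:
        raise PermissionError("request targets a tenant the token is not scoped to")
    # Filter on the token's tenant, never on the caller-supplied parameter.
    return RECORDS.get(claims["tenant_id"], [])


if __name__ == "__main__":
    now = int(time.time())
    token = issue_token("alice", "tenant-a", SIGNING_SECRET, now)
    print("own tenant:", list_records(token, "tenant-a", now))
    try:
        list_records(token, "tenant-b", now)
    except PermissionError as err:
        print("cross-tenant request refused:", err)
```

The request parameter is only compared against the claim, never used as the lookup key, so a client that edits the tenant in a URL or body cannot widen its own scope; a forged or expired token is rejected before any data access happens.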