1. Our Security Commitment
At Allies, we understand that the data you entrust to us is deeply personal — custody schedules, court orders, financial records, and private communications about your children. Protecting this information isn't just a feature; it's foundational to everything we do.
We employ multiple layers of security controls, follow industry best practices, and partner with security-certified infrastructure providers to ensure your data remains safe, private, and accessible only to those you authorize.
2. Data Encryption
2.1 Encryption in Transit
All data transmitted between your device and our servers is encrypted using TLS 1.3, the latest and most secure transport layer security protocol. This includes:
- Messages between coparents
- Document uploads and downloads
- Video and voice calls
- API communications
- Authentication credentials
2.2 Encryption at Rest
Data at rest is protected by AES-256 encryption at the infrastructure level, provided by our cloud platform. This is the same standard used by financial institutions and government agencies. This protection covers:
- Database records (messages, schedules, expenses)
- Uploaded files and documents
- Backups and archives
Sensitive credentials such as financial account tokens receive additional application-level AES-256-GCM encryption, with a unique initialization vector (nonce) generated for every encryption operation.
3. Authentication & Access Control
3.1 Multi-Factor Authentication
We support multiple authentication methods to secure your account:
- Email verification: Account verification via one-time codes sent to your email
- TOTP-based MFA: Time-based one-time passwords for two-factor authentication
- Biometric authentication: Face ID, Touch ID, and fingerprint unlock
- OAuth providers: Sign in with Google or Apple for enhanced security
- Session management: View and revoke active sessions from any device
3.2 Biometric Security
When you enable biometric authentication (Face ID, Touch ID, or fingerprint), your biometric data is processed and stored exclusively on your device using secure hardware enclaves provided by Apple and Google. We never receive, transmit, or store your biometric data on our servers.
3.3 Role-Based Access Control
Access to data within Allies is governed by strict role-based permissions. Users can only access data they are authorized to see:
- Coparents: Full access to shared family data
- Step-parents/Guardians/Children: Configurable access based on family preferences
- Children: Read-only calendar access, no messaging
- Professionals: Limited access to specific families who grant permission, with full audit logging
4. Infrastructure Security
4.1 Secure Cloud Infrastructure
Our infrastructure is hosted on enterprise-grade cloud platforms that maintain rigorous security certifications:
- Hosted on SOC 2 Type II certified platforms — Our infrastructure providers (Supabase, Stream, Stripe) undergo annual third-party security audits
- ISO 27001 certified infrastructure — Our cloud platform partners maintain international information security certification
- GDPR-aligned practices — Data deletion rights, consent management, and Standard Contractual Clauses for international data transfers
- Privacy-first architecture — Heightened safeguards for sensitive family information including court documents and financial records
4.2 Network Security
Our infrastructure providers deliver enterprise-grade network protection:
- Firewall protection: Network-level firewalls filter malicious traffic
- DDoS mitigation: Automatic protection against distributed denial-of-service attacks via our CDN and hosting providers
- Intrusion detection: Continuous infrastructure monitoring for suspicious activity
- Regular security scans: Automated vulnerability scanning of our infrastructure
4.3 Data Isolation
Family data is logically isolated using row-level security policies. Even within our database, each family's data is accessible only through authenticated requests from authorized users. Our team cannot access your data without explicit authorization and a documented support reason.
5. Application Security
5.1 Secure Development Practices
- Security-first development: Security requirements are part of every feature design
- Code review: All code changes undergo peer review with security considerations
- Automated security scanning: CI pipeline includes security checks for vulnerabilities
- Dependency scanning: Automated alerts for vulnerabilities in third-party libraries
- OWASP compliance: We follow OWASP guidelines to prevent common vulnerabilities (SQL injection, XSS, CSRF)
5.2 Message Integrity
Messages sent through Allies are designed to be tamper-resistant for potential court use:
- Immutable records: Sent messages cannot be edited or deleted
- Timestamping: All messages have cryptographically verifiable timestamps
- Audit trails: Complete history of actions, access, and changes
- Read receipts: Verifiable delivery and read confirmations
5.3 API Security
- JWT authentication: Secure, time-limited tokens for all API requests
- Rate limiting: Protection against brute-force and abuse
- Input validation: All user input is validated and sanitized
- CORS policies: Strict cross-origin resource sharing controls
6. Data Protection & Privacy
6.1 Data Minimization
We collect only the data necessary to provide our services. We don't sell your data, serve ads, or use your information for purposes beyond operating Allies.
6.2 Data Retention
- Active accounts: Data retained while your account is active
- Account deletion: Personal data deleted within 30 days of account closure
- Backups: Removed from backups within 90 days
- Legal holds: Data subject to legal proceedings is retained as required
6.3 Data Backup & Recovery
- Automated backups: Daily encrypted backups of all data
- Geographic redundancy: Backups stored in multiple secure locations
- Point-in-time recovery: Ability to restore data to any point in time
- Disaster recovery: Tested recovery procedures for business continuity
7. Security Monitoring
We combine infrastructure-level monitoring from our cloud providers with application-level security controls:
- Infrastructure monitoring: Continuous automated monitoring provided by our cloud platform partners
- Rate limiting: Application-level protection against abuse, with per-user and per-endpoint throttling
- Audit logging: Tamper-evident, hash-chained logs of all data access and modifications
- Professional access auditing: Every action by professionals is logged with user, timestamp, and data accessed
8. Incident Response
Despite our best efforts, no system is completely immune to security incidents. We have a documented incident response plan that includes:
- Detection: Automated alerts and manual review procedures
- Containment: Immediate isolation of affected systems
- Investigation: Thorough analysis to understand scope and impact
- Notification: Affected users notified within 72 hours of confirmed breach
- Remediation: Fixes implemented and verified
- Post-incident review: Lessons learned to prevent future incidents
9. Employee Security
We implement security practices appropriate to our team and stage of growth:
- Principle of least privilege: Team members have access only to data and systems required for their role
- Security awareness: Team members are trained on security best practices and data handling
- Encrypted devices: All development devices use full-disk encryption
- Access reviews: Periodic audits of team access permissions
- No direct data access: Customer data is accessible only through authenticated, logged channels
10. Third-Party Security
We carefully vet all third-party services and require them to meet our security standards:
- SOC 2 Type II certification or equivalent
- Contractual data protection obligations
- Regular security assessments
- Data processing agreements compliant with privacy regulations
11. Your Role in Security
Security is a shared responsibility. Here's how you can help protect your account:
- Use a strong password: Or better yet, sign in with Google or Apple
- Enable biometric authentication: Add Face ID or fingerprint for extra protection
- Keep your devices secure: Use device passcodes and keep software updated
- Be cautious with shared devices: Always log out when using shared computers
- Report suspicious activity: Contact us immediately if you notice anything unusual
- Don't share credentials: Never share your login information with anyone
12. Reporting Security Issues
If you discover a security vulnerability or have concerns about the security of Allies, please contact us immediately:
- Security team: security@alliesapp.com
- Response time: We acknowledge security reports within 24 hours
We appreciate responsible disclosure and will work with security researchers to address any legitimate vulnerabilities. We do not pursue legal action against researchers who act in good faith.
13. Questions?
If you have questions about our security practices, please contact us at security@alliesapp.com or support@alliesapp.com.