Trust & Security

How AllyProof protects your data and maintains operational security.

Last updated: April 19, 2026

Hosting and Data Region

AllyProof infrastructure is hosted in the European Union. Our primary application servers run on Hetzner Cloud (Falkenstein and Nuremberg, Germany) using ARM-based virtual machines.

Database services are provided by Supabase with data stored in EU-based PostgreSQL instances. All data at rest remains within the EU unless you explicitly configure otherwise.

Static assets and edge caching are served via Cloudflare CDN with global points of presence.

Encryption and Transport Security

  • In transit: All connections use TLS 1.2 or higher. Cloudflare provides SSL termination with automatic certificate renewal. HTTP Strict Transport Security (HSTS) is enforced.
  • At rest: Database storage is encrypted using AES-256. Backups are encrypted before transfer to storage.
  • API keys: Stored as SHA-256 hashes. The original key value is shown once at creation and never stored.
  • Passwords: Hashed using bcrypt via Supabase Auth. We never store plaintext passwords.

Authentication and Session Security

  • Authentication is handled by Supabase Auth using the PKCE (Proof Key for Code Exchange) OAuth flow.
  • Email/password and Google OAuth sign-in are supported.
  • Sessions are managed via secure, HttpOnly cookies with automatic refresh.
  • Row Level Security (RLS) policies enforce multi-tenant data isolation at the database level — users can only access data belonging to their organization.
  • Role-based access control (RBAC) with three levels: Owner, Admin, Member. All restricted actions are enforced server-side.

Data Retention and Deletion

  • Account data: Retained for 30 days after account deletion request, then permanently removed.
  • Scan results: Retained as long as the site exists in your organization. Deleted within 30 days of site removal.
  • Activity logs: Retained for 90 days, then automatically purged.
  • AI processing: Violation data sent to the Anthropic API for fix suggestions is not retained by Anthropic for training. We do not send full page content — only violation metadata and HTML snippets.

Backup and Disaster Recovery

  • Database backups: Automated daily backups via Supabase with point-in-time recovery capability.
  • Report storage: Scan reports and VPAT documents are stored in Cloudflare R2 with cross-region redundancy.
  • Recovery time objective (RTO): Under 4 hours for full service restoration.
  • Recovery point objective (RPO): Under 24 hours (daily backup interval).

Vulnerability Disclosure / Security Contact

If you discover a security vulnerability in AllyProof, please report it responsibly:

  • Email: security@allyproof.com
  • Please include a description of the vulnerability, steps to reproduce, and any relevant screenshots or logs.
  • We will acknowledge receipt within 48 hours and provide an initial assessment within 5 business days.
  • We do not pursue legal action against security researchers who act in good faith.

Incident Response Contact

For active security incidents or data breach notifications:

  • Emergency: security@allyproof.com with subject line “INCIDENT”
  • General support: support@allyproof.com
  • We will notify affected customers within 72 hours of confirming a data breach, in accordance with GDPR Article 33.

Accessibility Testing Limitations

AllyProof uses automated scanning tools (axe-core, HTML_CodeSniffer) to detect accessibility issues. It is important to understand the limitations of automated testing:

  • Automated testing covers only part of accessibility conformance. Industry estimates suggest automated tools can detect approximately 30-57% of WCAG success criteria violations.
  • Automated scans cannot evaluate subjective criteria such as whether alt text is meaningful, whether content order is logical, or whether a user experience is truly accessible.
  • A clean automated scan does not guarantee full WCAG conformance. Manual expert testing, assistive technology testing, and user testing are also necessary.
  • VPAT documents generated by AllyProof are labeled DRAFT and must be reviewed by a qualified accessibility professional before being used for procurement or compliance purposes.
  • AllyProof does not provide legal advice. Scan results should not be interpreted as a legal compliance assessment.

Sub-Processors

AllyProof uses the following third-party services to deliver our product:

Service     Purpose                                  Data Region
Supabase    Database, authentication, file storage   EU
Hetzner     Application servers                      Germany
Cloudflare  CDN, DDoS protection, SSL, R2 storage    Global
Paddle      Payment processing (Merchant of Record)  UK/US
Anthropic   AI fix suggestions (Claude API)          US
Resend      Transactional email delivery             US