
Encryption

Your secrets are encrypted at rest with AWS KMS, sessions are secured with per-tenant HMAC, and all traffic is encrypted in transit with TLS.

KMS-encrypted secrets

Your AI provider keys, channel tokens, and other sensitive configuration are encrypted using AWS KMS before being stored in DynamoDB. Each encryption operation uses a unique data key. Secrets are never stored in plaintext, never in environment variables, and never in container images.

Per-tenant HMAC sessions

Each workspace uses its own HMAC secret for session signing. Compromising one tenant's session key has zero impact on other tenants. Session secrets are generated using cryptographically secure random bytes.
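A minimal sketch of per-tenant session signing as described above. It is an added example, not Alpha Agent's code; the token layout, function names and the in-memory `TENANT_KEYS` store are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

# Hypothetical in-memory key store; a real service would load these from
# an encrypted secret store rather than keep them in process memory.
TENANT_KEYS = {}

def provision_tenant(tenant_id):
    """Give the tenant its own 256-bit signing secret from the OS CSPRNG."""
    TENANT_KEYS[tenant_id] = secrets.token_bytes(32)

def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_session(tenant_id, user, ttl=3600, now=None):
    """Return 'payload.tag'. The tenant id is part of the signed payload."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"tid": tenant_id, "sub": user, "exp": now + ttl},
                         sort_keys=True).encode()
    tag = hmac.new(TENANT_KEYS[tenant_id], payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(tag)

def verify_session(tenant_id, token, now=None):
    """Return the claims if the token is valid for this tenant, else None.

    tenant_id must come from the request context (for example the host
    name), never from the token, so the token cannot choose its own key.
    """
    now = int(time.time()) if now is None else now
    key = TENANT_KEYS.get(tenant_id)
    try:
        body, tag = token.split(".")
        payload, given = b64d(body), b64d(tag)
    except ValueError:                      # wrong shape or bad base64
        return None
    if key is None:
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):   # constant-time compare
        return None
    claims = json.loads(payload)            # parsed only after the MAC checks out
    if claims.get("tid") != tenant_id or claims.get("exp", 0) <= now:
        return None
    return claims
```

A token signed with one tenant's secret fails verification under any other tenant's secret, which is the isolation property the paragraph describes.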

TLS everywhere

All traffic between your browser and Alpha Agent is encrypted with TLS 1.2+. HSTS headers are set with a 1-year max-age. Per-user wildcard certificates are provisioned automatically via ACM.

Encrypted backups

Nightly workspace backups are stored in S3 with server-side encryption (AES-256). Each user's backup is stored in an isolated S3 prefix, with IAM policies preventing cross-user access.

Questions about our encryption?

Contact us for detailed security documentation.
