AlertaCert
PricingSecuritySupport
Log inStart free
Technical security

How we protect your certificates

AlertaCert stores critical tax credentials. These are the specific technical measures we apply, without marketing euphemisms.

AES-256-GCM encryption at rest

All certificate files (.p12, .cer, .key, .pem) are stored encrypted with AES-256-GCM. Certificate passwords are never stored in plain text — they are encrypted before being written to the database.

Standard used by financial institutions and governments worldwide.

Authentication with access key (Passkey / WebAuthn)

AlertaCert supports biometric access keys (Face ID, fingerprint, Windows Hello) as a second factor of authentication. Access keys are resistant to phishing by design — they are never transmitted to the server.

Available on all plans. Administrators can require them for all team members.

Re-authentication for sensitive actions

High-risk actions — revealing password, downloading certificate, deleting, signing documents, managing members — require recent re-authentication. If your session is old, you will be asked to confirm your identity before proceeding.

Mitigates the risk of hijacked sessions even with an active session.

Role-based access control

Each organization has administrator and member roles. Members cannot invite users, change roles, delete customers, or cancel signing flows. Administrators control exactly which permissions are sensitive in their organization.

Real-time seat limit applied — no ghost access.

Immutable audit log

Each sensitive action — upload, download, password reveal, signing, deletion, role change — is logged to an audit log. The log has no INSERT policy for normal users: only the service client can write to it.

Administrators can filter the full history from Settings → Audit.

Rate limit on sensitive endpoints

Upload, download, signing, and authentication endpoints have rate limits per user. Excessive attempts are blocked before reaching the database.

The system fails openly in DB errors — never blocks legitimate users due to infrastructure errors.

Row-Level Security across the entire database

Each database table has RLS (Row-Level Security) enabled. One organization's data is inaccessible from another organization's queries, even if the same database instance is used.

Data isolation guaranteed at the database engine level, not just in application code.

Validation of files on upload

Each uploaded file is validated by magic bytes before storage. A file that is not valid DER/PKCS12 or PEM is rejected. No arbitrary files disguised as certificates are ever stored.

Downloads are served through a server-side proxy with Cache-Control: no-store.

Third-party infrastructure

AlertaCert does not operate its own servers. We trust certified infrastructure providers.

DatabaseSupabase (PostgreSQL) — managed infrastructure with automatic backups
StorageSupabase Storage — private buckets, signed access, RLS applied
AuthenticationSupabase Auth — short-lived JWT tokens
PaymentsStripe — AlertaCert never stores card data
MailResend — only notification metadata, no certificate content
TransportHTTPS mandatory on all endpoints. No HTTP exceptions.

What we never do

  • Sell or share certificate data with third parties
  • Store certificate passwords in plain text
  • Transmit certificate files to external services (except to encrypted storage)
  • Use advertising tracking cookies
  • Record file content — only metadata (name, type, expiration)

Did you find a vulnerability or have security questions?

support@alertacert.com