AlertaCert
PricingBlogSecuritySupport
Log inStart free
Technical security

How we protect your certificates

AlertaCert stores critical tax credentials. These are the specific technical measures we apply, without marketing euphemisms.

AES-256-GCM encryption at rest

All certificate files (.p12, .cer, .key, .pem) are stored encrypted with AES-256-GCM following a two-tier key model: each file gets its own data encryption key (DEK), wrapped by a key encryption key (KEK) managed in AWS KMS. Certificate passwords are encrypted before being written to the database — not hashed, because they must be used operationally to load certificates.

KEK rotation enforced via AWS KMS. DEKs are re-wrapped on each rotation without exposing file contents.

Authentication with access key (Passkey / WebAuthn)

AlertaCert supports biometric access keys (Face ID, fingerprint, Windows Hello) as a second factor of authentication. Access keys are resistant to phishing by design — they are never transmitted to the server.

Available on all plans. Administrators can require them for all team members.

Re-authentication for sensitive actions

High-risk actions — revealing password, downloading certificate, deleting, signing documents, managing members — require recent re-authentication. If your session is old, you will be asked to confirm your identity before proceeding.

Mitigates the risk of hijacked sessions even with an active session.

Role-based access control

Each organization has administrator and member roles. Members cannot invite users, change roles, delete customers, or cancel signing flows. Administrators control exactly which permissions are sensitive in their organization.

Real-time seat limit applied — no ghost access.

Immutable audit log

Each sensitive action — upload, download, password reveal, signing, deletion, role change — is logged to an audit log. The log has no INSERT, UPDATE, or DELETE policy for any user or administrator: only the service client can append entries. Log entries are hash-chained — each entry includes the hash of the previous one, making silent tampering detectable.

Administrators can filter the full history from Settings → Audit.

Rate limit on sensitive endpoints

Upload, download, signing, and authentication endpoints have rate limits per user. Excessive attempts are blocked before reaching the database.

Security checks always fail closed — rate limits and auth checks are never bypassed due to infrastructure errors.

Row-Level Security across the entire database

Each database table has RLS (Row-Level Security) enabled. One organization's data is inaccessible from another organization's queries, even if the same database instance is used. Service-role keys are stored in secrets management, never in application code, and rotated regularly. Storage file URLs are signed with short-lived expiry windows and served through a server-side proxy — never long-lived or publicly guessable.

Data isolation guaranteed at the database engine level, not just in application code.

Validation of files on upload

Each uploaded file is validated by magic bytes before storage. A file that is not valid DER/PKCS12 or PEM is rejected. No arbitrary files disguised as certificates are ever stored.

Downloads are served through a server-side proxy with Cache-Control: no-store.

Third-party infrastructure

AlertaCert does not operate its own servers. We trust certified infrastructure providers.

DatabaseSupabase (PostgreSQL) — managed infrastructure with automatic backups
StorageSupabase Storage — private buckets, signed access, RLS applied
AuthenticationSupabase Auth — short-lived JWT tokens
Key ManagementAWS KMS — envelope encryption with DEK/KEK separation. Key rotation enforced. No plaintext keys in application config.
PaymentsStripe — AlertaCert never stores card data
MailResend — only notification metadata, no certificate content
TransportHTTPS mandatory on all endpoints. No HTTP exceptions.

What we never do

  • Access your certificate file contents without explicit AWS KMS authorization and a verifiable audit trail. Every decryption event requires deliberate KMS key usage — no background or silent access is architecturally possible.
  • Sell or share certificate data with third parties
  • Store certificate passwords in plain text
  • Transmit certificate files to external services (except to encrypted storage)
  • Use advertising tracking cookies
  • Record file content — only metadata (name, type, expiration)

Did you find a vulnerability or have security questions?

hello@alertacert.com