Security FAQs

Want to learn more about how we handle security best practices at Alloy? See our FAQ below. If you still don't see the answer you're looking for, be sure to contact your support rep.

You can also visit our security page here to learn more.


What is SOC 2?
SOC 2 is a report based on the Auditing Standards Board of the American Institute of Certified Public Accountants' (AICPA) existing Trust Services Criteria (TSC). The purpose of this report is to evaluate an organization’s information systems relevant to security, availability, processing integrity, confidentiality, and privacy.

What is the Alloy SOC 2 Report?
Alloy's annual SOC 2 report tests our controls to ensure we are in continuous compliance with SOC 2 requirements. This means ensuring that our systems are secure and safe and that our personnel follow a set of security best practices.

Are you SOC 2 Type I and II compliant?
Yes!

How can I view the Alloy SOC 2 report?
Contact your account rep to request a copy of the Alloy SOC 2 Report.

Is an NDA required to receive Alloy SOC reports?
Yes, an NDA is required to review the Alloy SOC 2 reports. Please contact us to begin the process.

Where are your data centers located?
Alloy is hosted on the AWS Cloud. Our primary data center is hosted in the US region.

How can I request specific merchant data be deleted in Embedded?
We provide compliance endpoints, which are described in more detail in our API reference. These endpoints allow you to search for a specific user and wipe all data from Alloy servers for that account.

Do you have an SLA?
Yes! We have a standard SLA which is available here. If you require a custom SLA, please contact your account rep to discuss options for an additional fee.

How scalable is your infrastructure?
Very scalable. Don't believe us? We count companies as large as Amazon and Burberry among our customers. We've processed billions of API requests through our servers. We invest heavily in infrastructure at Alloy. You can read more about our infrastructure in our SOC 2 Report.

How is data stored at rest?
All data is encrypted at rest using bank-level AES-256 encryption. All information is encrypted in transit with TLS/SSL. We've received an A score from Qualys SSL Labs.

How can I ensure that an outgoing request from Alloy is really coming from Alloy and not being spoofed?
We provide an RSA signature that you can reconstruct and verify against our public key. This lets you confirm that outgoing requests are coming from Alloy.

Do you support SSO?
Yes! We support Google and Shopify Single Sign On (SSO).

How do you internally audit code at Alloy?
We audit code in a number of ways to reduce the chance that bugs are ever seen in production: every line of code undergoes peer review and has to pass a battery of automated test cases, manual quality assurance, and static code analysis.

Do you undergo penetration tests?
Yes! We regularly undergo penetration tests to ensure our ongoing SOC 2 compliance and work to quickly remedy any penetration test findings.
