Trust

Security at every layer.

Authentication, encryption, compute isolation, and audit logging are built into every layer. Merchant data is never shared, exposed, or accessible beyond its owner.

Encryption

AES-256-GCM encryption for all data at rest. Per-tenant encryption keys derived from secrets managed in Google Secret Manager. TLS 1.3 for all data in transit. OAuth tokens encrypted before storage and never persisted in plaintext.

Encryption Matrix (4 layers)

layer            cipher            detail
Data at rest     AES-256-GCM       Per-tenant key derivation
Data in transit  TLS 1.3           Certificate pinning
OAuth tokens     AES-256-GCM       Encrypted before storage
Secrets          GCP Secret Mgr    Versioned, rotated

0 plaintext secrets · all encrypted

JWT Validation (req_a8f2c1)

algorithm   HS256          valid
audience    pod-acme-001   matched
issuer      alloy-auth     verified
expiry      300s TTL       active
signature   hmac-sha256    passed

5/5 checks passed · token accepted · 2ms

Authentication

Short-lived HS256 JWT tokens, signed per-request and audience-scoped to the pod ID. Every API call is validated against the token's audience, expiration, and issuer before any data is returned. Tokens are never reused across tenants.
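
The five checks listed above (algorithm, signature, issuer, audience, expiry), as an added example using only the Python standard library; it is not Alloy's code. The function names, the `iat`/`exp` claim layout used to enforce the 300s TTL, and the demo key are assumptions.

```python
import base64, hashlib, hmac, json, time

def _b64d(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Hypothetical issuer-side helper so the example has tokens to verify."""
    head = _b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(mac)}"

def verify_pod_token(token, key, pod_id, issuer="alloy-auth", max_ttl=300, now=None):
    """Return the claims if all five checks pass; raise ValueError naming the failed check."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header, mac = json.loads(_b64d(head)), _b64d(sig)
    except ValueError as exc:  # wrong segment count, bad base64, bad JSON
        raise ValueError("malformed") from exc
    # Pin the algorithm: never let the token choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("algorithm")
    # Check the signature before reading any claim, in constant time.
    want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, want):
        raise ValueError("signature")
    claims = json.loads(_b64d(body))
    if claims.get("iss") != issuer:
        raise ValueError("issuer")
    # Audience must equal this pod's ID, so another tenant's token fails here.
    if claims.get("aud") != pod_id:
        raise ValueError("audience")
    iat, exp = claims.get("iat"), claims.get("exp")
    if not all(isinstance(v, (int, float)) for v in (iat, exp)):
        raise ValueError("expiry")
    # Reject expired tokens and tokens minted with a lifetime above the TTL.
    if now >= exp or exp - iat > max_ttl:
        raise ValueError("expiry")
    return claims

if __name__ == "__main__":
    key, t0 = b"constructed-demo-key", 1_700_000_000  # constructed sample values
    tok = sign_token({"iss": "alloy-auth", "aud": "pod-acme-001", "iat": t0, "exp": t0 + 300}, key)
    print(verify_pod_token(tok, key, "pod-acme-001", now=t0 + 10))
```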

Tenant Isolation

Complete process isolation via Cloud Run. Memory, CPU, and network boundaries enforced at the runtime level. Zero shared resources. Zero cross-tenant queries. Each merchant gets their own Cloud SQL instance, Cloud Run service, and Cloud Storage bucket.

Tenant Resources (acme-corp)

resource   instance       status
Database   sql-acme-001   ● dedicated
Compute    run-acme-001   ● isolated
Storage    gcs-acme-001   ● dedicated
Secrets    sm-acme-001    ● scoped
Network    vpc-acme-001   ● bounded

0 shared resources · 0 cross-tenant queries · fully isolated

Permissions — Flux (acme-corp)

permission         admin   editor   viewer
snapshot:create
release:deploy
release:approve
release:rollback
audit:read
member:manage

30+ permission keys · tenant-scoped

Built with enterprise in mind

Every Alloy solution ships with role-based access control, granular permissions, and full audit trails. Your team gets the governance controls enterprise Shopify demands from day one.

Penetration Testing

Annual, CREST-accredited

SOC 2 Type II

In progress

Audit Trail

Every lifecycle event logged

Data Encryption

AES-256-GCM at rest

Questions about our security posture?