Security overview

Security is fundamental to Alpacon’s design and operation. We implement industry-standard security practices to protect your servers, data, and infrastructure.

Our security commitment

Alpacon is built with security at its core. We continuously work to ensure that your infrastructure remains protected through multiple layers of security controls, regular assessments, and adherence to industry best practices.

Key security features

Data encryption

  • In-transit encryption: All data transmitted between your browser, Alpacon services, and your servers is encrypted using TLS 1.2 or higher
  • At-rest encryption: Sensitive data stored in our systems is encrypted using AES-256
  • Gateway-based security: The Websh protocol (proprietary, built on HTTPS/WSS) routes all connections through the Alpacon Gateway, enabling comprehensive audit logging and session recording for compliance while maintaining encryption in transit

Authentication & access control

  • Enterprise authentication: Powered by Auth0 (Okta) with SOC 2 Type II, ISO 27001, and PCI DSS certifications
  • Multi-factor authentication (MFA): Optional MFA support for enhanced account security
  • Role-based access control (RBAC): Granular permission system to control access to servers and features
  • Session management: Secure session handling with automatic timeout and session invalidation
  • Centralized authentication: All authentication is handled through the Alpacon platform, eliminating the need to manage individual SSH keys per server

Network security

  • Agent-based architecture: Alpamon agents initiate outbound connections only, eliminating the need to expose server ports
  • IP allowlisting: Configure allowed IP ranges for enhanced access control
  • Network isolation: Workspace-level network isolation ensures data separation between organizations

Audit & monitoring

  • Activity logging: Comprehensive logging of all user actions and system events
  • Session recording: Optional terminal session recording for compliance and auditing
  • Real-time alerts: Configurable alerts for suspicious activities and security events
  • Audit trail: Immutable audit logs for compliance and forensic analysis

Security assessments

Penetration testing

We conduct regular third-party penetration testing to identify and address potential vulnerabilities:

  • Annual penetration tests by certified security professionals
  • Continuous vulnerability scanning of our infrastructure
  • Responsible disclosure program for security researchers

Security audits

Alpacon undergoes periodic security audits to ensure compliance with security best practices:

  • Regular internal security reviews
  • Third-party security assessments
  • Code security reviews and static analysis

Compliance readiness

While Alpacon does not currently hold formal security certifications, we follow industry-standard frameworks and best practices:

  • SOC 2 framework: We align with SOC 2 Type II security principles and are preparing for certification
  • GDPR compliance: Data handling practices designed to support GDPR requirements
  • ISO 27001 alignment: Security controls aligned with ISO 27001 standards

Note: We are actively working toward obtaining SOC 2 Type II and other industry certifications. Updates on our certification status will be announced as they become available.

Data privacy

Data collection & usage

  • Minimal data collection: We collect only the data necessary to provide our services
  • Data residency: Choose your preferred data region during workspace creation
  • Data retention: Configurable data retention policies to meet your compliance requirements
  • No data sharing: We never sell or share your data with third parties

User rights

  • Data access: Request access to your data at any time
  • Data deletion: Request deletion of your data in accordance with our retention policies
  • Data portability: Export your data in standard formats

Supply chain security

Dependency management

We implement comprehensive supply chain security measures to protect against vulnerabilities in third-party dependencies:

  • GitHub Dependabot: Automated dependency scanning and security updates for all repositories
  • Static Application Security Testing (SAST): Continuous scanning for security vulnerabilities and code quality issues
  • Software Composition Analysis (SCA): Scanning open-source components for known vulnerabilities
  • License compliance: Regular audits of open-source licenses to ensure compliance
  • Dependency pinning: All production dependencies use exact version pinning to prevent unexpected changes

Security scanning

  • Container security: All Docker images are scanned for vulnerabilities before deployment
  • Infrastructure as Code (IaC): Security scanning of Terraform and configuration files
  • Secret detection: Automated scanning to prevent accidental credential exposure
  • Software Bill of Materials (SBOM): Maintained inventory of all software components and their versions

Third-party vendor security

  • Vendor assessment: Security evaluation of all critical third-party services
  • Service provider audits: Regular review of security certifications (SOC 2, ISO 27001) for key vendors
  • API security: All third-party API integrations undergo security review
  • Data processing agreements: Formal agreements ensuring security standards with all data processors

Security best practices for users

To maintain the highest level of security, we recommend:

  1. Enable MFA on all user accounts, especially for administrators
  2. Use strong passwords and rotate them regularly
  3. Implement least privilege access through IAM roles and groups
  4. Review audit logs regularly to detect unusual activity
  5. Keep Alpamon agents updated to the latest version
  6. Configure IP allowlisting for sensitive environments
  7. Enable session recording for compliance-critical operations

Security monitoring

  • 24/7 monitoring: Real-time surveillance of security events
  • Automated alerts: Immediate detection and notification of suspicious activity
  • Threat intelligence: Security updates based on the latest threat information
  • Regular reviews: Analysis of security logs and audit trails

Vulnerability disclosure

If you discover a security vulnerability in Alpacon, please report it responsibly:

  • Email: security@alpacax.com
  • We aim to respond to security reports within 48 hours
  • Please allow us time to address the issue before public disclosure

Security resources

Contact

For security-related inquiries or to request our security documentation:


Last updated: November 2025