Security FAQ
Frequently asked questions about Alpacon’s security features and practices.
General security
Is Alpacon secure enough for production environments?
Yes. Alpacon is designed with enterprise-grade security for production use:
- Military-grade encryption (AES-256, TLS 1.3)
- No inbound ports required on your servers
- Regular security audits by third-party professionals
- 24/7 security monitoring and incident response
- Used by companies managing mission-critical infrastructure
How does Alpacon compare to traditional SSH security?
Alpacon is more secure than traditional SSH in several ways:
| Feature | Traditional SSH | Alpacon (Websh Protocol) |
|---|---|---|
| Exposed ports | Port 22 exposed to internet | No exposed ports |
| Attack surface | Direct server access | Zero-trust agent-based |
| Access control | SSH keys per server | Centralized IAM |
| Command logging | Limited or none | Complete audit trail |
| Real-time monitoring | Not possible | Gateway inspects all traffic |
| Policy enforcement | Not possible | Block commands, require approvals |
| MFA support | Requires PAM configuration | Built-in MFA |
| Session recording | Requires additional tools | Optional built-in |
| Compliance | Difficult (no audit trail) | Built for SOC 2, HIPAA, PCI-DSS |
What happens if Alpacon’s platform goes down?
Short answer: Your servers continue running normally. You lose remote access temporarily via Alpacon, but can use emergency SSH access if configured.
Details:
- Agent behavior: Alpamon agent enters retry mode with exponential backoff
- Server impact: Zero impact on server operations or applications
- Reconnection: Automatic reconnection when service resumes
- Uptime SLA: 99.9% availability guarantee (Enterprise)
- Emergency access: Configure emergency SSH access as backup
Can Alpacon access my server data?
Server files: No. Terminal commands: Yes, by design for security and compliance.
- No file access: We don’t read, store, or analyze files on your servers
- Gateway visibility: Our gateway can see and log terminal commands for audit trails and compliance
- Why this is more secure:
  - Complete audit trail of all commands executed
  - Real-time monitoring for suspicious activity
  - Session recording for compliance (SOC 2, HIPAA, PCI-DSS)
  - Ability to block dangerous commands
  - Meets regulatory requirements that mandate audit logging
- Encrypted transit: All data is encrypted using TLS 1.3 while in transit
- Your control: You decide what to record and retention periods
Authentication & access
Is multi-factor authentication (MFA) really necessary?
Strongly recommended, especially for:
- Production environments
- Servers with sensitive data
- Administrative/superuser accounts
- Compliance requirements (SOC 2, HIPAA, etc.)
Even strong passwords can be compromised through phishing, keyloggers, or database breaches. MFA adds a critical second layer of defense.
Does Alpacon handle authentication itself or use a third-party service?
Alpacon uses Auth0 (by Okta) for authentication:
Why this is more secure:
- Industry leader: Auth0 is trusted by thousands of enterprises worldwide
- Certified: SOC 2 Type II, ISO 27001, and PCI DSS certified
- Specialized: Authentication is complex—using a dedicated service is more secure than building in-house
- Continuously updated: Immediate protection against newly discovered vulnerabilities
- High availability: 99.99% uptime SLA with global redundancy
What Alpacon controls:
- Auth0 handles authentication (who you are)
- Alpacon controls authorization (what you can access)
- All server access policies, IAM roles, and permissions are managed by Alpacon
Transparency: We believe in being transparent about our infrastructure. Using Auth0 demonstrates our commitment to security best practices rather than attempting to build authentication from scratch.
Can I use my company’s SSO (single sign-on)?
Yes, with the Enterprise plan:
- SAML 2.0: Azure AD, Okta, OneLogin, Google Workspace
- OAuth 2.0: Google, Microsoft, GitHub, custom providers
- Just-in-time provisioning: Automatic user creation
- Group sync: Map IdP groups to Alpacon user groups
- Centralized management: Manage users in your IdP
What happens if a user leaves the company?
Best practices:
- Immediate: Revoke access in your IdP (if using SSO) or Alpacon
- Audit: Review access logs for the user’s activity
- Keys: Rotate any API keys or tokens the user had access to
- Sessions: Terminate all active sessions
- Review: Check if user shared credentials with others
Alpacon features:
- Instant revocation: Access removed immediately upon user deletion
- Session termination: All active sessions automatically closed
- Audit trail: Complete history of user’s actions retained
- Group membership: Removal from groups cascades to server access
Network & infrastructure
Do I need to expose any ports on my servers?
No. This is one of Alpacon’s key security advantages:
- No inbound ports: Servers don’t accept any incoming connections for Alpacon
- Outbound only: Alpamon agent initiates outbound HTTPS/WSS connections
- Firewall friendly: Works with restrictive firewall policies
- No port forwarding: No need to configure port forwarding or NAT
Required: Outbound HTTPS (443) from servers to Alpacon platform
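To check on a given host that nothing beyond what you intend is still listening for inbound connections, the added example below (not Alpacon tooling or code from this documentation) parses `ss -H -tln` output and reports TCP listeners bound to non-loopback addresses. The sample output is constructed, and `allowed_ports` is an assumed parameter for a port you keep on purpose, such as emergency SSH.

```python
import ipaddress

# Constructed sample of `ss -H -tln` output (State Recv-Q Send-Q Local Peer);
# it is illustrative only and does not come from a real host.
SAMPLE_SS = """\
LISTEN 0 128  0.0.0.0:22       0.0.0.0:*
LISTEN 0 4096 127.0.0.1:5432   0.0.0.0:*
LISTEN 0 511  [::]:80          [::]:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128  [::1]:6379       [::]:*
LISTEN 0 128  *:9100           *:*
"""

def split_endpoint(endpoint):
    """Split an ss 'addr:port' token into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    # Drop an interface scope such as %lo, then IPv6 brackets.
    addr = addr.split("%", 1)[0].strip("[]")
    return addr, int(port)

def is_reachable_from_network(addr):
    """True if the bind address accepts connections from other hosts."""
    if addr in ("*", "0.0.0.0", "::"):
        return True
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True  # unparseable address: fail closed and report it

def exposed_listeners(ss_output, allowed_ports=frozenset()):
    """Return sorted (addr, port) pairs for non-loopback TCP listeners."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = split_endpoint(fields[3])
        if is_reachable_from_network(addr) and port not in allowed_ports:
            findings.append((addr, port))
    return sorted(findings, key=lambda f: f[1])

if __name__ == "__main__":
    # allowed_ports={22} models a deliberately retained emergency SSH port.
    for addr, port in exposed_listeners(SAMPLE_SS, allowed_ports={22}):
        print(f"unexpected listener: {addr}:{port}")
```

On a real host, feed it the output of `ss -H -tln` instead of the sample; an empty result means no TCP service outside the allowed set is reachable from the network at the socket level.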
Can Alpacon work behind a corporate firewall/proxy?
Yes. Alpacon is designed for enterprise networks:
- HTTP/HTTPS proxy support: Standard proxy with authentication
- SOCKS proxy support: SOCKS4/SOCKS5 proxy support
- PAC support: Proxy Auto-Config files
- Minimal whitelist: Only needs `<workspace>.<region>.alpacon.io`
See Network security documentation for configuration details.
Is VPN still needed with Alpacon?
Usually no. Alpacon provides secure access without VPN:
VPN provides:
- Network-level access to internal resources
- Works with legacy systems requiring network visibility
Alpacon provides:
- Secure server access without VPN overhead
- Better performance (no VPN latency)
- Granular per-server access control
- Complete audit trail
Recommendation: Most companies can eliminate VPN for server access. Keep VPN only if you have specific network requirements (e.g., legacy systems, file shares).
Data & privacy
Where is my data stored?
Data is stored in the following locations:
| Region | Location | Data Center | Status |
|---|---|---|---|
| AP1 | Asia-Pacific (Seoul) | AWS Seoul Region | Active |
| US1 | United States (Virginia) | AWS US-East-1 | Coming Soon |
Backup system:
- All data is backed up to a secondary system hosted by iNETHosting for disaster recovery
Key points:
- Data is primarily stored in your selected region
- Automatic backups to secondary location for redundancy
- No cross-region data transfer except for backups
- Complies with regional data sovereignty requirements
What data does Alpacon collect?
We collect only essential data:
Always collected:
- User authentication data (email, hashed password, MFA secrets)
- Server metadata (name, IP, platform, agent version)
- Connection logs (who connected to which server, when)
- Audit events (permission changes, user actions)
- Terminal session recordings (retention period varies by plan)
Never collected:
- Server files or application data
- Data from your servers
- Application logs or metrics (unless you forward them)
- Personal data beyond account information
Session recording retention by plan:
- Free plan: Session history not available
- Essentials plan: 1 year
- Enterprise plan: 5 years
Can I export my data?
🚧 Coming Soon - Data export functionality is currently in development
We are building comprehensive data export features to ensure full data portability:
Planned export capabilities:
- Workspace configuration: Export all workspace settings and configurations
- Audit logs: Export complete audit trail in CSV or JSON format
- Server metadata: Export server list and configurations
- User data: Export user accounts and permission settings
- Session recordings: Export terminal session recordings (subject to retention policy)
Export formats:
- JSON for structured data
- CSV for tabular data (audit logs, user lists)
- Video format for session recordings
Access methods (when available):
- CLI commands
- Web interface
- API endpoints
Timeline: Data export functionality is actively being developed. Contact support@alpacax.com if you need specific data export capabilities for compliance or migration purposes.
What happens to my data if I delete my account?
Account deletion process:
- Immediate (Day 0):
  - Account access revoked immediately
  - All active sessions terminated
  - Data enters “soft delete” state
- Grace period (Days 1-30):
  - Data retained for potential recovery
  - Contact support to restore account
  - No access to workspace during this period
- Permanent deletion (After Day 30):
  - All personal data permanently deleted
  - Workspace data anonymized or deleted
  - Audit logs anonymized and retained per compliance policy
Right to erasure: Contact privacy@alpacax.com for immediate deletion requests.
Compliance & certifications
Is Alpacon SOC 2 compliant?
We are currently working toward SOC 2 Type II certification:
- Current status: Implementing SOC 2 controls and policies
- Expected timeline: Certification process in progress
- Interim measures: Following SOC 2 Type II security principles
- Updates: Certification status will be announced when available
See Security overview for current security practices.
Is Alpacon GDPR compliant?
Yes, we comply with GDPR requirements:
- Data Processing Agreement (DPA): Available upon request
- Data transfers: Standard Contractual Clauses (SCCs) for international data transfers
- User rights: Full support for GDPR user rights (access, rectification, erasure, portability)
- Privacy by design: GDPR principles embedded in product development
- Data controllers: You remain the data controller for your workspace data
Note: Currently, data is hosted in AWS Seoul Region (AP1). For EU customers requiring data residency in the EU, please contact us to discuss your specific requirements.
Can Alpacon be used for HIPAA-compliant systems?
Yes, with proper configuration (Enterprise plan):
- Infrastructure: Designed with healthcare requirements in mind
- BAA available: Business Associate Agreement available for Enterprise customers
- Encryption: End-to-end encryption meets HIPAA standards
- Audit logs: Comprehensive audit trail for compliance
- Access controls: Granular access control and MFA support
Note: Alpacon itself is not a HIPAA-covered entity. You must configure appropriate controls and sign a BAA.
Incident response
How do I report a security vulnerability?
Responsible disclosure:
- Email: security@alpacax.com
- Include: Detailed description, steps to reproduce, impact assessment
- Response time: We aim to respond within 48 hours
- Disclosure: Please allow us time to fix before public disclosure
See Vulnerability disclosure policy for details.
What happens if there’s a security breach?
Incident response process:
- Detection (< 1 hour): Automated monitoring detects incident
- Containment (< 4 hours): Isolate affected systems
- Investigation (< 24 hours): Determine scope and impact
- Notification (< 72 hours): Notify affected customers per GDPR
- Remediation: Fix vulnerability and restore service
- Post-mortem: Publish incident report (when appropriate)
Customer actions:
- Monitor email for security notifications
- Review audit logs for suspicious activity
- Rotate credentials if advised
- Implement additional security measures if recommended
Best practices
How often should I review user access?
Recommended schedule:
- Monthly: Review new users and recent access changes
- Quarterly: Full access audit for all users and groups
- After events: After employee departures or role changes
- Annually: Comprehensive security review
Use Alpacon’s audit tools:
```bash
# List all users and their roles
alpacon users list --show-roles

# Show users with superuser access
alpacon users list --role superuser

# Review recent permission changes
alpacon audit report --type permission-changes --period 90d
```
Should I enable session recording?
Consider enabling for:
- Compliance requirements (SOC 2, HIPAA, PCI-DSS)
- High-security environments
- Training and troubleshooting
- Forensic analysis capabilities
Consider disabling for:
- Development environments
- Privacy concerns
- Storage cost optimization
- Performance-sensitive operations
Recommendation: Enable selectively for production servers or compliance-critical systems.
What’s the recommended MFA method?
Most secure to least secure:
- Hardware security keys (FIDO2/WebAuthn)
  - YubiKey, Titan Key, and other FIDO2 devices supported
  - Phishing-resistant and tamper-proof
  - Most secure option
  - Best for high-value accounts and administrators
- Biometric authentication
  - TouchID, FaceID, Windows Hello
  - Convenient and secure
  - Hardware-backed security
  - Good balance of security and usability
- TOTP authenticator apps (Google Authenticator, Authy, 1Password)
  - Strong security
  - Works offline
  - Widely supported
  - Recommended minimum for all users
- Email-based OTP
  - Convenient for users without other devices
  - Less secure than above methods
  - Use only as backup method
- SMS-based OTP
  - Better than no MFA
  - Vulnerable to SIM swapping
  - Use only as backup method
- Recovery codes
  - One-time use backup codes
  - Essential safety net for all MFA methods
  - Store securely and keep accessible
  - Regenerate after use or if compromised
Recommendation:
- Administrators/privileged accounts: Hardware keys or biometric authentication
- Regular users: TOTP apps as minimum
- Everyone: Save recovery codes in a secure location (password manager or safe)
Getting help
Where can I find more security documentation?
- Security overview - Overall security approach
- Data security - Data protection measures
- Authentication & Access Control - IAM and authentication
- Network security - Network architecture and security
- Infrastructure setup - Security configuration guide
How do I contact the security team?
- Security issues: security@alpacax.com
- Vulnerability reports: security@alpacax.com
- Privacy questions: privacy@alpacax.com
- General support: support@alpacax.com
Last updated: November 2025