Security & Compliance
The organizations that rely on ALIS serve some of the most vulnerable people in our communities. We take that responsibility seriously — and we've built security into every layer of the platform.
Security-by-Design
Security isn't a feature we added — it's a principle we designed around. Here's what that means in practice.
All data is encrypted at rest using AES-256 and in transit using TLS 1.3. Whether data is being submitted, stored, or retrieved, it is always protected.
Each ALIS client runs on its own dedicated server — not a shared multi-tenant cloud environment. Your data is logically and physically isolated from every other organization. Prefer to host on your own infrastructure? ALIS can be deployed on your existing server as well.
Access to case records is controlled at the role, user, and field level. No user can access data outside their defined permissions — ever. Principle of least privilege enforced throughout.
ALIS supports Microsoft Entra ID single sign-on out of the box. Staff authenticate with their existing Microsoft 365 credentials — no separate password, no extra friction, and full compliance with your organization's identity policies.
Every action taken in the system is logged — who accessed it, what they did, and when. Logs are append-only and cannot be deleted or modified, even by administrators.
Your organization owns its data entirely. We do not monetize, analyze, share, or use your clients' data in any way. You can export a full copy of your data at any time.
Automated daily backups with offsite storage. Documented recovery procedures tested regularly. Your data is never at risk of permanent loss.
Automatic session timeout after configurable inactivity period. Secure logout invalidates server-side sessions immediately. Concurrent session controls available.
Application security patches are applied promptly and included in all plans. Server-level security maintenance is included with hosted plans.
Security Posture
Security considerations are incorporated from the first line of code — not bolted on afterward. Input validation, output encoding, and injection prevention are built in throughout.
No analytics trackers, advertising pixels, or behavioral profiling scripts. Your users' data stays in your system — it never flows to Google, Meta, or any other third party.
ALIS only collects what your organization configures it to collect. No shadow fields, no hidden data collection, no retention of data beyond your configured policies.
Dependencies are regularly scanned for known security vulnerabilities. Security patches are prioritized and deployed promptly. We maintain a responsible disclosure policy for security researchers.
ALIS supports configurable data retention policies — including archiving and deletion workflows — that can be implemented to align with your legal obligations and organizational policies.
Export your complete data set at any time in standard formats. If you ever leave ALIS, your data leaves with you — we don't hold it hostage or make export unnecessarily difficult.
Need to share security details with your IT director, legal counsel, or board? Contact us and we'll put together a security overview covering our data processing practices, encryption standards, and compliance posture.
Request Security Documentation