
Security

How we protect your awards program, your sponsors, and your voters.

Encryption

  • TLS 1.2+ enforced (HSTS preload).
  • AES-256 at rest for Postgres + S3-compatible object storage.
  • AES-256-GCM application-layer encryption for OAuth tokens, TOTP secrets, etc.
  • Argon2id for passwords (memoryCost 19 MiB).
  • Open Badges 3.0 winner credentials signed with Ed25519.

Authentication

  • Email + password, Google OAuth, and magic links delivered via SMTP2GO.
  • TOTP 2FA (RFC 6238) with single-use recovery codes.
  • SAML SSO planned for Studio + Enterprise (capability in schema; UI in progress).
  • Session JWTs with ±5 min clock-skew tolerance.

Data isolation

  • Every query traverses Organization → Show → Nomination ownership.
  • Capability-based RBAC enforced server-side; the UI hides controls, but the server is the source of truth.
  • Per-org S3 storage key prefixes (org/{orgId}/...) for blast-radius isolation.
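The two isolation rules above (walk the ownership chain on every read, and keep every object under its org's key prefix) are easy to state and easy to get subtly wrong. The following is an added illustration, not Aclamos code: the table contents, the capability name `nomination:read`, and the helper names are constructed for the example. It shows why an unknown id and a cross-org id should fail identically, and why the prefix check needs the trailing slash.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed in-memory stand-ins for the Organization -> Show -> Nomination
# tables; a real deployment expresses the same walk as a joined query.
ORGANIZATIONS = {"org_a": {"name": "Alpha Awards"}, "org_b": {"name": "Beta Awards"}}
SHOWS = {"show_1": {"org_id": "org_a"}, "show_2": {"org_id": "org_b"}}
NOMINATIONS = {
    "nom_10": {"show_id": "show_1", "title": "Best Newcomer"},
    "nom_20": {"show_id": "show_2", "title": "Best Album"},
}


@dataclass(frozen=True)
class Session:
    """What the server trusts after authentication: who, which org, which capabilities."""
    user_id: str
    org_id: str
    capabilities: FrozenSet[str]


class AccessDenied(Exception):
    """Raised for both 'no such record' and 'not yours', so the response leaks no existence oracle."""


def load_nomination(session: Session, nomination_id: str, required: str) -> dict:
    """Server-side read path: capability check first, then the ownership walk."""
    if required not in session.capabilities:
        raise AccessDenied("missing capability " + required)
    nomination = NOMINATIONS.get(nomination_id)
    show = SHOWS.get(nomination["show_id"]) if nomination else None
    org = ORGANIZATIONS.get(show["org_id"]) if show else None
    # Every hop is checked; a nomination is only visible through a show the caller's org owns.
    if org is None or show["org_id"] != session.org_id:
        raise AccessDenied("nomination not found in this organization")
    return nomination


def storage_key(org_id: str, relative_path: str) -> str:
    """Build the org/{orgId}/... object key and refuse paths that could escape the prefix."""
    if not org_id or "/" in org_id:
        raise ValueError("invalid org id")
    parts = relative_path.split("/")
    # Empty, '.' and '..' segments are rejected rather than normalised away.
    if any(part in ("", ".", "..") for part in parts):
        raise ValueError("invalid object path")
    return f"org/{org_id}/" + "/".join(parts)


def key_belongs_to(org_id: str, key: str) -> bool:
    """Prefix check with the trailing slash: 'org/org_a' alone would also match 'org/org_ab/...'."""
    return key.startswith(f"org/{org_id}/")


def safe_storage_key(org_id: str, relative_path: str) -> Optional[str]:
    """Convenience wrapper returning None instead of raising, for callers that just want a yes/no."""
    try:
        return storage_key(org_id, relative_path)
    except ValueError:
        return None


if __name__ == "__main__":
    alpha = Session("u1", "org_a", frozenset({"nomination:read"}))
    print(load_nomination(alpha, "nom_10", "nomination:read")["title"])
    print(storage_key("org_a", "logos/show_1.png"))
    print(key_belongs_to("org_a", "org/org_ab/logos/x.png"))
```

The point of routing both the missing-record and wrong-org cases through the same exception is that a 404-versus-403 difference would let a caller probe which ids exist in other organizations.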

Application security

  • Strict Content-Security-Policy with frame-ancestors 'none' (relaxed only for /embed/*).
  • Stripe webhook signatures verified on every event.
  • Outbound webhook deliveries signed with HMAC-SHA256.
  • Rate limits on every public endpoint (Redis-backed).
  • Honeypots + minimum-time-on-page checks on Ballotis polls.
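For integrators receiving the HMAC-SHA256-signed outbound webhooks, the receiving side is where mistakes happen: parsing the body before checking it, comparing with `==`, or ignoring replay. The example below is added here and is not Aclamos code; the header names, the `timestamp.body` signing string, and the 300-second replay window are assumptions made for the illustration, and the event is constructed.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Assumed delivery format (not specified on the page): the sender puts a Unix
# timestamp in TIMESTAMP_HEADER and hex(HMAC-SHA256(secret, "<timestamp>.<raw body>"))
# in SIGNATURE_HEADER. Both header names are placeholders for this example.
TIMESTAMP_HEADER = "X-Webhook-Timestamp"
SIGNATURE_HEADER = "X-Webhook-Signature"
REPLAY_WINDOW_SECONDS = 300


def sign_delivery(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: the MAC covers the timestamp and the raw bytes, so neither can be altered."""
    signed = str(timestamp).encode() + b"." + body
    return hmac.new(secret, signed, hashlib.sha256).hexdigest()


def verify_delivery(secret: bytes, headers: Dict[str, str], body: bytes,
                    now: Optional[int] = None) -> bool:
    """Receiver side: verify on the raw body, reject stale timestamps, compare in constant time."""
    now = int(time.time()) if now is None else now
    ts_raw = headers.get(TIMESTAMP_HEADER)
    signature = headers.get(SIGNATURE_HEADER, "")
    if ts_raw is None or not signature:
        return False
    try:
        timestamp = int(ts_raw)
    except ValueError:
        return False
    # A captured delivery replayed later falls outside the window even though its MAC is valid.
    if abs(now - timestamp) > REPLAY_WINDOW_SECONDS:
        return False
    expected = sign_delivery(secret, timestamp, body)
    # hmac.compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(expected, signature)


def handle_delivery(secret: bytes, headers: Dict[str, str], body: bytes,
                    now: Optional[int] = None) -> Optional[dict]:
    """Only parse JSON after the signature check has passed; returns None when rejected."""
    if not verify_delivery(secret, headers, body, now):
        return None
    return json.loads(body)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    event = json.dumps({"type": "winner.announced", "nominationId": "nom_10"},
                       separators=(",", ":")).encode()
    ts = 1_700_000_000
    headers = {TIMESTAMP_HEADER: str(ts), SIGNATURE_HEADER: sign_delivery(secret, ts, event)}
    print(handle_delivery(secret, headers, event, now=ts))
```

Verify against the bytes exactly as received; re-serialising a parsed JSON object will usually change whitespace or key order and break the MAC.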

Operations

  • Daily encrypted Postgres snapshots (Railway-managed). Target RPO 24h, target RTO 4h.
  • Append-only audit log; admin-side viewer at /[org]/audit.
  • Pino structured logs with PII redaction.
  • Secrets via Railway env; never committed to git.
  • Single-region today (US-East). Multi-region active deployments are on the roadmap.

Compliance

  • SOC 2 Type II audit engagement is queued (Drata / Vanta-class).
  • GDPR + UK GDPR + CCPA/CPRA: DPA at /dpa, sub-processor list at /subprocessors.
  • Open Badges 3.0 / W3C Verifiable Credentials with Ed25519 signing for winner badges.
  • EU-US Data Privacy Framework: not enrolled (US transfers via SCCs).

Vote integrity (Ballotis)

  • Email magic-link verification, SMS OTP, IP/email/phone/device caps, ISO-country geofencing, CAPTCHA.
  • ML fraud signals: velocity bursts, coordinated patterns, disposable email domains, headless browsers, repeat offenders.
  • Optional verifiable mode: per-voter receipts, tamper-evident hash chain, public verification page (/verify/{pollId}).
  • Append-only vote records with supersede semantics for change-vote (where allowed by preset).
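The last two items describe one data structure: an append-only ledger whose records are hash-chained (so any edit to a past record is detectable), where a change-vote appends a new record that supersedes the old one rather than overwriting it, and where each voter gets a receipt to look up on the verification page. The following is an added illustration, not Ballotis code; the record layout, the SHA-256 chain, and the way receipts are derived from a per-cast nonce are assumptions made for the example, and the votes are constructed.

```python
import hashlib
import json
import secrets
from collections import Counter
from typing import Dict, List, Optional, Tuple

GENESIS_HASH = "0" * 64


def _digest(obj) -> str:
    """Canonical JSON (sorted keys, no whitespace) so the same record always hashes the same."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


class VoteLedger:
    """Append-only list of vote records; records are never edited or deleted."""

    def __init__(self, poll_id: str, allow_change_vote: bool):
        self.poll_id = poll_id
        self.allow_change_vote = allow_change_vote   # the preset's change-vote setting
        self.records: List[dict] = []
        self._latest_seq_by_voter: Dict[str, int] = {}

    def cast(self, voter_id: str, choice: str, nonce: Optional[str] = None) -> str:
        """Append a vote and return the voter's receipt. A repeat cast supersedes the earlier one."""
        supersedes = self._latest_seq_by_voter.get(voter_id)
        if supersedes is not None and not self.allow_change_vote:
            raise PermissionError("this poll's preset does not allow changing a vote")
        nonce = nonce or secrets.token_hex(8)
        # The public chain carries only the receipt, never the voter id; the voter keeps the receipt.
        receipt = hashlib.sha256(f"{self.poll_id}:{voter_id}:{nonce}".encode()).hexdigest()
        prev_hash = self.records[-1]["hash"] if self.records else GENESIS_HASH
        body = {
            "seq": len(self.records), "poll_id": self.poll_id, "receipt": receipt,
            "choice": choice, "supersedes": supersedes, "prev_hash": prev_hash,
        }
        record = dict(body, hash=_digest(body))
        self.records.append(record)
        self._latest_seq_by_voter[voter_id] = record["seq"]
        return receipt

    def tally(self) -> Dict[str, int]:
        """Count only records that no later record has superseded."""
        superseded = {r["supersedes"] for r in self.records if r["supersedes"] is not None}
        return dict(Counter(r["choice"] for r in self.records if r["seq"] not in superseded))


def verify_chain(records: List[dict]) -> Tuple[bool, int]:
    """Re-derive every hash and link; returns (ok, seq of the first bad record or -1)."""
    for i, record in enumerate(records):
        expected_prev = records[i - 1]["hash"] if i else GENESIS_HASH
        body = {k: v for k, v in record.items() if k != "hash"}
        if (record["seq"] != i
                or record["prev_hash"] != expected_prev
                or record["hash"] != _digest(body)
                or (record["supersedes"] is not None and not 0 <= record["supersedes"] < i)):
            return False, i
    return True, -1


def lookup_receipt(records: List[dict], receipt: str) -> Optional[dict]:
    """What a public verification page does: show the voter their record by receipt alone."""
    return next((r for r in records if r["receipt"] == receipt), None)


if __name__ == "__main__":
    ledger = VoteLedger("poll_demo", allow_change_vote=True)
    first = ledger.cast("voter1", "A", nonce="aa")
    ledger.cast("voter2", "B", nonce="bb")
    ledger.cast("voter1", "B", nonce="cc")   # change-vote: appends, does not overwrite
    print(ledger.tally(), verify_chain(ledger.records), lookup_receipt(ledger.records, first)["seq"])
```

Editing any field of an old record breaks that record's own hash; recomputing that hash to cover the edit breaks the next record's `prev_hash`, so an attacker would have to rewrite every later record, which is exactly what publishing the chain head on the verification page makes visible.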

Reporting a vulnerability

Found something? Email security@aclamos.app (PGP key on request) or use the in-app feedback widget with kind = "Security." We acknowledge reports within 1 business day and aim to triage within 5. Coordinated disclosure timeline: 90 days standard, accelerated for critical issues.

Looking for a SOC 2 Type II report or signed DPA? Email trust@aclamos.app. Engineering details for technical reviewers: see /dpa and /privacy.

Security · Aclamos