Information Security Policy
Last updated: February 11, 2026 — Version 1.0
Organization: AlphaMetrics Inteligência de Dados e Informática Ltda.
CNPJ: 63.414.435/0001-00
Approved by: Atilio Amaral, CEO & Data Protection Officer
Review cycle: Annual (next review: February 2027)
1. Purpose & Scope
This Information Security Policy establishes the security framework for AlphaMetrics, covering all systems, data, and personnel involved in the operation of our marketplace integration platform. It applies to all employees, contractors, and third-party service providers who access AlphaMetrics systems or data.
The objective is to protect the confidentiality, integrity, and availability of information assets, including client data, marketplace credentials, and internal systems.
2. Information Security Program
AlphaMetrics maintains an information security program that includes:
- Designated Data Protection Officer (DPO) responsible for overseeing security and privacy compliance.
- Annual review and update of all security policies and procedures.
- Continuous monitoring of systems, access logs, and security events.
- Security awareness practices for all personnel with access to systems.
- Risk assessments conducted when introducing new systems, integrations, or significant changes.
3. Access Control
We enforce strict access controls based on the principle of least privilege:
- Authentication: Multi-factor authentication (MFA) is required on all critical systems, including GitHub, Supabase, cloud hosting providers, and administrative panels.
- Authorization: Access to client data is restricted to authorized personnel only. Role-based access control (RBAC) is enforced at the database level through Supabase Row-Level Security (RLS) policies.
- Password & credential management: Strong password requirements are enforced. API keys, OAuth tokens, and secrets are stored in environment variables or encrypted vaults, never in source code.
- Session management: User sessions expire after inactivity. OAuth tokens are automatically refreshed and expired tokens are revoked.
- Access reviews: Access permissions are reviewed whenever team composition changes, and at minimum annually.
4. Data Classification & Encryption
We classify data into the following categories:
- Confidential: OAuth tokens, API secrets, client credentials, personal data of end-customers (names, addresses, phone numbers).
- Internal: Client business data (orders, pricing, product listings, profitability reports).
- Public: Website content, published policies, marketing materials.
Encryption measures:
- In transit: All communications are encrypted using HTTPS/TLS 1.2 or higher. API calls to marketplaces use HTTPS exclusively. Internal server-to-database communication uses SSL.
- At rest: Database storage is encrypted using AES-256 (Supabase/AWS managed encryption). Server disk encryption is enabled on our VPS infrastructure.
5. Network Security
Our infrastructure implements network segregation and protection:
- Firewall: UFW (Uncomplicated Firewall) with a default-deny inbound policy. Only explicitly required ports are open (HTTPS 443, SSH on non-standard port).
- SSH hardening: Key-based authentication only (password authentication disabled). Root login restricted. Non-standard port configured.
- IP whitelisting: Marketplace API access is restricted to our whitelisted server IP, preventing unauthorized use of credentials from other locations.
- DDoS protection: Frontend is served through Vercel's global CDN with built-in DDoS mitigation.
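The SSH baseline above (key-based authentication only, root login restricted, non-standard port) is the kind of setting that drifts silently after a server rebuild, so it is worth checking mechanically rather than by eye. The following is an added example, not AlphaMetrics' own tooling: a POSIX shell audit of an sshd_config file against that baseline. It assumes the global section of the file is authoritative (Match blocks are not evaluated), applies OpenSSH's defaults for absent keywords, and additionally checks keyboard-interactive authentication, which the policy text does not mention but which can otherwise still admit password logins. Both sample configs are constructed for the stand-alone run.

```shell
#!/bin/sh
# Added example (not AlphaMetrics' configuration): audit an sshd_config against
# the Section 5 baseline. Exit status of check_sshd_config is the number of
# failed checks, so 0 means compliant.

first_value() {
  # first_value FILE KEY: print the first effective value of KEY in the global
  # section. sshd honours the first occurrence of a keyword; Match blocks are
  # out of scope for this check (assumption), so we stop at the first one.
  awk -v key="$2" '
    tolower($1) == "match"        { exit }
    tolower($1) == tolower(key)   { print $2; exit }
  ' "$1"
}

check_sshd_config() {
  # check_sshd_config FILE: one FAIL line per finding, PASS when all checks hold.
  # Fallbacks mirror OpenSSH defaults when a keyword is absent or commented out.
  cfg=$1
  fails=0

  pw=$(first_value "$cfg" PasswordAuthentication)
  [ "${pw:-yes}" = "no" ] || { echo "FAIL PasswordAuthentication should be no (got ${pw:-default yes})"; fails=$((fails+1)); }

  # Keyboard-interactive (PAM) is a second path for passwords; require it off too.
  kbd=$(first_value "$cfg" KbdInteractiveAuthentication)
  cr=$(first_value "$cfg" ChallengeResponseAuthentication)
  [ "${kbd:-yes}" = "no" ] || [ "${cr:-yes}" = "no" ] || { echo "FAIL KbdInteractiveAuthentication should be no"; fails=$((fails+1)); }

  pk=$(first_value "$cfg" PubkeyAuthentication)
  [ "${pk:-yes}" = "yes" ] || { echo "FAIL PubkeyAuthentication should be yes (got $pk)"; fails=$((fails+1)); }

  root=$(first_value "$cfg" PermitRootLogin)
  case "${root:-prohibit-password}" in
    no|prohibit-password|without-password) ;;
    *) echo "FAIL PermitRootLogin should be no or prohibit-password (got $root)"; fails=$((fails+1)) ;;
  esac

  port=$(first_value "$cfg" Port)
  [ "${port:-22}" != "22" ] || { echo "FAIL Port should be moved off 22"; fails=$((fails+1)); }

  [ "$fails" -eq 0 ] && echo "PASS $cfg meets the SSH baseline"
  return "$fails"
}

write_samples() {
  # Constructed sample configs (not real server files) for the stand-alone run.
  cat > "${TMPDIR:-/tmp}/sshd_hardened.conf" <<'EOF'
# constructed: hardened per Section 5
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
EOF
  cat > "${TMPDIR:-/tmp}/sshd_default.conf" <<'EOF'
# constructed: stock-like, every hardening keyword still commented out
#Port 22
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
EOF
}

# Stand-alone demo: the hardened sample passes, the stock-like sample reports
# three findings (password auth, keyboard-interactive, port 22).
write_samples
for f in sshd_hardened.conf sshd_default.conf; do
  check_sshd_config "${TMPDIR:-/tmp}/$f" || echo "  -> $f: $? finding(s)"
done
```

Running the script against the live `/etc/ssh/sshd_config` after each deployment (or from a CI job that has the rendered file) turns the policy statement into a repeatable control; a non-zero exit status is what a monitoring job should alert on.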
6. Endpoint Security
- Development workstations run up-to-date operating systems with built-in antivirus/antimalware protection (Windows Defender or equivalent).
- Automatic security updates are enabled on all endpoints.
- Screen lock is enforced after periods of inactivity.
- Full-disk encryption is enabled on development machines.
7. Operational Security Baseline
The following security baseline is enforced for daily operations:
- MFA enabled on all critical services (GitHub, Supabase, Vercel, Contabo, email).
- Strong, unique passwords for all accounts (minimum 12 characters).
- Screen lock after 5 minutes of inactivity on workstations.
- Clean desk policy — no credentials or sensitive information left visible.
- Secrets and credentials never stored in source code repositories.
- .gitignore rules prevent accidental commit of configuration files, tokens, and environment variables.
8. Vulnerability Management
- Security updates and patches are applied regularly to all server and development environments.
- Dependencies are reviewed for known vulnerabilities using automated tools (GitHub Dependabot, npm audit).
- New code is reviewed before deployment to identify potential security issues.
- Third-party services (Supabase, Vercel) are selected for their strong security track records and certifications (SOC 2, ISO 27001).
9. Incident Response Policy
AlphaMetrics maintains an incident response procedure to ensure timely and effective handling of security incidents.
9.1 Incident Classification
- Critical: Unauthorized access to client data, credential compromise, data breach affecting personal data.
- High: System outage affecting multiple clients, suspected intrusion attempt, malware detection.
- Medium: Single-client service disruption, failed authentication attempts exceeding thresholds.
- Low: Minor configuration issues, non-critical software bugs.
9.2 Response Procedure
- Detection & Reporting: Incidents are reported immediately to the DPO (atilio@alphametrics.com.br). Automated monitoring alerts are configured for critical systems.
- Containment: Immediate steps to isolate affected systems, revoke compromised credentials, and prevent further damage. OAuth tokens are revoked and re-issued as needed.
- Investigation: Root cause analysis is conducted. Logs are preserved for forensic review. Scope of impact is assessed.
- Notification: Affected clients are notified within 48 hours of confirmed incidents involving their data. Marketplace platforms are notified per their requirements. Regulatory authorities (ANPD) are notified as required by the LGPD.
- Recovery: Systems are restored from clean backups. Security patches are applied. Access is re-established after verification.
- Post-incident review: Lessons learned are documented. Security controls are updated to prevent recurrence.
9.3 Communication Channels
- Internal: Email and direct communication to the DPO and technical team.
- Clients: Email notification to affected clients' registered contacts.
- Marketplace partners: Notification through the platform's designated security contact channels.
- Regulatory: Notification to ANPD (Brazil's National Data Protection Authority) as required by law.
9.4 Roles & Responsibilities
- DPO (Atilio Amaral): Overall incident coordination, client and regulatory notification, post-incident review.
- Technical Team: Detection, containment, investigation, and system recovery.
10. Data Breach Notification
In the event of a personal data breach, AlphaMetrics commits to:
- Notifying affected clients within 48 hours of confirming the breach.
- Notifying marketplace partners (TikTok Shop, Mercado Livre, Shopee, etc.) per their respective notification requirements.
- Reporting to ANPD (Brazilian Data Protection Authority) within the timeframe required by the LGPD when the breach may result in risk or harm to data subjects.
- Providing a detailed incident report including: nature of the breach, data affected, measures taken, and remediation steps.
11. Business Continuity & Backups
- Database backups are managed by Supabase with automated daily backups and point-in-time recovery capability.
- Application code is version-controlled in GitHub with full commit history.
- Server configuration is documented for rapid redeployment.
- Frontend is hosted on Vercel with automatic failover and global CDN redundancy.
12. Third-Party Security
We select third-party service providers based on their security posture:
- Supabase: SOC 2 Type II certified. Manages our PostgreSQL database with encryption, RLS, and automated backups.
- Vercel: SOC 2 Type II certified. Hosts our frontend with DDoS protection and automatic HTTPS.
- GitHub: SOC 2 Type II certified. Hosts our source code with branch protection and audit logs.
- Contabo: ISO 27001-certified data centers in Germany. Hosts our backend application server.
13. Data Deletion & Retention
Upon termination of a client relationship or upon request from a marketplace platform:
- All client-specific data (orders, products, tokens, reports) is deleted within 30 days.
- OAuth tokens are immediately revoked and deleted.
- Backup retention follows the standard cycle (up to 30 days), after which deleted data is permanently purged.
- Data required for legal compliance (e.g., tax records) is retained for the legally mandated period, with restricted access.
14. Policy Review & Updates
This policy is reviewed and updated at least annually, or whenever significant changes occur in our infrastructure, services, or applicable regulations. All updates are approved by the DPO and documented with version history.
15. Contact
For questions about this security policy or to report a security concern:
Data Protection Officer: Atilio Amaral
Email: atilio@alphametrics.com.br
AlphaMetrics Inteligência de Dados e Informática Ltda.
CNPJ: 63.414.435/0001-00
Al. Rio Negro, 503, Sala 2011
Alphaville, Barueri – SP, 06454-000, Brazil