Changelog

Security

Arjun
Written by
Arjun, founder of Almox

A short overview of how Almox handles data security.

Authentication

Sign-in is by email and password, or by single-use magic link for clients who prefer not to manage a password. Sessions are issued as HTTP-only cookies, which means JavaScript on the page can't read them, protection against common cross-site scripting attacks.

Passwords are hashed with a slow, salted algorithm (bcrypt-class). Almox never stores plaintext passwords or sees them after you set them.

Data in transit

All traffic between your browser and Almox is encrypted with TLS. The same applies to your portal at {yourname}.almox.ai or your custom domain, TLS is automatic and managed for you.

Webhooks and outbound calls (to your payment provider, your SMTP server, your AI provider) also run over TLS.

Data at rest

Stored data lives in encrypted databases on managed infrastructure. File uploads are stored in encrypted object storage. Backups are encrypted as well.

Tenant isolation

Each workspace's data is isolated at the database query level, even with millions of clients across all workspaces, queries are always scoped to the requesting workspace. There's no UI that shows another workspace's data, regardless of role.

Client access

A client only sees content explicitly shared with them. There's no "see all my agency's stuff if I find the right URL", every shareable resource is gated by membership or by a token that's specific to that client and that resource.

For token-gated public links (invoice payment pages, contract signing pages), tokens are long random strings that can't be guessed. The token is also tied to the specific resource, so a token for invoice A can't be reused to access invoice B.

What you can do on your side

  • Use a strong, unique password and a password manager
  • Enable 2FA on your account if available
  • Be careful who you make an admin (admins have full workspace access)
  • Audit your Clients and Team lists periodically and remove inactive members

Reporting a security issue

If you think you've found a security issue, please contact us privately rather than posting publicly. See Contact us.

Reach out to our sales team

Tell us about your team, we'll come back with whether Almox fits and which tier makes sense.