Security & Data Handling
Last updated: March 2026
Alembic processes sensitive documents — contracts, agreements, financial records. We take that responsibility seriously. This page explains exactly how your data is protected, and where we're honest about what we don't yet offer.
Data in Transit
All connections to Alembic use HTTPS (TLS encryption). This includes browser sessions, API calls, and all communication between our services. Documents sent to Anthropic's API for processing are also transmitted over HTTPS.
Data at Rest
- Database — Neon Postgres with encryption at rest. Stores account data, extracted fields, and metadata.
- File storage — Vercel Blob with encryption at rest. Stores uploaded document files.
AI Processing
Documents are processed using Anthropic's Claude API or OpenAI's API, depending on your space's model configuration. Key facts:
- Neither Anthropic nor OpenAI uses API data for model training
- Document content is not retained by either provider beyond the processing window
- All API communication is encrypted via HTTPS
- We do not use your documents to train any models — ours or anyone else's
Authentication & Access
- Passwords — hashed with scrypt (via BetterAuth), never stored in plaintext
- API keys — hashed with Argon2, stored only as hashes. Raw keys are shown once at creation and never retrievable again
- Sessions — managed by BetterAuth with secure, HTTP-only cookies
- Google OAuth — available as an alternative sign-in method
- Webhooks — all outbound deliveries are signed with HMAC-SHA256 (X-Alembic-Signature header). Verify the signature server-side before trusting a payload
- Organization isolation — all data is scoped to your organization. Users in one org cannot access another org's data.
Subprocessors
These are the third-party services that handle your data:
- Anthropic — AI document processing (US)
- OpenAI — AI document processing, when GPT models are selected (US)
- Vercel — application hosting and file storage (US)
- Neon — managed Postgres database (US)
- Stripe — payment processing (US)
- Resend — transactional email (US)
Data Deletion
You are in control of your data:
- Delete individual documents from any space
- Delete entire spaces and all their data
- Delete your account from Settings — all data is permanently removed
- Request deletion via email: james@alembictransform.com
What We Don't Have Yet
We believe in being upfront. The following are not yet available but are on our roadmap for enterprise customers:
- SOC 2 Type II certification
- HIPAA compliance
- Single-tenant deployment
- On-premise / self-hosted option
- Custom data residency (currently US-only)
If any of these are requirements for your organization, get in touch — we'd like to understand your needs.
Report a Vulnerability
If you discover a security vulnerability, please report it to james@alembictransform.com. We take all reports seriously and will respond promptly.