Security and Governance

Built for Operational Trust

Alecto Core is built for teams that need explainable decisions, auditable workflows, and practical controls around access, billing, and moderation operations.

Infrastructure and Data Region

  • Primary deployment posture is EU/UK infrastructure.
  • API and dashboard access are TLS-protected.
  • Health and deployment runbooks are maintained internally.

Access Controls

  • API key authentication via bearer or X-API-Key header.
  • Dashboard auth supports verification and optional MFA.
  • Organisation roles gate write actions by responsibility.

Auditability

  • Moderation responses include stable request_id values.
  • Request logs and usage analytics are available in the dashboard.
  • Hosted review activity and webhook delivery attempts are trackable when that workflow is enabled.

Billing Safety Controls

  • Overage billing is opt-in and off by default.
  • Usage threshold alerts are available for quota visibility.
  • Administrative controls support checkout policy management.

Data Retention (Default)

  • Hosted review queue entries expire automatically after queue TTL (default 7 days) when the hosted queue is enabled.
  • Webhook delivery attempt logs are stored for operational debugging.
  • Request logs and usage telemetry are retained for billing, support, and abuse control.

Webhook Security

  • Outbound webhook retries use exponential backoff (up to 4 attempts).
  • If webhook signing is enabled, deliveries include X-Alecto-Timestamp and X-Alecto-Signature.
  • Recommended validation: verify HMAC signature and reject stale timestamps.
Hosted review is optional and off by default. Customers can keep review inside Alecto Core, route it into their own systems by webhook, or handle action: review entirely in their own applications. For legal terms and policy details, see Privacy, Terms, and the Versioning Policy. For enterprise requirements, use Enterprise Contact.