Overview

This page explains how Alira protects your data and the data your clients trust you with. In short:

·      The core customer database is hosted in Sydney, Australia.

·      Some data is processed outside Australia by our AI, integration and payment providers (see Sub-processors).

·      Data is encrypted in transit and at rest.

·      We do not use customer data to train AI models unless you expressly agree otherwise in writing.

·      You retain ownership of all data you input into Alira.

Hosting and data residency

Alira’s core customer database, file storage and authentication run on Supabase, hosted in the Sydney region (ap-southeast-2) on AWS infrastructure. Some User Data may be processed, transmitted or stored outside Australia by us or our third-party providers where required to provide AI processing, integrations, billing, support or security (see Sub-processors below).

Encryption

·      In transit: TLS 1.2 or higher (HTTPS) on all connections.

·      At rest: AES-256 encryption managed by Supabase and AWS for databases and file storage.

AI processing

Alira uses Anthropic’s Claude models via Anthropic’s paid API to generate AI outputs, and OpenAI’s API to generate embeddings used for memory and intent search. Under Anthropic’s paid-API terms, inputs and outputs are not used to train Anthropic’s models and are not shared with other customers. Under OpenAI’s standard API terms, inputs are not used to train OpenAI’s models. Both providers process data in the United States.

We do not use customer data to train AI models, and will not do so unless you expressly agree otherwise in writing.

OAuth and integrations

OAuth connections to third-party services (CRMs, email, calendar, workspace tools) are managed by Pipedream (SOC 2 Type II, ISO 27001, HIPAA, GDPR compliant). We request only the scopes required for the integration you enable. Tokens are stored securely.

Access controls and backups

·      Customers authenticate via Supabase Auth.

·      Data is segmented by organisation and by user. Access controls are enforced at the application and database layer to prevent cross-tenant access.

·      Internal Alira access to production data is limited to a small number of authorised personnel on a least-privilege basis, used only to operate the service, support customers and resolve incidents. All access is logged.

·      Supabase performs automated daily backups with point-in-time recovery, encrypted and stored in the Sydney region.

Sub-processors

·      Supabase (on AWS) — Database, file storage, authentication. Sydney, Australia (ap-southeast-2). SOC 2 Type II; AWS ISO 27001, SOC 1/2/3.

·      Anthropic — AI model processing (Claude). United States. SOC 2 Type II.

·      OpenAI — Embeddings for memory and intent search. United States. SOC 2 Type II.

·      Vercel — Application hosting and backend processing. Global (edge). SOC 2 Type II, ISO 27001.

·      Pipedream — OAuth and third-party integrations. United States. SOC 2 Type II, ISO 27001, HIPAA, GDPR.

·      Firecrawl — Web search and content retrieval. United States.

·      Stripe — Payment processing and billing. United States. PCI DSS Level 1, SOC 1/2.

Customer-connected third-party services (CRMs, email, calendar, workspace tools connected by you via Pipedream) are treated as Connected Accounts, not core operational providers. Material changes to sub-processors are reflected in our Privacy Policy.

Breach notification

If we become aware of a breach likely to result in serious harm to affected individuals, we will investigate and contain it promptly, notify affected customers without unreasonable delay, and notify the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches scheme.

Account deletion

You can cancel your subscription at any time. Account-level data is deleted or de-identified within 90 days of cancellation, except where retention is required by law (financial records, generally seven years). You can request deletion of specific records at any time via hello@usealira.ai.

Your responsibilities

Security is shared. Use a strong, unique password, don’t share credentials, only invite team members who need access, remove access promptly when team members leave your agency, and avoid inputting information you are not authorised to disclose.

Relationship to our Terms

This Data & Security page should be read together with our Terms and Conditions and Privacy Policy, which govern your use of Alira. If there is any inconsistency between this page and the Terms and Conditions, the Terms and Conditions prevail to the extent of the inconsistency.

Contact

All enquiries: hello@usealira.ai