Security at AllStak

What we do, what we don't, and how to reach us if you find something.

Where your data lives

  • Telemetry from Saudi Arabia and the wider region enters through our edge relay in Riyadh, so ingestion stays fast and close to your users.
  • The relay does not keep your data. It checks your API key, strips out secrets, and securely forwards everything to our core platform in Germany (EU), where your data is processed and stored.
  • In short: a Saudi entry point, with processing and long-term storage in Germany. If you need your data to stay inside the Kingdom, talk to us before signing up — that isn't what we offer today.
  • Encrypted in transit and at rest. The outside services we rely on, and how data moves between them, are listed in our Data Processing Addendum.

Your data is walled off from other customers

Every request is checked so that one customer can never reach another customer's data. That check lives at the core of the system — it isn't a fix bolted on afterwards — and an automated test blocks any update that would accidentally weaken it.

Safe sign-in

  • Your sign-in is kept in a cookie that website scripts can't read, and only travels over a secure (HTTPS) connection.
  • It renews automatically in the background, and your session is tied to the workspace you're actually using — not left open everywhere at once.
  • Signing in with Google always shows the account picker, so you don't get logged into the wrong account by accident.

The secrets you save stay secret

  • API keys and other secrets you enter are encrypted before they're saved.
  • We never show a saved secret back to you — only a note that one is set. Saving a new one replaces the old.

We remove sensitive data automatically

Before we store anything your apps send us, we automatically strip out values that look like secrets — passwords, one-time codes, API keys, card numbers, bank (IBAN) numbers, national IDs, and similar — so they never reach our storage in the first place. The full list is in our Privacy Policy.

Strict privacy mode

You can switch your workspace to strict privacy mode. In strict mode we keep only the country of your end-users — the city and finer location are dropped on the way in and never stored.

Built-in browser protections

Our pages tell the browser to stop other sites from embedding us, to not leak the page address to third parties, and to turn off camera, microphone, location, and payment access by default.

Found a problem? Tell us

Found something? Email [email protected] with a clear description and reproduction steps. We acknowledge security reports within one business day, prioritize fixes by impact, and credit reporters in release notes when they want it.

Please don't test against other customers' data, run automated denial-of-service, or escalate beyond confirming a vulnerability. We won't take legal action against good-faith research that stays within these limits.

Compliance work in progress

We are tracking SOC 2 and ISO 27001 readiness. We will not claim certification until we actually hold it — the marketing site, sales decks, and dashboard trust strip all reflect current reality. Ask for our security questionnaire if you need one for procurement.