A4U® — Legal

Security

Last updated: May 2026

This page covers how we protect client data and how to report vulnerabilities.

Data handling

  • Client repositories live in your accounts, not ours. We get scoped, time-limited access.
  • Credentials and secrets are never committed to source control. We use environment variables, secrets managers, or your platform's native solution.
  • Production access is removed within 7 days of project close unless agreed otherwise.
  • Internal tools that need to touch client data require 2FA and SSO.

Disclosure policy

Found a security issue? Thank you. Please email security@alphaforyou.com with the details. We will:

  • Confirm receipt within 48 hours.
  • Investigate and reply with a triage within 5 working days.
  • Credit you in our disclosures page after the fix ships, unless you prefer anonymity.

Please don't publicly disclose before we've had a chance to fix it. We move fast.

Bug bounties

We don't currently run a paid bounty programme, but meaningful disclosures get a thank-you and a credit. For larger findings we may negotiate a reward case by case.

General questions: contact@alphaforyou.com.