Data Protection & Security Addendum

Baseline administrative, technical, and organizational safeguards.

Published · Effective June 5, 2026 · Version 1.0 · Governing law: State of Texas · Alignsoft, Inc., a Texas corporation

1. Purpose

This Data Protection and Security Addendum describes baseline administrative, technical, and organizational safeguards for the Align Services. It is intended to support the Terms of Service and Data Processing Addendum.

2. Security Governance

  • Align will maintain a security program appropriate to the nature of the Services and Customer Content.
  • Align will assign internal responsibility for security, privacy, incident response, and access control.
  • Align will review security controls periodically and after material platform changes.
  • Align will maintain internal policies for access, change management, incident response, and data handling.

3. Access Controls

  • Authentication for operator access is managed through a supported identity provider.
  • Role-based access controls apply to tenant workspaces and platform administration.
  • Enterprise custom roles may be supported where available under the applicable plan.
  • API keys and personal access tokens are scoped and should be limited to least privilege.
  • Raw API keys and personal access tokens should not be stored by Align after issuance, except where needed for delivery secrets or service operation.
  • Administrative access should be limited to authorized personnel with a business need.

4. Encryption and Secret Handling

  • Customer connections to the Services should use TLS where supported.
  • Sensitive tokens should be hashed where feasible.
  • Webhook signing secrets are used to sign outbound webhook deliveries.
  • Customer is responsible for protecting API keys, webhook secrets, access tokens, and other credentials outside the Services.
  • Secrets used for production operations should be stored in an approved secrets manager.

5. Audit Logging and Integrity

Align maintains audit events for state-changing actions and security-relevant activity. Audit logs may include actor, action, target, time, IP address, user agent, request identifier, metadata, and other operational details.

Align may use hash-chain or similar techniques to support audit integrity. Customer should not treat logs as a complete legal record unless the relevant workflow, retention settings, and export process are validated for the transaction.

6. Application Security

  • Partner API access uses bearer API keys and scoped permissions.
  • Sandbox and live environments should be logically distinguished.
  • Idempotency keys may be required for selected write operations.
  • Rate limits may be applied to protect service availability.
  • Session and access tokens should be time-limited and revocable where implemented.
  • Customer-configured webhooks should be signed and retried according to the Documentation.

7. Data Segregation

Customer Content will be logically segregated by tenant or workspace. Customer access to objects and records should be enforced through application authorization checks and object access controls.

8. Availability and Resilience

  • Align will use commercially reasonable measures designed to maintain service availability.
  • Background jobs may process email, webhooks, PDF rendering, audit streaming, billing reconciliation, retention purges, and related workflows.
  • Align may queue asynchronous work to avoid blocking customer requests.
  • Availability commitments, if any, are stated only in the Service Level and Support Policy or a signed order form.

9. Vulnerability Management

  • Align will evaluate reported vulnerabilities according to severity and exploitability.
  • Align may perform dependency review, code review, automated scanning, and manual testing as appropriate.
  • Customers and researchers may report security issues to security@alignsoft.us.
  • Align will prioritize remediation based on risk, impact, affected systems, and available mitigations.

10. Incident Response

  • Align will maintain an incident response process for suspected or confirmed security incidents.
  • Align will investigate, contain, mitigate, and remediate incidents as appropriate.
  • Customer notification obligations for Customer Personal Data are governed by the Data Processing Addendum.
  • Incident notices are not admissions of fault or liability.

11. Customer Responsibilities

  • Configure roles and workspace access carefully.
  • Use least privilege for API keys and personal access tokens.
  • Rotate credentials when personnel leave or compromise is suspected.
  • Validate webhook signatures and deduplicate delivery identifiers.
  • Use sandbox keys only for testing.
  • Select authentication methods appropriate for the workflow and data sensitivity.
  • Review audit logs and security settings.
  • Avoid submitting prohibited data unless authorized by a signed agreement.

12. Limitations

This Addendum describes baseline security measures but does not guarantee that the Services are immune from all security threats. Customer remains responsible for Customer systems, Customer applications, endpoint devices, identity decisions, and Customer Content.

End of document

Last reviewed: June 5, 2026 · Version 1.0 · Published.
