Security & Compliance

Built for businesses that handle real data.

Alfred works with patient lists, customer histories, and revenue data — the stuff that should never leak. Here’s exactly how we protect it.

HIPAA-aware · BAA-eligible · Encrypted end-to-end · Per-org isolation · US-hosted · Approval queue

How Alfred protects your data

Six commitments that aren’t theater.

We’re not going to pretend we’re Fort Knox. We’re an early-stage product. But here’s what we actually do — written without compliance buzzwords.

HIPAA-aware infrastructure

Alfred runs on Supabase Pro and AWS — both BAA-eligible. We sign a BAA before any healthcare org onboards real patient data. Messages stay PHI-safe by design: protocol or treatment type only, never lab values or diagnoses.

Encrypted end-to-end

TLS 1.2+ in transit. AES-256 at rest. Database backups encrypted. Secrets stored in Vercel encrypted env vars and never logged. Nothing readable in flight or in storage by anyone outside your authorized team.

Per-organization data isolation

Every customer record is scoped to your organization in our database via Postgres row-level security. Other Alfred customers cannot see your data — period. Auth tokens are scoped per-org, and that scope is enforced on every API call.
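To make the isolation model concrete, here is an illustration of what per-organization row-level security in Postgres looks like. This is an added example, not Alfred's schema or code; the `contacts` table, the `alfred_app` role and the `app.current_org_id` setting are assumptions for the example (the API layer is assumed to set that value from the caller's org-scoped token on every request).

```sql
-- Illustrative per-organization isolation with Postgres row-level security.
-- Table, role and setting names are assumptions for this example, not Alfred's.

CREATE TABLE contacts (
    id        bigserial PRIMARY KEY,
    org_id    uuid NOT NULL,
    full_name text NOT NULL,
    phone     text
);

-- Enable RLS, and FORCE it so the table owner is subject to the policies too.
ALTER TABLE contacts ENABLE ROW LEVEL SECURITY;
ALTER TABLE contacts FORCE ROW LEVEL SECURITY;

-- The caller's organization comes from a per-request setting (assumed to be
-- populated by the API layer from the scoped auth token). The second argument
-- 'true' makes current_setting() return NULL instead of raising when the
-- setting is absent, so an unscoped session matches no rows at all.
CREATE POLICY contacts_org_isolation ON contacts
    USING      (org_id = current_setting('app.current_org_id', true)::uuid)
    WITH CHECK (org_id = current_setting('app.current_org_id', true)::uuid);

-- Application role: not a superuser and no BYPASSRLS, so the policy applies.
CREATE ROLE alfred_app NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON contacts TO alfred_app;
GRANT USAGE, SELECT ON SEQUENCE contacts_id_seq TO alfred_app;

-- Constructed sample data for two organizations.
INSERT INTO contacts (org_id, full_name, phone) VALUES
  ('11111111-1111-1111-1111-111111111111', 'Org A patient',  '+15550000001'),
  ('22222222-2222-2222-2222-222222222222', 'Org B customer', '+15550000002');

-- Check 1: scope a session to org A and read as the application role.
BEGIN;
SET ROLE alfred_app;
SET LOCAL app.current_org_id = '11111111-1111-1111-1111-111111111111';
SELECT full_name FROM contacts;
ROLLBACK;

-- Check 2: still scoped to org A, try to write a row tagged with org B.
-- WITH CHECK rejects it, so a scoped caller cannot smuggle rows into another org.
BEGIN;
SET ROLE alfred_app;
SET LOCAL app.current_org_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO contacts (org_id, full_name)
  VALUES ('22222222-2222-2222-2222-222222222222', 'cross-org write');
ROLLBACK;
```

The first check returns only the org A row; the second fails with a row-level security policy violation. Two caveats a reviewer would check in any real deployment: superusers and roles with `BYPASSRLS` (including a database's privileged service connections) are not filtered by these policies, so the guarantee holds only if the request path runs under a role the policy applies to; and the policy is only as trustworthy as the mapping from the authenticated token to `app.current_org_id`, which must be set server-side, never from a client-supplied value.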

One-click approval queue

Alfred drafts, you approve. No autonomous send goes out without your explicit click. Rate limits prevent runaway sends. Every outbound message is logged with who approved it, when, and to whom — full audit trail.

You own your data

Your contacts, journeys, message history, and approvals are yours. Export a CSV of everything any time. Delete your account and we purge in 30 days. We will never sell, rent, or pre-train models on your customer data.

Audit-ready logging

Every send, every approval, every login, every API call is timestamped and logged for 12 months. Need to show your compliance officer who messaged whom and when? Export the audit trail in one click.

An honest note

We’re an early-stage company. We don’t have SOC 2 Type II yet (it’s on the 2026 roadmap). We don’t have ISO 27001. We can’t honestly claim a 99.99% SLA — we’re building toward 99.9%.

What we do have: HIPAA-eligible infrastructure, a BAA we’ll sign before you onboard PHI, encryption at rest and in transit, per-org data isolation, and an approval queue that means nothing autonomous goes out without you tapping approve.

If your compliance team needs more, email hello@alfred-intelligence.com and we’ll send our security posture documentation under NDA, walk through your specific requirements, and tell you honestly whether we’re ready for your environment.

Frequently asked

Specifics, not slogans.

Will Alfred sign a Business Associate Agreement (BAA)?

Yes. Before any HIPAA-regulated organization onboards real patient data, we sign a BAA covering Supabase, our infrastructure, and the messaging surface. Email hello@alfred-intelligence.com to start the process.

Where is data stored?

The primary database is Supabase Pro on AWS US-East. Backups are encrypted and retained for 7 days for point-in-time restore. We do not replicate to non-US regions without explicit customer agreement.

Who at Alfred can see my data?

Production database access is limited to two named engineers under signed confidentiality. We do not browse customer data for fun, never use real customer messaging in marketing, and never train models on your data without explicit opt-in.

What happens if I delete my account?

We purge your contacts, message history, and journey data within 30 days. Audit logs are kept for 12 months for compliance, then permanently deleted. You can request immediate deletion of all data at any time.

Does Alfred send PHI in messages?

No. Alfred is designed to send protocol-level or treatment-type references only ("your peptide refill is due", "your hormone follow-up"). It never includes lab values, diagnoses, or anything that would expose protected health information beyond appointment context.

Are you SOC 2 certified?

Not yet. We are HIPAA-aware and BAA-eligible today, and SOC 2 Type II is on our 2026 roadmap. If your organization requires SOC 2 before contract, contact us — we can share our security posture documentation under NDA.

What if Alfred sends a wrong message?

It cannot — without your explicit approval. Every message Alfred drafts queues in your approval inbox. You see the recipient, the content, the trigger, and the timing before you tap approve. Alfred never auto-sends a draft.

How do you protect against compromised accounts?

Multi-factor authentication is available on every plan. Suspicious login locations trigger alerts. Failed-attempt rate limiting blocks brute-force attacks. We recommend enabling MFA on all owner-tier accounts.

Trust is the product. Try Alfred risk-free.

14-day free trial. No card. No pressure. If we’re not the right fit for your compliance posture, we’ll tell you ourselves.