Legal
Security Statement
1. Introduction
This Security Statement describes the technical and organizational measures Hello Alice uses to protect your information. It covers our infrastructure, our operations, the AI advisor, and the role you play in keeping your account secure.
"Hello Alice," "we," "us," and "our" refer to Circular Board, Inc., a Delaware corporation doing business as Hello Alice.
This Security Statement works together with our Privacy Policy, which describes what information we collect and how we handle it.
2. How we protect your data
2.1 Encryption
- In transit. Connections to Hello Alice are protected by TLS 1.3, the current industry standard for transport-layer encryption. The entire application, including login pages and API endpoints, is encrypted in transit.
- At rest. All data is encrypted at rest using AES-256, applied at the database level. Encryption keys are managed through AWS Key Management Service (KMS) using AWS-managed keys.
2.2 Data segregation and isolation
User accounts are logically segregated from each other within our systems. Application-level access controls and database-level isolation prevent one user's data from being accessible to another user, including for AI advisor conversations.
2.3 Backups and recovery
We maintain regular off-site backups of user data so that we can recover from hardware failure, regional outage, or similar disruption. Our current Recovery Point Objective (RPO) is 24 hours and our Recovery Time Objective (RTO) is 24 hours. Backup retention is 14 days on a rolling basis.
2.4 Password handling
Account passwords are hashed using industry-standard algorithms. Hello Alice cannot view your password. If you forget your password, we can only help you reset it; we cannot resend it.
3. How we protect our environment
3.1 Access controls
Access to systems and data inside Hello Alice is governed by least-privilege principles. Employees and contractors are granted only the access they need to perform their work. We conduct access reviews on a quarterly basis and use just-in-time access for elevated privileges where applicable. When a team member leaves Hello Alice, access to critical systems is revoked immediately through our single sign-on (SSO) integrations.
3.2 Employee security
- All employees and contractors with access to customer data complete criminal background checks before they begin work in roles that require access to customer data.
- All employees sign a confidentiality and information security agreement.
- All employees complete regular security awareness training, including specific training on phishing, social engineering, and the handling of sensitive customer data.
- Engineering team members complete additional secure-coding training.
3.3 Vendor and subprocessor security
We assess the security posture of vendors before engaging them and on an ongoing basis. Vendors that process user data on our behalf are bound by written agreements that require them to apply protections no less protective than ours. Our Subprocessor List names the vendors we currently use and the categories of data each one processes.
3.4 Logging and monitoring
We log security-relevant events across our environment and review logs continuously to detect unusual activity, attempted intrusions, and other indicators of compromise. We use New Relic for monitoring and log aggregation, with alerting and escalation routed through New Relic, PagerDuty, and Slack integrations.
3.5 Cloud infrastructure
Hello Alice runs on Amazon Web Services (AWS) for AI and data services and on Vercel for front-end hosting. Both providers maintain their own substantial security programs and certifications. We operate within these providers' security models and apply additional controls on top.
4. How we verify our security practices
4.1 SOC 2 Type II
Hello Alice maintains a SOC 2 Type II attestation, an independent audit of our security controls over a multi-month period. Our most recent SOC 2 Type II audit was completed in June 2025 by Insight Assurance, and our next scheduled audit is in July 2026. SOC 2 reports are available to enterprise reviewers under NDA; to request access, contact compliance@helloalice.com.
4.2 PCI DSS
Hello Alice's environment, in coordination with our payment processor and card processor, complies with the Payment Card Industry Data Security Standard (PCI DSS) version 4.0, the current standard for handling payment card information.
4.3 Penetration testing
We engage Breachlock, an independent penetration testing provider, to conduct full-scope penetration tests of our environment at least annually. These tests cover external infrastructure, internal application security, and social engineering exercises against our employees. We remediate findings promptly and re-test where appropriate.
4.4 Continuous monitoring
Between formal audits, we monitor our security posture continuously through vulnerability scanning, secure configuration baselines, and ongoing review of access and activity logs.
5. AI advisor security
The AI advisor is the primary way most users interact with Hello Alice. Because of this, we want to be specific about the security controls we apply to it.
5.1 AI model access
We power the AI advisor using large language models from Anthropic, accessed through AWS Bedrock. User prompts and responses are processed within the AWS Bedrock environment. AWS Bedrock is configured so that user prompts and responses are not stored for logging or model-training purposes, and Anthropic does not receive user conversations outside the Bedrock channel or train on Bedrock-mediated conversations.
5.2 No training on your information
We do not use your personal information or AI advisor conversations to train AI models, ours or any third party's. See our Privacy Policy Section 4 for details.
5.3 Conversation isolation
User conversations with the AI advisor are isolated at the account level. One user's conversations are not accessible to other users through the AI advisor or through any other interface.
5.4 Internal access to conversations
Internal access to user AI conversations is limited to personnel who need access to maintain, troubleshoot, or improve the Services. Access is gated through authenticated access to our LLM observability platform (Langfuse), with the same identity controls applied to other Hello Alice tooling. We do not review user conversations as a routine practice.
5.5 Prompt injection and abuse mitigation
We apply controls within the AI advisor workflow to limit the advisor's response to inputs that attempt to manipulate it into bypassing its instructions, generating harmful content, or accessing data outside the scope of the conversation. These controls operate at the request-handling layer within the AI workflow.
6. Incident response
Hello Alice maintains a documented incident response program covering preparation, detection, containment, eradication, recovery, and post-incident review. The program is tested on a regular basis.
If we become aware of a security incident affecting your personal information, we will notify you and any required regulator within seventy-two (72) hours of becoming aware, unless a longer period is permitted by law or directed by law enforcement. This commitment matches the timing standard set by the EU General Data Protection Regulation and exceeds most U.S. state-law minimums.
When we notify you about an incident, the notice will include the information you need to evaluate the impact, the steps we are taking, and the actions you can take to protect yourself.
If you believe your account has been compromised or that your interaction with Hello Alice is no longer secure, please contact us immediately at compliance@helloalice.com.
7. Reporting security vulnerabilities
If you are a security researcher and you believe you have found a vulnerability in Hello Alice, please report it to us. We welcome reports made in good faith and will work with researchers to investigate and remediate confirmed issues.
See our Responsible Disclosure Policy for the structured intake channel, scope, and safe-harbor commitments for good-faith security research. You can reach our security team at security@helloalice.com.
8. Your role in account security
Security is a shared responsibility. The strongest controls we apply on our side can be undone by compromised credentials or careless device hygiene on your side. To keep your Hello Alice account secure:
- Enable multi-factor authentication. Multi-factor authentication is available through our identity provider, Auth0 (Okta). We strongly encourage you to enable it.
- Use a strong, unique password for Hello Alice that you do not use anywhere else.
- Keep your devices and browsers updated. Most account-takeover incidents start with outdated software.
- Be alert to phishing. If you receive an email or message claiming to be from Hello Alice that asks for your password or for sensitive personal information, do not respond and do not click on any links. Forward it to abuse@helloalice.com and delete it.
- Review your active sessions and connected accounts periodically through your account settings.
- Report concerns immediately. If you suspect unauthorized access to your account, contact us at compliance@helloalice.com so we can secure your account and investigate.
9. Insurance
Hello Alice maintains a comprehensive insurance program covering cyber incidents, data privacy incidents, errors and omissions, and general business liability. While insurance is not a substitute for security controls, it provides financial preparedness in the event of a serious incident.
10. Updates to this Security Statement
We may update this Security Statement from time to time to reflect changes in our practices, our vendors, or applicable standards. When we make changes:
- We will post the updated Security Statement with a new "Last Updated" date.
- For material changes that affect how we protect your information, we will provide additional notice as described in our Privacy Policy.
11. Change Log
This appendix logs notable updates to this Security Statement. The body of the Security Statement describes Hello Alice's current practices, not historical ones.
Version effective June 5, 2026
Notable updates in this version:
- Added a section describing security controls specific to the AI advisor, including model-access architecture, conversation isolation, and abuse mitigation (Section 5).
- Added a commitment to notify affected users and regulators of security incidents within seventy-two (72) hours of becoming aware (Section 6).
- Added a dedicated section on reporting security vulnerabilities, with a placeholder that will link to our Responsible Disclosure Policy once published (Section 7).
- Updated compliance references to current standards, including SOC 2 Type II and PCI DSS version 4.0 (Section 4).
- Named our independent penetration testing partner (Breachlock) and cloud infrastructure providers (AWS and Vercel) (Sections 3.5 and 4.3).
- Expanded the description of user-side account security practices (Section 8).
Contact
Questions about this Security Statement?
Email compliance@helloalice.com.
For our full contact details, see Section 14 of our Privacy Policy.