Security
Effective: March 8, 2026
At Altivum, protecting your data is fundamental to how we build and operate Elo. This page describes the security measures we implement to safeguard your information.
1. Voice Audio Privacy
We do not store your voice audio. During a practice session, audio is streamed in real time between your device and our voice server. The audio is processed by Amazon Nova Sonic to generate conversation responses and a text transcript. Once the session ends, all audio data is discarded. Only the text transcript is retained for analysis and your records.
2. Data Encryption
In Transit
All data transmitted between your device and our servers is encrypted using TLS (Transport Layer Security). This applies to API requests, WebSocket connections for voice practice, and all other network communications.
At Rest
All stored data is encrypted at rest:
- Amazon S3 — Server-side encryption (SSE) for transcripts, reports, and uploaded documents
- Amazon DynamoDB — Encryption at rest enabled on all tables for session records, user data, and analysis results
- Amazon Cognito — User credentials and authentication tokens are encrypted and managed by AWS
3. Authentication and Access Control
User authentication is managed by Amazon Cognito, which provides:
- Secure password hashing and storage
- JWT-based session tokens with expiration
- Support for federated sign-in (e.g., Google)
- Multi-factor authentication support
All API operations are authorized through our GraphQL layer (AWS AppSync), which verifies the caller's identity and enforces access controls on every request.
4. Per-User Data Isolation
Every user's data is strictly isolated. This is enforced at multiple levels:
- Storage isolation — Each user's files (transcripts, reports, documents) are stored in a dedicated, user-scoped path in Amazon S3 that is not accessible to other users
- Database isolation — All database queries are scoped to the authenticated user's identity. Server-side resolvers enforce ownership checks on every create, read, update, and delete operation
- API-level enforcement — The user identity is derived from the authentication token on the server side and cannot be spoofed by the client. The API forcibly associates all operations with the authenticated user's identity
This means that even if a client were to manipulate request parameters, server-side authorization prevents access to another user's data.
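The pattern this section describes, as an added example that is not Altivum's or Elo's own code: ownership is taken from server-verified token claims, client-supplied owner fields are ignored, and storage keys are built under the caller's prefix. The context shape, table contents, and key layout are hypothetical, and the in-memory Map is a constructed stand-in for a database table.

```javascript
// Added illustration; every name here (ctx shape, sessions table, key layout) is hypothetical.
// Constructed in-memory stand-in for a sessions table.
const sessions = new Map([
  ["s-1", { id: "s-1", owner: "user-alice", title: "Interview practice" }],
  ["s-2", { id: "s-2", owner: "user-bob", title: "Sales call" }],
]);

// Identity comes only from claims the server has already verified (e.g. the JWT `sub`).
// Anything in ctx.args is client-controlled and is never used to decide ownership.
function callerId(ctx) {
  const sub = ctx.identity && ctx.identity.sub;
  if (typeof sub !== "string" || !/^[A-Za-z0-9-]{1,64}$/.test(sub)) {
    throw new Error("Unauthorized");
  }
  return sub;
}

// Storage isolation: the object key is always built under the caller's prefix,
// and file names that could escape that prefix are refused.
function userObjectKey(ctx, fileName) {
  if (!/^[A-Za-z0-9._-]{1,128}$/.test(fileName) || fileName.includes("..")) {
    throw new Error("Invalid file name");
  }
  return `users/${callerId(ctx)}/${fileName}`;
}

// Read: "missing" and "not yours" produce the same error, so record ids cannot be probed.
function getSession(ctx) {
  const me = callerId(ctx);
  const row = sessions.get(ctx.args.id);
  if (!row || row.owner !== me) throw new Error("Not found");
  return row;
}

// Create: the owner attribute is forced from the token; a client-sent `owner` is dropped.
function createSession(ctx) {
  const me = callerId(ctx);
  const { id, title } = ctx.args.input;
  if (sessions.has(id)) throw new Error("Conflict");
  const row = { id, title, owner: me };
  sessions.set(id, row);
  return row;
}

// Update: the write happens only after the stored owner has been matched to the caller.
function updateTitle(ctx) {
  const row = getSession(ctx);
  row.title = ctx.args.title;
  return row;
}
```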
5. Infrastructure Security
Elo runs entirely on Amazon Web Services (AWS), which provides the underlying infrastructure security:
- Compute — Voice server runs on AWS Fargate (serverless containers) with no persistent servers to manage or patch
- Network — Services communicate through AWS-managed private networking. External access is limited to designated endpoints behind load balancers
- Secrets management — API keys, credentials, and sensitive configuration are stored in AWS Secrets Manager, not in source code or environment variables
- Monitoring — We use AWS CloudWatch for logging, metrics, and alerting. Operational anomalies trigger automated alerts
We operate under the AWS Shared Responsibility Model, where AWS secures the underlying cloud infrastructure and we secure the application, data, and access controls built on top of it.
6. Application Security
- Input validation — All user inputs are validated and sanitized on both client and server sides
- Scan operations blocked — Our API prevents broad database scan operations that could expose data across users
- Mutation authorization — All data modifications are authorized against the authenticated user's identity using server-side conditions
- Webhook idempotency — External webhook integrations use conditional checks to prevent duplicate processing
- Dead-letter queues — Failed asynchronous operations are captured in dead-letter queues with monitoring alerts, preventing silent data loss
7. Organization Security
For organizations using Elo:
- Organization membership is verified on every org-scoped API request through a two-step pipeline: membership verification followed by data access
- Organization documents used for practice augmentation are stored in isolated, organization-scoped storage
- Administrator access to member data is limited to session reports generated within the organization's context
8. Incident Response
In the event of a security incident, we will:
- Investigate and contain the incident promptly
- Notify affected users within 72 hours of becoming aware of a confirmed data breach, as required by applicable law
- Provide details about the nature of the incident, the data affected, and the steps taken to remediate
- Report to relevant supervisory authorities as required by GDPR and other applicable regulations
9. Responsible Disclosure
If you discover a security vulnerability in Elo, please report it to us at security@altivum.ai. We take all reports seriously and will investigate promptly. Please do not publicly disclose any vulnerability before we have had an opportunity to address it.
10. Questions
If you have questions about our security practices, please contact us at:
Altivum Inc.
Email: security@altivum.ai