Security & data handling

How Signal handles your data.

Signal is a compliance tool, so it holds to the standard it helps you meet: clear about what it does with your data, straightforward about how it is built, and documented for the people who ask. Here is how it works, in plain terms.

Your data

It stays in your workspace.

What Signal holds, and what it does with it

  • What we store — the subjects you screen, the matches and dispositions you record, and the Screening Decision Records they produce. The working data of your reviews.
  • Scoped to you — every request runs against your workspace only. Isolation is enforced on every live route.

Isolation by design

Signal is multi-tenant, but your workspace is walled off at the query layer: every read and every write carries your workspace as a required predicate, and every query is parameterized. One workspace cannot reach another's data — the boundary lives in the query, not in convention.

Accounts & sessions

Authentication built the boring, correct way.

No clever shortcuts on the parts that protect an account.

  • Password storage — PBKDF2-SHA256 at 100,000 iterations with a per-user salt. Passwords are never stored in plaintext, and never recoverable — only verifiable.
  • Sessions — session tokens are random and stored only as hashes. The session cookie is httpOnly, Secure, and SameSite, so it is not readable from page scripts.
  • Abuse protection — sign-in, sign-up, and password reset run behind bot detection (Cloudflare Turnstile) and per-IP rate limiting.
  • Enumeration-safe reset — password reset never reveals whether an email has an account. Reset tokens are stored hashed, single-use, and expire.

Records & screening integrity

The record is the point, so it is built to hold.

What gets recorded

  • An immutable audit log — screening, review, disposition, escalation, and watchlist changes are written to an append-only log wired through the routes that matter.
  • Screening Decision Records — every resolved screen becomes a record of the subject, the sources queried, the matches considered, the disposition, and who decided.

Sources you can trust

  • Official lists only — Signal screens official government sanctions, exclusion, and debarment sources. Primary sources, kept current.
  • Change-tracked — every source is snapshotted on each sync with a per-sync change history, and a large unexplained drop in a list is blocked rather than applied silently.

The live source set, and each source's sync status, are always visible inside the product. That in-product view is the authority on what Signal currently covers.

Where it runs

Infrastructure.

Signal runs on Cloudflare's global network: Workers for compute, D1 for the database, R2 for source snapshots. Traffic is served over TLS, and D1 encrypts stored data at rest. There is no separate server for an attacker to reach or for you to patch — the app is the edge.

Who's in control

The decision stays with your reviewer.

Signal is built so a person owns every call — and can show exactly what that call was based on.

AI does the legwork; you decide

Signal never auto-clears a match. The AI separates likely matches from noise and drafts the reasoning — then a person makes the disposition, and the record names who. The answer to "who decided" is always a human.

You see exactly what was checked

Every screen shows the sources queried, the matches considered, and why each was kept or dismissed — so the decision, and the record behind it, is one you can stand on when someone asks later.

Documentation & disclosure

What we can share with your team.

Documentation on request

Security documentation, architecture detail, and answers to diligence questionnaires are available on request — email contact@altiratech.com and it comes back from the team that built the product.

Responsible disclosure

Found a security issue? Our security.txt lists how to reach us. Report it to ryan@altiratech.com and you'll get a response.

Questions from your security or compliance team?

Bring them to a demo, or send them over. We answer security and diligence questions directly — from the people who built the product.