AliTok Logo

Security

AliTok Information Security Program

This page describes the administrative, technical, and organizational controls AliTok uses to protect seller and operational data processed through the platform.

Last updated: March 19, 2026

Program commitments

  • Maintain written security and privacy documentation that is reviewed after material platform changes.
  • Restrict access to customer and seller data based on role, operational need, and tenant membership.
  • Use managed infrastructure, encryption protections, and credential handling practices appropriate for a small SaaS platform.
  • Investigate security reports promptly and communicate confirmed incidents to affected parties when required.

Access control

AliTok requires authenticated access for application users, verifies bearer tokens on protected API routes, and limits organization data access to active members of the relevant workspace.

  • Supabase authentication is used for user identity and session management.
  • Protected API routes verify tokens before processing requests.
  • Organization access checks enforce tenant separation.
  • Administrative access is limited to named operators and should use MFA-enabled accounts.

Application and infrastructure security

AliTok is deployed on managed cloud infrastructure and uses platform-level controls to reduce exposure of sensitive operational data.

  • Traffic is served over HTTPS.
  • Server-side secrets are kept in environment configuration and not exposed to client code.
  • Debug and test endpoints are disabled in production by middleware.
  • Scheduled jobs require a separate authorization secret before execution.
  • TikTok webhooks are signature-verified before processing.

Data protection

AliTok follows least-privilege and tenant-isolation principles when handling user, organization, product, and order data.

  • Supabase Row Level Security is used on tenant-sensitive tables.
  • Server routes use secret-scoped database credentials only when required.
  • Contact requests are rate-limited and persisted for operational follow-up.
  • Connected platform data is processed only for seller-authorized workflows.

Endpoint and operational security

AliTok maintains baseline security requirements for operator-managed endpoints and day-to-day administration.

  • Production administration is performed only from approved operator devices.
  • Workstations should use screen locking, password protection, OS security updates, and anti-malware protection.
  • Shared credentials are prohibited.
  • Secrets must be rotated if unauthorized access is suspected.

Incident response and breach notification

AliTok maintains a documented process for handling suspected security incidents, including credential compromise, unauthorized access, webhook abuse, and accidental disclosure. The standard response flow is:

  1. Triage incoming reports and classify severity.
  2. Contain affected access, credentials, endpoints, or integrations.
  3. Investigate scope, impacted data, and required remediation.
  4. Notify affected partners or users without undue delay when a reportable event is confirmed.
  5. Document corrective actions and update controls after the incident is closed.

Security contact

AliTok accepts support, privacy, and security requests through the public support channel. Security and privacy requests are triaged manually by the platform operator.

Email: info@alitok.ai

Support: Contact AliTok

Privacy: View Privacy Policy