Built for due diligence

Security & privacy.

Cross-asset risk research is only useful if the system holding it can be trusted. Sentealpha was built for institutional due diligence from day one — edge-gated access, append-only audit, role-based authorization, and signature-verified cross-zone calls. Every layer independent and individually auditable.

Edge access

Cloudflare Access gateway
Every authenticated route sits behind Cloudflare Access. Per-user one-time-passcode authentication establishes a 24-hour session; revocation propagates in seconds. The origin host is never reachable from the public internet — outbound tunnel only, no port-forward.
  • Per-user OTP · 24h session · sub-5s revocation
  • Origin host IP never publicly reachable

Authorization

Role-based access control
Five roles — visitor, free, pro, institutional, admin — checked against a default-deny capability matrix on every gated endpoint. Sensitive operations (audit export, GDPR erasure, key rotation) require a fresh time-based one-time password on top of the standard session, and are logged twice (attempt and completion).
  • Forty actions enumerated · a role/action pair missing from the matrix is denied
  • Per-tier rate limits cap runaway use

Audit trail

Append-only usage log
Every authorization check, every gated request, every administrative action writes to an append-only audit log. The store is partitioned by month for query performance; entries cannot be modified after write — even by the operator. Retention is at least 90 days; longer on contractual request.
  • Per-event request ID + hashed IP + hashed payload (no raw PII)
  • Append-only enforced at the database role level
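The authorization and audit passages above describe one control path: a default-deny role/action matrix, a fresh TOTP on top of the session for audit export, GDPR erasure and key rotation, and an audit record per check that carries a request ID plus hashed IP and hashed payload. The following is an added illustration of that path, not Sentealpha's code; the five roles and the three sensitive operations come from the page, while the action names, the 120-second TOTP freshness window, the record layout and the truncated SHA-256 hashing are assumptions.

```python
import hashlib
import time
from dataclasses import dataclass
from typing import Optional

ROLES = ("visitor", "free", "pro", "institutional", "admin")
# Capability matrix keyed by (role, action): only listed pairs are allowed;
# a missing pair is a deny, never an error. Action names are assumed.
CAPABILITIES = {
    ("free", "read_report"), ("pro", "read_report"),
    ("institutional", "read_report"), ("institutional", "export_audit"),
    ("admin", "read_report"), ("admin", "export_audit"),
    ("admin", "erase_gdpr"), ("admin", "rotate_key"),
}
# The three sensitive operations named on the page need a fresh TOTP.
SENSITIVE = {"export_audit", "erase_gdpr", "rotate_key"}
TOTP_FRESH_SECONDS = 120  # assumed freshness window; the page gives no number


@dataclass
class Session:
    user: str
    role: str
    ip: str
    totp_verified_at: Optional[float] = None  # epoch seconds of last TOTP success


def _h(value: str) -> str:
    """Hash identifying fields before they reach the log (no raw PII stored)."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]


def audit_entry(event, request_id, session, action, payload):
    """One append-only record: event, request ID, role, action, hashed IP, hashed payload."""
    return (event, request_id, session.role, action, _h(session.ip), _h(payload))


def authorize(session, action, payload, request_id, log, now=None):
    """Default-deny check that logs the attempt first and the outcome second."""
    now = time.time() if now is None else now
    log.append(audit_entry("attempt", request_id, session, action, payload))
    if session.role not in ROLES or (session.role, action) not in CAPABILITIES:
        log.append(audit_entry("denied", request_id, session, action, payload))
        return False
    if action in SENSITIVE:
        t = session.totp_verified_at
        if t is None or now - t > TOTP_FRESH_SECONDS:
            log.append(audit_entry("step_up_required", request_id, session, action, payload))
            return False
    log.append(audit_entry("completed", request_id, session, action, payload))
    return True
```

In a real deployment `log` would be the append-only store rather than a list, and the entries show that the raw client IP never appears in a record.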

Defense in depth

Multiple independent safety nets
Edge controls, transport controls, and runtime controls are independent and individually auditable. A failure in any single layer does not compromise the others. Every server-rendered page carries a per-request content-security-policy nonce; every cross-zone token is signature-verified before any backend call resolves.
  • RS256 signature verification on every authenticated request
  • Cloudflare WAF Managed Ruleset (blocked three CVE-2025-55182 React RCE attempts)

Data Processing Agreement, incident response runbook, and quarterly disaster-recovery drill summary available to institutional buyers on evaluation call.

Framework alignment

We speak the language of due diligence.

Sentealpha's architecture maps to the controls institutional buyers verify in evaluation. We are not yet SOC 2 audited; the audit is targeted Q4 2026 conditional on first institutional pilot signing — the cost is gated to revenue.

SOC 2: CC6.1 · CC6.3 · CC7.2 · CC6.6 (logical access · monitoring · boundary protection)

ISO 27001: A.9.2 · A.9.4 · A.12.4 · A.13.1 (user access · system access · logging · network)

NIST 800-53: AC-2 · AC-3 · AU-9 · SC-7 (account · access · audit protection · boundary)

Need more depth?

Full architecture document (12 sub-domains, 99 locked decisions), Data Processing Agreement, incident response runbook, and quarterly disaster-recovery drill summary are shared with institutional buyers on evaluation call.