Security is an integral part of ALITEO’s development, not an additional layer. This document is intended for customers, partners and security teams who need to understand how ALITEO protects their data.
In this document, we describe security and data protection from the perspective of infrastructure, product, operations and regulatory compliance.
The ALITEO security program is built on the following principles:
ALITEO operates its infrastructure exclusively on the Microsoft Azure platform. Microsoft manages the physical security and compliance of the cloud infrastructure; ALITEO manages the security of the software and customer data within this infrastructure.
The platform is built on .NET 8 and is continuously upgraded to current long-term support versions. The architecture uses Azure App Services, Azure Functions and Azure CDN for static content distribution.
The primary data store is Azure Database for MySQL – a fully managed relational database. In addition, the system uses Elasticsearch for full-text search and Redis for distributed cache and session storage.
Authentication Data
Login and session data is managed by Azure Active Directory B2C. Passwords are not stored in the ALITEO database – authentication is fully handled by Azure B2C. After login, the application receives only tokens (OpenID Connect); ALITEO never sees or stores the user’s password.
Company Data
The system stores all organization data: projects, tasks, schedules, portfolios, reports and uploaded attachments. Data is logically separated by company identifier (see Multi-tenancy below).
User Data
User profiles are stored in the system – name, email address and preferences. User data is separated by user identifier.
Attachments and database backups are stored in Azure Blob Storage. Attachments originating from cloud platforms (Microsoft 365, Google Drive) are stored as links to the source platforms and are not physically copied to ALITEO storage.
Customer data enters the system through HTTPS requests from a web browser or mobile application. Features requiring real-time communication use WebSocket connections encrypted via the WSS (WebSocket Secure) protocol. Data is processed by application services on Azure App Service and Azure Functions and stored in Azure Database for MySQL. Attachments are stored in Azure Blob Storage. Full-text search is provided by Elasticsearch.
Customer data (databases, files, backups) is stored exclusively in European Azure regions. AI components use regions according to the table below:
| Purpose | Region |
|---|---|
| Primary production | North Europe (Dublin, Ireland) |
| Geo-redundant backup (data backups only) | West Europe (Amsterdam, Netherlands) |
| Embedding models for semantic search | Sweden Central |
| RAG embedding models and AI Search index | France Central |
| AI assistant – language model (LLM) | East US 2 |
Primary customer data is stored exclusively in the primary European region. Geo-redundancy applies only to data backups – backup copies are stored in the West Europe region. The primary database is not geographically replicated in real time. AI assistant requests are processed by a language model in the East US 2 region; data is not persistently stored in this region.
Encryption in Transit
All communication between the client and server takes place via HTTPS (TLS 1.2 and higher) or WSS (WebSocket Secure). Unencrypted HTTP connections are automatically redirected to HTTPS.
Encryption at Rest
| Layer | Mechanism |
|---|---|
| Azure Database for MySQL | AES-256, keys managed by Microsoft |
| Azure Blob Storage | AES-256, keys managed by Microsoft |
| Sensitive records in the database (tokens, API keys) | Application-level encryption; encryption keys in Azure Key Vault |
Tokens and other sensitive records are encrypted at the application level before being written to the database. Keys are managed separately in Azure Key Vault; all access to keys is identity-controlled and audited.
ALITEO is a multi-tenant web application – infrastructure is shared between customer instances. Data separation is ensured at the application level by two independent keys:
Access to another user’s or company’s data is not possible. A task can only be assigned to a user who is a member of the given company; task escalation can only be performed by a member of both participating companies. Each record in the database contains a tenant identifier, which is validated at the application level for every request.
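The rules in the paragraph above, sketched as an added example (not ALITEO's code). The class and function names, the in-memory dictionaries and the idea that escalation creates a linked task in the target company are all assumptions made for illustration.

```python
from dataclasses import dataclass, field, replace
from typing import Optional


class TenantAccessError(PermissionError):
    """A request tried to cross a company (tenant) boundary."""


@dataclass(frozen=True)
class Task:
    task_id: int
    company_id: str                  # tenant identifier stored on every record
    assignee_id: Optional[str] = None


@dataclass
class TenantGuard:
    memberships: dict                # company_id -> set of member user ids
    tasks: dict = field(default_factory=dict)   # task_id -> Task

    def _require_member(self, user_id, company_id):
        if user_id not in self.memberships.get(company_id, set()):
            raise TenantAccessError(f"{user_id} is not a member of {company_id}")

    def load_task(self, caller_id, company_id, task_id):
        """Return the task only if caller and record both belong to company_id."""
        self._require_member(caller_id, company_id)
        task = self.tasks.get(task_id)
        # Same error for "missing" and "other tenant", so ids cannot be probed.
        if task is None or task.company_id != company_id:
            raise TenantAccessError("task not found in this company")
        return task

    def assign(self, caller_id, company_id, task_id, assignee_id):
        task = self.load_task(caller_id, company_id, task_id)
        self._require_member(assignee_id, task.company_id)  # assignee must be a member
        self.tasks[task_id] = replace(task, assignee_id=assignee_id)
        return self.tasks[task_id]

    def escalate(self, caller_id, company_id, task_id, target_company_id):
        task = self.load_task(caller_id, company_id, task_id)
        self._require_member(caller_id, target_company_id)  # member of both companies
        # Assumption: escalation creates a linked task owned by the target company.
        new_id = max(self.tasks) + 1
        self.tasks[new_id] = Task(new_id, target_company_id)
        return self.tasks[new_id]


def demo_guard():
    # Constructed sample data: "carol" belongs to both companies.
    members = {"acme": {"alice", "carol"}, "globex": {"bob", "carol"}}
    return TenantGuard(members, {1: Task(1, "acme"), 2: Task(2, "globex")})
```

Every operation goes through `load_task`, so the tenant check cannot be skipped by a code path that forgets it.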
ALITEO distinguishes multiple ways in which a user may gain access to an organization’s data (so-called entry points). In addition to standard logged-in users, the system also supports anonymous followers – users who can follow selected objects without a full account. All these entry points are controlled and audited; access to organization data is always tied to explicit permission granted by an administrator.
ALITEO is built on Microsoft Azure, which provides horizontal scalability of services. The database is operated as a fully managed service with automatic failover.
Backups
Database backups are performed in two modes: full backup once a day and incremental transaction log backup at short intervals. This allows the database to be restored to any point in time if needed. Backups are stored in geo-redundant storage (backup region West Europe) and have the same level of protection as production data.
Azure B2C and Passwords
Login is performed exclusively through Azure Active Directory B2C. The user’s password is entered only on pages hosted by Microsoft – ALITEO never sees or stores the password. This also applies to mobile devices, where login takes place in the system browser, not inside the application.
All sensitive login credentials and API keys are stored in Azure Key Vault. Applications access Key Vault through managed identities.
Single Sign-On
ALITEO supports login via Google account. In version 26.1 (planned for release by the end of summer 2026), enterprise Single Sign-On support will be available in two variants:
Customers interested in early access can contact us at .
Adding users to the organization – both internal and external – is reserved exclusively for the organization administrator. No other role has permission to add members. The administrator can deactivate any user’s access at any time.
Organization administrators (admins) in ALITEO can:
Access rights in ALITEO are defined by a combination of roles and permissions assigned to specific objects (projects, teams, portfolios, document folders and others). Each user is marked as internal or external; external members always have limited permissions compared to internal members. A detailed description of roles, membership types and their permissions is part of the ALITEO product documentation.
Users can export selected data of their own within the application; the availability of this function depends on the user’s role and the configuration of the given component. Data deletion can be carried out upon request through ALITEO support.
ALITEO is a web SaaS application. Users access data through a web browser or mobile application.
The platform is built on .NET 8 and is continuously updated to current LTS versions. Development is carried out with an emphasis on security principles. We regularly perform internal security reviews focused, among other things, on:
Code changes pass through automated tests and manual code review. Before deployment to production, changes are verified in a test environment.
ALITEO provides a REST API that enables programmatic access to platform data. API request authentication is performed using an API key issued at the organization level.
ALITEO integrates with the following external platforms:
| Platform | Purpose |
|---|---|
| Microsoft Graph API | Integration with calendar and contacts (Microsoft 365) |
| Google Calendar API | Integration with Google Calendar and contacts |
| Azure AI Services | AI assistant – language model and RAG embedding models |
| Azure OpenAI | Embedding models for semantic search |
| Azure AI Search | AI assistant search index (RAG architecture) |
| SendGrid | Sending email notifications |
| GoPay | Payment gateway |
AI Assistant
AI functionality is operated as an isolated service, separate from the main application. This architecture ensures that the AI component accesses only the data necessary for the given function and does not have access to other parts of the system.
Requests are processed through Azure AI Services and Azure OpenAI models within Microsoft infrastructure. Microsoft’s data protection terms apply to data processing; customer data is not shared with external AI providers outside this agreement. Customer data processed by models is not used to train foundation AI models.
Data processed through other third-party applications is processed only to the extent necessary to provide the given function.
Information security is the responsibility of a designated representative of company management. Security policies are regularly reviewed within the Information Security Management System (ISMS) certified according to ISO/IEC 27001. Security incidents and serious vulnerabilities are escalated to management level.
ALITEO considers all customer data confidential regardless of its classification. Access to confidential information is limited exclusively to employees who need it to perform their work, and only to the necessary extent.
All ALITEO employees and contractors are contractually bound by confidentiality obligations. Access to production systems and customer data is governed by the principle of least privilege. Access is managed through Azure Managed Identities – developers access production data only in defined and justified cases.
The physical security of data centers is provided by Microsoft within the Azure platform. Microsoft maintains global standards for the physical protection of its data centers.
Communication between individual system components is restricted, through Azure infrastructure configuration, to expected and defined flows.
ALITEO performs internal security reviews focused on identifying vulnerabilities in both the application and infrastructure. Security deficiencies are assessed according to severity and remediated within an appropriate timeframe.
ALITEO has defined procedures for responding to security incidents. In the event of a security breach, affected customers are informed without undue delay after the incident is discovered, in accordance with GDPR requirements.
ALITEO uses Azure geographic redundancy to ensure disaster recovery:
Data Retention
Customer data is retained for the duration of the contractual relationship and subsequently according to the terms specified in the Terms and Conditions.
Data Disposal
Upon request by the customer or their authorized representative, ALITEO will delete customer data.
ALITEO monitors system operation and availability through several tools:
Application logs are retained for 30–90 days.
ALITEO carefully selects third parties that meet data protection and security requirements consistent with our own standards. Contractual relationships with vendors include commitments to protect customer data.
Personal data processing terms, contractual terms and SLA are available at .
ISO/IEC 27001
The operator of the ALITEO platform, KARAT Software a.s., is certified according to ISO/IEC 27001 for its Information Security Management System (ISMS). The certification confirms that processes and controls in the area of information security have been verified by an independent third party.
ALITEO acts as a personal data processor within the meaning of the General Data Protection Regulation (GDPR). The personal data processed includes the first name, last name and email address of system users.
Steps ALITEO has taken to comply with GDPR:
DPA (Data Processing Agreement)
In accordance with GDPR, ALITEO enters into a Data Processing Agreement (DPA) with customers automatically as part of accepting the contractual terms. ALITEO undertakes to process personal data exclusively according to the controller’s instructions and in accordance with GDPR requirements. Security incidents are reported without undue delay after their discovery.
Copyright 2025 KARAT Software
All rights reserved

