The ALP Platform is an internal business application operated by AL Performance Ltd for managing contact centre audits, client relationships, project tracking, ticketing, knowledge management, training, and time tracking. This policy documents the security controls, data handling practices, and privacy measures in place across the platform.
This policy applies to all users of the ALP Platform, including employees, contractors, and any third-party personnel granted access.
2. Platform Architecture
2.1 Infrastructure
Component
Provider
Purpose
Frontend Hosting
Netlify
Static site hosting with global CDN, automatic HTTPS
Backend Database
Supabase (PostgreSQL)
Structured data storage with Row Level Security
Serverless Functions
Netlify Functions
API proxy for Five9, Google Calendar, Claude AI, user invitations
Authentication
Supabase Auth
Email/password authentication with JWT tokens
AI Processing
Anthropic Claude API
Audit report generation and data analysis
Calendar Integration
Google Calendar API
Event management via OAuth2
VCC Data
Five9 Admin SOAP API
Contact centre configuration extraction for audits
2.2 Content Security Policy
The platform enforces a Content Security Policy (CSP) via HTTP headers that restricts script sources, style sources, connection endpoints, and frame embedding. Only trusted CDNs (jsdelivr, cloudflare, quilljs, Google Fonts) are permitted for external resources.
3. Authentication & Session Management
3.1 Authentication Method
All users authenticate via email and password through Supabase Auth
Passwords are hashed using bcrypt (handled by Supabase — never stored in plaintext)
New users are created via admin invitation only — there is no public self-registration
Invited users receive a secure link to set their password
3.2 Session Management
Sessions are managed via JWT tokens issued by Supabase Auth
Tokens are stored in the browser and automatically refreshed
An inactivity timeout of 2 hours is enforced — users are automatically signed out after 2 hours of no interaction (clicks, keystrokes, scrolling, touch)
On sign-out, all cached session data and authentication tokens are cleared from the browser
Each page verifies the session on load — unauthenticated requests are redirected to the login page
3.3 Multi-User Isolation
Each authenticated user is identified by their unique Supabase Auth ID
Sidebar user displays, activity logs, time entries, and notifications are resolved against the authenticated user's identity
Google Calendar tokens are stored per-user — each user connects and sees only their own calendar
4. Authorisation & Role-Based Access Control
4.1 Role Hierarchy
Role
Access Level
Description
Owner
Full access
Complete platform control including user management, settings, and all modules
Admin
Full access
Same as Owner — manages users, roles, and platform configuration
Manager
Manage + View
Can create, edit, and delete across all operational modules. Can invite users.
Consultant
Operate + View
Can run audits, manage assigned tasks and tickets, log time, schedule events
Viewer
Read-only
Can view all data but cannot create, edit, or delete
View Time Entries, Log/Edit Time, Time Reports & Budgets
Calendar
View Calendar, Create/Schedule Events
4.3 Database-Level Security
PostgreSQL Row Level Security (RLS) is enabled on all tables. Policies require auth.role() = 'authenticated' for all read and write operations. Unauthenticated requests receive zero data.
5. Data Storage & Encryption
5.1 Data at Rest
All platform data is stored in Supabase PostgreSQL (hosted on AWS)
Database storage is encrypted at rest using AES-256 (managed by Supabase/AWS)
Audit project data (form entries, VCC configurations, findings, reports) is stored as JSONB in the audits table
File uploads in the Knowledge Base are stored within the database (planned migration to Supabase Storage for object-level encryption)
5.2 Data in Transit
All connections use HTTPS/TLS 1.2+ — enforced by both Netlify and Supabase
WebSocket connections to Supabase use WSS (encrypted WebSocket)
API calls to Five9, Anthropic, and Google are proxied through Netlify Functions over HTTPS
5.3 Browser-Side Caching
A localStorage cache is used for fast initial page rendering
Cache is cleared on sign-out to prevent data leakage between users
Sensitive credentials (Five9 passwords, API keys) are never stored in localStorage
Google Calendar OAuth tokens are stored in Supabase (server-side), not in the browser
6. Third-Party Integrations
6.1 Five9 VCC Integration
Connects via the Five9 Admin SOAP API using Basic Authentication
Credentials are entered per-session and not persisted to any storage
All API calls are proxied through a Netlify Function — credentials never reach the browser's network tab
Data is retained for the duration of the client engagement plus any agreed retention period
Audit data can be deleted by the audit owner at any time via the dashboard
User accounts can be removed by an administrator, which unassigns their tasks and tickets
Google Calendar tokens are deleted when a user disconnects or when their account is removed
7.3 Data Export
Administrators can export all platform data via the Admin panel (JSON format)
Audit reports can be exported as DOCX documents
Five9 report data can be exported as CSV
8. Client Data Protection
Client data extracted during Five9 audits may contain personally identifiable information (PII) including phone numbers, names, and contact records. The following controls apply.
Five9 credentials are provided by the client and used only for the duration of the audit session
Extracted VCC configuration data (campaigns, skills, dispositions) does not contain end-customer PII
Five9 reports (call logs, agent stats) may contain agent names and call metadata — these are stored within the encrypted audit payload
Mystery shop test data uses dedicated test numbers and names as documented in the audit methodology
All client data is isolated within individual audit projects and is not shared between audits or clients
9. Network & Transport Security
HTTPS enforced on all connections — Netlify provides automatic SSL certificates via Let's Encrypt
HSTS headers are set to prevent downgrade attacks
X-Frame-Options: DENY prevents clickjacking
X-Content-Type-Options: nosniff prevents MIME type sniffing
Content Security Policy restricts script/style/connection sources to trusted domains only
CORS on serverless functions is restricted to alpplatform.netlify.app
Five9 API calls use Basic Auth over HTTPS proxied through server-side functions
10. Audit Trail & Monitoring
User sign-in events are logged by Supabase Auth with timestamps and IP addresses
The activity_log table records key platform actions
All data records include created_at and updated_at timestamps
Notification system tracks task assignments, ticket updates, SOP publications, and mentions
Netlify provides function invocation logs and deployment audit trails
Supabase provides database query logs and auth event logs via the dashboard
11. Incident Response
In the event of a suspected security incident:
Identify — determine the nature and scope of the incident
API keys (Anthropic, Google) can be rotated immediately via their respective consoles. Supabase tokens can be invalidated by revoking sessions in the Supabase dashboard.
12. User Responsibilities
Use a strong, unique password for your ALP Platform account
Do not share your login credentials with anyone
Lock your device when stepping away — the platform will auto-sign out after 2 hours of inactivity
Report any suspicious activity or potential security issues immediately
Do not store client credentials (e.g. Five9 passwords) outside the platform
When conducting mystery shops, use dedicated test numbers as per the audit methodology
Do not export client data to personal devices or unsecured storage
13. Regulatory Compliance
13.1 UK GDPR
The platform processes personal data (user accounts, client contact details) in accordance with UK GDPR principles. AL Performance Ltd is the data controller. Supabase (data processor) maintains SOC 2 compliance and stores data on encrypted AWS infrastructure.
13.2 Data Processing
Personal data is processed on the lawful basis of legitimate interest (business operations) and contractual necessity (client audit engagements)
Data subjects can request access to, correction of, or deletion of their personal data by contacting the platform administrator
No personal data is sold or shared with third parties for marketing purposes
13.3 Ofcom / Contact Centre Compliance
The audit tool includes built-in checks for Ofcom compliance (call abandonment rates, CLI/ANI presentation, silent call thresholds). These checks analyse configuration data only — no live calls are intercepted or recorded by the platform.
14. Contact & Reporting
For security concerns, data requests, or policy questions:
Email: info@alperformance.co.uk
Platform Admin: Use the Admin panel to manage users and permissions
Security Issues: Report immediately to a platform Owner or Admin