← Back to Platform

Security & Data Policy

AL Performance Ltd — ALP Platform (app.alperformance.co.uk)

Last updated: March 2026 · Version 1.0

Contents
1. Overview 2. Platform Architecture 3. Authentication & Session Management 4. Authorisation & Role-Based Access 5. Data Storage & Encryption 6. Third-Party Integrations 7. Data Handling & Retention 8. Client Data Protection 9. Network & Transport Security 10. Audit Trail & Monitoring 11. Incident Response 12. User Responsibilities 13. Regulatory Compliance 14. Contact & Reporting

1. Overview

The ALP Platform is an internal business application operated by AL Performance Ltd for managing contact centre audits, client relationships, project tracking, ticketing, knowledge management, training, and time tracking. This policy documents the security controls, data handling practices, and privacy measures in place across the platform.

This policy applies to all users of the ALP Platform, including employees, contractors, and any third-party personnel granted access.

2. Platform Architecture

2.1 Infrastructure

ComponentProviderPurpose
Frontend HostingNetlifyStatic site hosting with global CDN, automatic HTTPS
Backend DatabaseSupabase (PostgreSQL)Structured data storage with Row Level Security
Serverless FunctionsNetlify FunctionsAPI proxy for Five9, Google Calendar, Claude AI, user invitations
AuthenticationSupabase AuthEmail/password authentication with JWT tokens
AI ProcessingAnthropic Claude APIAudit report generation and data analysis
Calendar IntegrationGoogle Calendar APIEvent management via OAuth2
VCC DataFive9 Admin SOAP APIContact centre configuration extraction for audits

2.2 Content Security Policy

The platform enforces a Content Security Policy (CSP) via HTTP headers that restricts script sources, style sources, connection endpoints, and frame embedding. Only trusted CDNs (jsdelivr, cloudflare, quilljs, Google Fonts) are permitted for external resources.

3. Authentication & Session Management

3.1 Authentication Method

3.2 Session Management

3.3 Multi-User Isolation

4. Authorisation & Role-Based Access Control

4.1 Role Hierarchy

RoleAccess LevelDescription
OwnerFull accessComplete platform control including user management, settings, and all modules
AdminFull accessSame as Owner — manages users, roles, and platform configuration
ManagerManage + ViewCan create, edit, and delete across all operational modules. Can invite users.
ConsultantOperate + ViewCan run audits, manage assigned tasks and tickets, log time, schedule events
ViewerRead-onlyCan view all data but cannot create, edit, or delete

4.2 Permission Groups

GroupPermissions
AdminPlatform Settings, Manage Roles, Manage Users, Invite Users
CRMView Clients, Create/Edit Clients, Manage Contacts, View Pipeline, Create/Edit Deals
ProjectsView Projects, Create/Edit Projects, View Tasks, Create/Edit Tasks
TicketsView Tickets, Create/Edit Tickets, Assign Tickets
AuditView Reports, Run Audits, Export Audit Reports
KnowledgeView Knowledge Base, Upload/Edit Documents, View SOPs, Create/Edit SOPs
TrainingView Training, Create/Edit Programs
Time TrackingView Time Entries, Log/Edit Time, Time Reports & Budgets
CalendarView Calendar, Create/Schedule Events

4.3 Database-Level Security

PostgreSQL Row Level Security (RLS) is enabled on all tables. Policies require auth.role() = 'authenticated' for all read and write operations. Unauthenticated requests receive zero data.

5. Data Storage & Encryption

5.1 Data at Rest

5.2 Data in Transit

5.3 Browser-Side Caching

6. Third-Party Integrations

6.1 Five9 VCC Integration

6.2 Google Calendar Integration

6.3 Anthropic Claude AI

6.4 Supabase

7. Data Handling & Retention

7.1 Data Categories

CategoryExamplesStorage
User accountsName, email, role, last activeSupabase (users table)
Client dataCompany name, contacts, dealsSupabase (clients, contacts, deals tables)
Audit dataVCC configs, findings, reports, interview notesSupabase (audits table, JSONB payload)
Project/Task dataProjects, tasks, subtasks, commentsSupabase (projects, tasks tables)
TicketsSupport tickets, comments, SLA dataSupabase (tickets, ticket_comments tables)
DocumentsKnowledge Base uploads, SOPsSupabase (kb_documents, sop_documents tables)
Time entriesDuration, project, client, descriptionSupabase (time_entries table)
Calendar tokensGoogle OAuth access/refresh tokensSupabase (google_tokens table, per-user RLS)
NotificationsActivity alerts, mentionsSupabase (notifications table)

7.2 Retention

7.3 Data Export

8. Client Data Protection

Client data extracted during Five9 audits may contain personally identifiable information (PII) including phone numbers, names, and contact records. The following controls apply.

9. Network & Transport Security

10. Audit Trail & Monitoring

11. Incident Response

In the event of a suspected security incident:

  1. Identify — determine the nature and scope of the incident
  2. Contain — revoke affected credentials, disable compromised accounts, rotate API keys
  3. Investigate — review Supabase auth logs, Netlify function logs, and activity trail
  4. Notify — inform affected users and clients within 72 hours where personal data is involved
  5. Remediate — deploy fixes, update security controls, document lessons learned
API keys (Anthropic, Google) can be rotated immediately via their respective consoles. Supabase tokens can be invalidated by revoking sessions in the Supabase dashboard.

12. User Responsibilities

13. Regulatory Compliance

13.1 UK GDPR

The platform processes personal data (user accounts, client contact details) in accordance with UK GDPR principles. AL Performance Ltd is the data controller. Supabase (data processor) maintains SOC 2 compliance and stores data on encrypted AWS infrastructure.

13.2 Data Processing

13.3 Ofcom / Contact Centre Compliance

The audit tool includes built-in checks for Ofcom compliance (call abandonment rates, CLI/ANI presentation, silent call thresholds). These checks analyse configuration data only — no live calls are intercepted or recorded by the platform.

14. Contact & Reporting

For security concerns, data requests, or policy questions: