Data Security at Altera
Information about Altera hosting, access control, backups, diagnostics, AI/OCR and subprocessors.
Altera processes clients' financial, accounting and document data in a cloud environment designed for confidentiality, availability and access control.
We use company-level data separation, granular user permissions, controlled administrative access, backups, technical monitoring, short-term error diagnostics and incident response procedures.
Key information
Primary environment: AWS, Frankfurt region
DR region: AWS Stockholm, eu-north-1
RPO: up to 4 hours
RTO: up to 24 hours
Administrative access: limited to authorized persons
Service access to client data: only in the context of a support request, time-limited, as standard up to 24 hours
User login: AWS Cognito, Google/Apple/Microsoft SSO options
Permissions: roles and permissions per company
Monitoring: CloudWatch, Sentry, Lumigo
Service status: https://altera-app.statuspage.io/
Security contact: security@altera.co
Hosting and infrastructure
Altera production runs on AWS infrastructure. Client data is stored and processed primarily in the Frankfurt region. For business continuity, we maintain backup and data replication mechanisms to another AWS region.
Access control
Access to Altera production systems is limited to authorized persons. Administrative access is protected by SSO/MFA and granted according to the principle of least privilege.
User permissions
The client manages users and permissions independently within its company. A user may have access to multiple companies, but permissions are granted separately in the context of each company.
Service access to client data
In the case of a support request, Altera may grant temporary access to the client company context to reproduce and resolve the issue. Such access is linked to the request, time-limited, as standard up to 24 hours, and logged.
Monitoring and diagnostics
Altera uses technical monitoring and short-term request/response diagnostics to detect errors, analyze incidents, ensure service stability and handle client support requests. Diagnostic data in Lumigo is retained as standard for 14 days. Access to production data in Lumigo is limited to an authorized person. Secrets, tokens, passwords and credentials are masked.
Backup and business continuity
Altera maintains database backups as well as file backups and replication. Declared parameters: RPO up to 4 hours, RTO up to 24 hours, database backup retention up to 30 days, file backup retention after deletion from the system up to 60 days, restore tests quarterly.
AI/OCR and automated document processing
Altera uses AI/LLM models for automated reading, classification and completion of data from documents. Either OpenAI or Google AI/Gemini models are used, depending on the process and configuration. Automated processing results are presented to the user for verification.
Open Banking
The Open Banking module is activated separately and uses the EasyCheck partner. Altera does not initiate payments from the client's account. Payment features in Altera include preparing payment batches or payment QR codes. Account, balance and transaction history data is processed to the extent needed for the Open Banking module.
Subprocessors
The current list of subprocessors and technical providers is available at https://altera.co/en/data-processing.
Vulnerability reporting
Security issues can be reported to security@altera.co. The report should include a vulnerability description, reproduction steps, potential impact, reporter contact details and information on whether the vulnerability has already been publicly disclosed.
FAQ
01 Does Altera have ISO 27001?
At this stage, Altera is preparing a readiness pack and procedures aligned with ISO 27001, ISO 27017, ISO 27018, DORA and NIS2/KSC. Formal certification may be carried out at a later stage.
02 Where is data stored?
The primary production environment runs in AWS eu-central-1 (Frankfurt). Business continuity mechanisms include backups and replication to another AWS region.
03 Does Altera use AI?
Yes, Altera uses AI/LLM for automated document processing. Results should be verified by the user.
04 Can regulated clients restrict AI or logging?
Enterprise and regulated clients may agree a restricted logging scope for AI/OCR and Open Banking and additional provisions in a DORA Addendum.