Security

How we protect your data

AliasKit is built with a zero-knowledge architecture for card data and strict isolation for all resources. Here is exactly how your data is handled.

Card encryption

When you add a card to an agent identity, your full card number and CVC are encrypted on your device before being sent to our servers. AliasKit never sees or stores your plaintext card number or CVC. We store only an encrypted blob that we cannot decrypt.

Only the last 4 digits of your card number are stored in plaintext, so your dashboard can show which card is attached to each identity. Card brand, expiry, full number, and CVC are never stored in plaintext on our servers.

  • AES-256-GCM encryption with a per-user key that encrypts all cards for that user
  • Encryption and decryption happen exclusively on your device
  • Your card encryption key (ak_ck_...) is generated once and never sent to our servers
  • AliasKit cannot recover your card key or decrypt your card number and CVC
  • The encrypted card blob is permanently deleted when you cancel a card. Only the last 4 digits are retained for your activity history.
  • Every card reveal attempt is logged in an audit trail
  • Rate limited to 200 card reveals per organisation per day

We strongly recommend using a virtual card

Create a virtual card on your bank (Revolut, Monzo, Wise, or any bank that supports virtual cards) and set a spending limit on it. This is your primary safety net. If anything goes wrong, the damage is limited to the amount on the virtual card, not your main bank account.

  • Create a virtual card in your bank app in seconds
  • Set a spending limit (e.g. £50) directly on the card
  • Freeze or delete the card instantly from your bank app
  • Your main bank account is never exposed
  • Even if the card details leak, the blast radius is the card limit, not your account balance

Revolut, Monzo, and Wise all offer free virtual cards with instant creation and per-card spending limits. Any Visa or Mastercard from any bank will work with AliasKit.

Budget tracking and limitations

Each card has a configurable budget. When your agent requests the card details, AliasKit checks the declared spending amount against the budget and blocks the reveal if the budget would be exceeded.

  • Budget tracking is based on declared spending: what your agent reports it will spend, not actual bank transactions.
  • Recurring charges (subscriptions) and refunds are not tracked. For real spending data, check your bank app or virtual card dashboard.
  • Budget enforcement is advisory. Set hard spending limits on your bank's virtual card as your primary control.

Infrastructure security

  • All API traffic encrypted in transit with TLS 1.2+
  • Data at rest encrypted by our database provider (Supabase/PostgreSQL)
  • API keys are high-entropy random tokens (192-bit), hashed at rest with SHA-256
  • Row-level security (RLS) enforced on all database tables
  • Webhook payloads signed with HMAC-SHA256
  • Scoped API keys with granular permissions per resource

Organisation isolation

Every identity, email, phone number, card, and agent profile is isolated per organisation. API keys are scoped to a single organisation and cannot access resources belonging to other organisations. There is no cross-org data access.

Card reveal controls

  • Every reveal attempt is logged with IP address, user agent, amount, and outcome
  • Rate limited to 200 reveals per organisation per day
  • Budget check runs atomically with row-level locking to prevent race conditions
  • Reveal responses include no-cache headers to prevent browser/proxy caching
  • Failed reveals (budget exceeded, card frozen, rate limited) are logged with the reason

What we don't do

  • We do not process payments or charge your card. AliasKit is not a payment processor.
  • We do not hold your funds. There is no AliasKit balance or wallet.
  • We do not see your full card number or CVC. These are encrypted on your device and we cannot decrypt them.
  • We do not store your card encryption key. If you lose it, we cannot help you recover it.

Incident response

We will notify the relevant supervisory authority within 72 hours where required by applicable law. We will notify affected users without undue delay once the scope and impact of the incident has been assessed. If you discover a security vulnerability, please report it to security@aliaskit.com.