Alia Security & Privacy Overview

This page summarizes how Alia protects data and approaches security, privacy, and compliance. Alia is an interactive popup and forms app built exclusively for Shopify that helps merchants grow email/SMS subscriber lists and conversions. Alia Software, Inc. is a Delaware corporation headquartered in New York, USA, and is part of the Dotdigital Group.

For copies of our Terms of Service, Privacy Policy, or Data Processing Agreement, see the Documents section. A SOC 2 report and our most recent penetration test summary can be provided on request (under NDA).

Hosting & data residency

Alia runs on Google Cloud Platform (GCP), with data stored only in the United States.
Cloudflare provides CDN, DNS, and web application firewall (WAF); it processes request traffic in transit.
Merchants cannot select a different storage region; all stored data resides in the US.

Sub-processors

Google Cloud Platform — all platform data and storage, including AI inference via Vertex AI within Google Cloud.
Cloudflare — CDN, DNS, and WAF.
Alia maintains data processing agreements (and Standard Contractual Clauses where applicable) with its sub-processors.
Destination integrations a merchant connects (for example Shopify or Klaviyo) are the merchant’s own connections and are not Alia sub-processors.

Data we process

Alia processes personal information such as name, email address, phone number, and postal address, and may process order data and browsing behavior.
Alia does not process payment-card data and has no PCI scope; the app captures email/SMS opt-ins and zero-party data, not transactions.
Visitors who do not submit a popup are tracked with a pseudonymous identifier (stored in browser localStorage) and an associated IP address; this is not linked to contact details unless the visitor opts in.
Information is classified by sensitivity under a formal data classification policy.

How data flows

Contact and zero-party data collected via popups is delivered to the merchant-configured integrations the merchant sets up, where the merchant accesses and manages it.
Alia does not send marketing emails or SMS messages itself; message delivery and unsubscribe handling are performed by the merchant’s own marketing platform.
For attribution, Alia operates a Shopify Web Pixel that, on order completion, sends only the Shopify order ID (with the merchant’s shop domain and Alia’s pseudonymous visitor token) to tie an order back to a visitor. It does not read payment, email, line-item, or order-total data.

Encryption

At rest: all data is encrypted using Google-managed encryption.
In transit: TLS 1.2/1.3.
Secrets and credentials are stored in a managed secrets vault, never in source code.

Data retention & deletion

End-consumer/individual data is retained for approximately 1 year by default.
The SMS opt-in consent record is retained up to 10 years to comply with SMS marketing regulations.
Pseudonymous visitor data is retained up to 1 year, or 48 hours after a merchant uninstalls, whichever comes first.
As a Shopify-native app, Alia honors Shopify’s data-deletion webhooks (sent 48 hours after a merchant uninstalls).
Individuals or merchants can request deletion at help@alialearn.com, actioned within a 7-day SLA. Merchants can also export their data via self-service tools.

Privacy & data subject rights

For end-consumer personal data, the merchant is the controller and Alia is the processor (a “service provider” under the CCPA).
Alia supports data subject rights (access, deletion, correction, opt-out) as described in the Privacy Policy.
Obtaining end-consumer consent for data collection and marketing is the merchant’s responsibility.
Practices are aligned with the CCPA and GDPR; international transfers rely on Standard Contractual Clauses where applicable.

Access control & authentication

Access follows role-based access control on the principle of least privilege.
Multi-factor authentication is enforced for staff across core platforms, and required for remote access.
Access rights are reviewed quarterly, and access is revoked promptly on termination.
Alia operates a multi-tenant database with row-level isolation, scoped per-merchant access tokens, and automated tests for tenant isolation.
The merchant dashboard is accessed via Shopify authentication, which supports MFA.

Application & supply-chain security

Secure SDLC: SAST, software composition analysis (SCA), and secrets detection in CI/CD; peer code review; and branch protection on production repositories.
Continuous automated dependency vulnerability scanning, plus a minimum-package-age policy to reduce exposure to compromised releases.
Production and development environments are fully isolated, and production data is never used in non-production environments.
Merchants enforcing a Content-Security-Policy should allow *.alia-prod.com.

Vulnerability management & penetration testing

Vulnerability remediation targets: Critical 3 days, High 30 days, Medium 60 days, Low 90 days.
No Critical or High findings deploy to production without an approved exception.
Independent third-party penetration testing is performed at least annually; the most recent test (conducted by Packetlabs in January 2026) found no significant findings.

Logging & monitoring

Infrastructure changes are recorded in cloud audit logs (retained at least 1 year).
Security events are monitored with alerting to key personnel.
Alia maintains version history of merchant configuration and assets, including who made each change.

Incident response & breach notification

Alia maintains a documented incident response plan that is tested annually.
Affected merchants are notified within 24 hours of Alia becoming aware of a personal-data breach; where Alia is the controller, the relevant supervisory authority is notified within 72 hours (GDPR Article 33).
Alia has had no incidents resulting in loss or unauthorized exposure of customer data in the last 3 years.

Business continuity & disaster recovery

Daily, automated, encrypted backups to a separate US region.
Recovery point objective (RPO) of approximately 1 day; recovery time objective (RTO) under 24 hours.
Business continuity and disaster recovery plans are tested at least annually.

Network & physical security

Default deny-all network posture; WAF on web-facing applications (via Cloudflare); IDS/IPS; firewall rulesets reviewed annually.
Alia owns no physical data centers; data-center physical security is handled by Google Cloud Platform.

Vendor & risk management

Third-party vendors are risk-tiered, and vendor compliance (SOC 2 / ISO / PCI attestations) is reviewed at least annually.
A formal risk-assessment process maintains a risk register reviewed at least annually.

Personnel security

Criminal background checks are performed on candidates.
Employees are bound by confidentiality/non-disclosure terms and acknowledge a Code of Conduct.
All personnel complete security awareness training at onboarding and annually.

AI & use of data

Alia does not train generative/LLM models on customer data, and does not train any model on customer contact PII (names, emails, phone numbers).
AI copy generation uses Google Gemini via Vertex AI within Google Cloud (our existing infrastructure provider, not a separate vendor) by prompting only; prompt content is not used to train Alia models.
Optimization features (Prism and Smart Testing) use classical statistics over aggregated behavioral data.
The one exception is Smart Offers, a feature a merchant explicitly enables (off by default, and obvious when turned on), which uses predictive models fit on that merchant’s de-identified visitor behavioral data (not contact PII).

Compliance

SOC 2: actively pursuing, with a target of Q3 2026; the security program is aligned to SOC 2.
CCPA and GDPR: practices aligned; not ISO 27001 certified.
PCI: out of scope (Alia does not handle payment-card data).
Shopify: the app holds Level 2 Protected Customer Data approval and implements Shopify’s required GDPR webhooks.

Contact

Questions or requests: help@alialearn.com.