← Back to Home

Security

AlgoCracked is built so that teams can practice, assess, and hire with confidence. Below is an honest summary of the controls the platform implements today. We describe only what the product actually does.

Status: AlgoCracked is not yet SOC 2 certified. See our Trust Center for our compliance roadmap and posture.

Enterprise SSO (SAML 2.0)

Require single sign-on through your own identity provider via Google Cloud Identity Platform. Users are provisioned into your organization just-in-time on first login, seat-checked automatically.

SCIM 2.0 provisioning

Automate user onboarding and offboarding. Deactivating a user in your IdP deprovisions their seat. Per-organization tokens are stored only as SHA-256 hashes and shown once.

Role-based access control

Four roles — owner, admin, manager, and member. Every mutating request is authorized server-side; the client is never trusted. Billing, SSO, and SCIM are restricted to owners and admins.

Tenant isolation

Organization data has no direct browser access. It is served only through server-mediated Admin-SDK routes scoped to your organization, and the client-facing database rules default-deny.

Immutable audit logs

Security-relevant actions — membership and role changes, invites, seat purchases, SSO/SCIM configuration — write to an append-only log that cannot be edited or deleted, readable by your admins.

Encryption

TLS for all data in transit and encryption at rest through the underlying Google Cloud infrastructure. We never store full payment-card numbers — card processing is delegated to our payment providers.

Sandboxed code execution

User-submitted code runs in a sandboxed third-party execution environment, never on our application servers. Grading runs server-side against hidden test sets.

Server-authoritative billing

All pricing and seat math is computed server-side; client-sent prices are rejected. Webhooks validate metadata and fulfill idempotently, and seat allocation is transactional to prevent oversubscription.

Sub-processors & data protection

We rely on a small set of infrastructure, payment, communication, code-execution, and AI providers. We maintain a sub-processor inventory and commit to notifying customers of changes. Processing of personal data on behalf of enterprise customers is governed by our Data Processing Addendum. See the Trust Center for these documents.

Reporting a vulnerability

If you believe you have found a security issue, please email security@algocracked.com. We appreciate responsible disclosure and will respond as quickly as we can.

Security review for your team?

We are happy to complete security questionnaires and walk your team through our architecture, SSO/SCIM setup, and data handling.

Last updated: July 2026