Security & Responsible Disclosure
Last updated: 29 June 2026 · Operated by VirtuVault Technologies EOOD
Security is foundational to Alpha Monnaies. This page describes the technical safeguards we apply to this website and the process for reporting a security issue to us. It covers the public website; the security posture of the Alpha Monnaies platform is described to clients under NDA during onboarding.
Our security posture
Alpha Monnaies follows OWASP best-practice guidance for public-facing web applications:
- HTTPS-only — enforced via HSTS with a 2-year max-age, includeSubDomains, and preload eligibility.
- Strict CSP — first-party scripts and styles only, plus narrowly allowlisted Google Fonts; no third-party advertising or analytics.
- Clickjacking protection — X-Frame-Options: DENY plus CSP frame-ancestors 'none'.
- MIME-sniff blocking — X-Content-Type-Options: nosniff.
- Permissions hardening — camera, microphone, geolocation, payment, and USB APIs denied by default via Permissions-Policy.
- Cross-origin isolation — Cross-Origin-Opener-Policy: same-origin and Cross-Origin-Resource-Policy: same-origin against Spectre-class attacks.
- Email authentication — outbound mail from alphamonnaies.io is signed with DKIM and aligned via SPF and DMARC, in line with current major-provider sender requirements.
- No third-party trackers — no analytics, no behavioural tracking, no fingerprinting.
- No personal data in client storage — localStorage is used only for your theme and language preferences.
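The response-header items in the list above can be verified mechanically, for example in a deployment check. The following Python code is an added example, not Alpha Monnaies' own code; the audit function, the finding strings and the SAMPLE header set (including its CSP value) are constructed for illustration.

```python
TWO_YEARS = 2 * 365 * 24 * 3600  # 63072000 seconds
DENIED_FEATURES = ("camera", "microphone", "geolocation", "payment", "usb")

# Constructed sample response headers, not captured from the real site.
SAMPLE = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; font-src https://fonts.gstatic.com; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=(), usb=()",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
}

def audit(headers):
    """Return a list of deviations from the header policy listed above."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    # HSTS: max-age of at least two years, includeSubDomains and preload.
    hsts = [d.strip().lower() for d in h.get("strict-transport-security", "").split(";")]
    age = next((d.split("=", 1)[1].strip('"') for d in hsts if d.startswith("max-age=")), "")
    if not age.isdigit() or int(age) < TWO_YEARS:
        findings.append("hsts: max-age below two years")
    for flag in ("includesubdomains", "preload"):
        if flag not in hsts:
            findings.append(f"hsts: missing {flag}")

    # Clickjacking: both the legacy header and the CSP directive must deny framing.
    csp = {}
    for d in h.get("content-security-policy", "").split(";"):
        name, *sources = d.split() or [""]
        csp[name.lower()] = sources
    if h.get("x-frame-options", "").upper() != "DENY":
        findings.append("x-frame-options: not DENY")
    if csp.get("frame-ancestors") != ["'none'"]:
        findings.append("csp: frame-ancestors is not 'none'")

    # Exact-match headers.
    for name, want in (("x-content-type-options", "nosniff"),
                       ("cross-origin-opener-policy", "same-origin"),
                       ("cross-origin-resource-policy", "same-origin")):
        if h.get(name, "").lower() != want:
            findings.append(f"{name}: expected {want}")

    # Permissions-Policy: an empty allowlist "()" denies the feature everywhere.
    pp = dict(p.strip().split("=", 1) for p in h.get("permissions-policy", "").split(",") if "=" in p)
    findings += [f"permissions-policy: {f} not denied" for f in DENIED_FEATURES if pp.get(f, "").strip() != "()"]
    return findings
```

Calling audit() on a dict of response headers returns an empty list when every item holds, so it can gate a release pipeline.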
Platform roadmap
Alpha Monnaies operates as a developer-layer technology provider, integrating Tier 1 banking and payment-institution partners through cascading, redundant connectivity. Production payment, remittance, account, and card services are delivered together with licensed partners, and Alpha Monnaies pursues an information-security programme aligned to ISO 27001 and SOC 2 Type II control objectives. The applicable regulatory frameworks include the European EMI / PI regime supervised in Bulgaria by the BNB and across the EU under PSD2, the Swiss framework supervised by FINMA, and the United Arab Emirates frameworks of the CBUAE and, where relevant, VARA. Regulated activities are carried out by Alpha Monnaies and/or its licensed partners under the licences applicable in each market.
Responsible disclosure
Found a security issue? Please report it privately to security@alphamonnaies.io. We will not pursue legal action against good-faith researchers who follow this policy.
What's in scope
- alphamonnaies.io and any subdomain we operate (currently the apex only).
- Email addresses on the alphamonnaies.io domain.
What's out of scope
- Findings that require physical access to a user's device or social engineering of staff.
- Denial-of-service attacks or volumetric load tests of any kind.
- Issues in third-party services we use (e.g., Netlify, Google Workspace) — please report those directly to the relevant provider.
- Reports based purely on missing best-practice headers without a demonstrated impact.
- Spam, phishing, or social-engineering attempts impersonating Alpha Monnaies that originate outside our infrastructure (please report these to security@alphamonnaies.io for tracking, but they fall outside our remediation scope).
What to include in your report
- A clear, concise description of the issue and where it was found (URL, parameter, request).
- Steps to reproduce, with sample requests or a proof-of-concept where possible.
- Impact assessment from your perspective.
- Your name or handle if you would like to be credited; otherwise we will treat the report as anonymous.
Our commitments
- We aim to acknowledge receipt within 48 hours (Bulgaria/CET business days).
- We aim to provide an initial triage assessment within 5 business days.
- We will keep you reasonably informed of progress until the issue is resolved.
- We will publicly credit you, with your permission, once a fix is deployed.
Safe harbour
Provided that your testing is consistent with this policy, follows applicable law, and is limited to in-scope assets, VirtuVault Technologies EOOD will:
- Consider your activity authorised, notwithstanding Section 4 (Acceptable use) of the Terms & Conditions.
- Not bring or support a private legal action against you in connection with that testing.
- Work with you in good faith to understand and resolve the issue quickly.
Safe harbour does not apply to testing that violates third-party rights, accesses or copies third-party data, or causes service degradation.
Security contact
VirtuVault Technologies EOOD — Security Team
49A Bulgaria Blvd, fl. 1, Triaditsa, Sofia 1404, Bulgaria
Email: security@alphamonnaies.io
Machine-readable: /.well-known/security.txt