Data Alchemy — Software IDP con AI
Back to blog
SecurityLoginMasterIAMZero TrustGDPRSSO

Security and authentication in Data Alchemy: why we chose LoginMaster

Data Alchemy · July 9, 2026 · 5 min read

Data Alchemy is usually talked about for its ease of use: you drop in a document, the AI understands it, and the data lands in your ERP within three seconds. But there's one thing that comes before all of that, and it rarely makes it into a demo: who gets in, and how.

The documents you trust us with — invoices, delivery notes, orders, contracts — are among a company's most sensitive data. That's why Data Alchemy's authentication isn't a module we hastily wrote ourselves, but a specialized service: LoginMaster, a European Identity and Access Management (IAM) platform.

Authentication is not convenience — it's security

In an Intelligent Document Processing (IDP) platform, access is the front door to everything: if that falls, it doesn't matter how accurate the AI model behind it is. A home-grown authentication system is almost always the weak link — poorly handled passwords, optional and forgotten 2FA, administrators who can reset other people's credentials, user data scattered everywhere.

Delegating identity to a specialized IAM platform means one thing: access security stops being an implementation detail and becomes a product, with its own threat model, audits and compliance.

What LoginMaster is

LoginMaster is an Italian IAM platform built for European organizations. It handles identity, authentication and access control for business applications, positioning itself as a European alternative to solutions such as Auth0, Okta or Azure AD.

Its defining trait is the Tenant-Cloud architecture: personal data never leaves the customer's Tenant. The cloud layer works exclusively on encrypted and pseudonymized data. As LoginMaster puts it, "not even the provider can access your users' data" — it's a technical impossibility, not merely a company policy.

A dedicated tenant for every client

Every Data Alchemy client gets its own tenant, with real cryptographic isolation:

  • >Unique cryptographic keys for each tenant, generated at creation time
  • >No shared or derived keys between tenants
  • >Compromising one tenant means zero impact on the others

This isn't a logical separation at the database level — it's a cryptographic one: different keys at each layer of the flow, so that compromising one never exposes the rest.

SSO with Microsoft Entra ID and Google Workspace

Thanks to LoginMaster, Data Alchemy supports Single Sign-On (SSO) with the two most widespread enterprise identity providers:

  • >Microsoft Entra ID (formerly Azure AD)
  • >Google Workspace

Enterprise users from Entra and Google Workspace are paired with native Data Alchemy users. In practice: people sign in with the corporate credentials they already use every day, with no separate passwords to distribute, rotate or forget. The convenience is there — but it's a consequence of the security model, not a trade-off against it.

Zero Trust: "never trust, always verify"

LoginMaster follows a Zero Trust model, summed up in one principle: no user, device or service is trusted by default. It rests on three pillars:

  1. >Explicit verification — every access is authenticated and authorized based on the user's identity and the project's policies, with MFA and dual-signature tokens at every layer of the flow.
  2. >Least privilege — each user gets only the permissions they need, with separation by tenant and by project.
  3. >Assume breach — incidents are assumed to happen: cryptographic isolation and access tracking contain their impact.

The dual-signature token deserves a note: it is "signed by both the Tenant and the Cloud". Neither party alone can issue a valid token.

Two-factor authentication, under the user's control

TOTP-based 2FA (compatible with apps like Google Authenticator) is configurable per project in three modes: disabled, optional or mandatory.

But one detail says a lot about the product's philosophy: no admin can reset a password, change an email address or disable 2FA on behalf of another user. Only the user themselves can perform those operations. It's an inconvenient choice for administrators and an excellent one for security: it eliminates, at the root, the simplest and most effective attack of all — social engineering the help desk.

Compliance and data sovereignty

LoginMaster builds its compliance on three stated frameworks: GDPR, NIS2 and ISO 27001. Because personal data stays on the customer's Tenant, GDPR compliance is by design, not an afterthought bolted on later. And because the infrastructure is European, it avoids the jurisdictional complications typical of providers subject to the US Cloud Act.

It's the same principle that guides us — if the topic interests you, we cover it at length in our article on why to choose a European IDP and data sovereignty.

In summary

AspectHow Data Alchemy handles it
Identity and accessDelegated to LoginMaster, a European IAM platform
Enterprise loginSSO with Microsoft Entra ID and Google Workspace
UsersEntra and Google Workspace users paired with native users
IsolationDedicated tenant per client, with unique cryptographic keys
Security modelZero Trust, dual-signature tokens (Tenant + Cloud)
Second factorTOTP, configurable per project; no admin-side resets
Personal dataNever leaves the customer's Tenant
ComplianceGDPR, NIS2, ISO 27001; European infrastructure

Easy and secure

Data Alchemy's promise is that document processing becomes invisible: no data entry, no templates, no waiting. But before a company can trust a piece of software with its invoices and contracts, convenience alone is not enough.

That's why we chose not to improvise on identity, and to rely on people who do security and IAM for a living. The result is an IDP that is as fast to use as it is rigorous about who gets in, from where, and with which permissions.


Want to see Data Alchemy on your own documents, with your own tenant and corporate SSO? Book a free demo. And if you're looking for a European IAM platform for your applications, take a look at LoginMaster.

Want to automate your company's documents?

Book a demo
LoginMaster: secure authentication | Data Alchemy