Are you a trainer, consultant, or thought leader scaling your expertise beyond the room? → Explore AhaPlay for Creators

    Version 2.0 — 2 May 2026

    Security at AhaPlay

    Your data. Protected at every layer.
    Version 2.0 · 2 May 2026

    ISO 27001:2022 Certified
    EU Data Residency
    GDPR Compliant

    ISO/IEC 27001:2022

    Active
    Certificate Number
    ISMS/262177/BG
    Standard
    ISO/IEC 27001:2022
    Issuing Body
    CSB Ltd.
    Valid From
    19 January 2026
    Valid Until
    18 January 2029
    Scope
    Information Security Management System for the AhaPlay platform
    Download Certificate
    ✅ Certified: AhaPlay's Information Security Management System (ISMS) has been independently audited and certified to ISO/IEC 27001:2022 by CSB Ltd., covering all aspects of platform development, operations, and data handling.

    AhaPlay maintains ISO/IEC 27001:2022 certification (certificate number ISMS/262177/BG, issued by CSB Ltd., valid from 19 January 2026 to 18 January 2029) covering the Information Security Management System for the AhaPlay platform. The ISMS has been independently audited and certified by CSB Ltd. covering all aspects of platform development, operations, and data handling. A current certificate is available on request to security@ahaplay.com.

    AhaPlay operates in compliance with the EU GDPR (Regulation 2016/679), the UK GDPR and Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). AhaPlay maintains EU data residency for customer data at rest, with all primary processing in AWS eu-central-1 (Frankfurt). Sub-processors (Section 9) maintain their own SOC 2 Type II, ISO 27001, or equivalent certifications, with copies available on request to enterprise Customer Organisations under applicable confidentiality undertakings.

    Framework
    ISO 27001:2022
    Status
    ✅ Certified
    Details
    ISMS/262177/BG — valid through Jan 2029
    Framework
    EU GDPR
    Status
    ✅ Compliant
    Details
    Regulation 2016/679 — EU data residency
    Framework
    UK GDPR
    Status
    ✅ Compliant
    Details
    Data Protection Act 2018
    Framework
    PECR
    Status
    ✅ Compliant
    Details
    Cookie consent, electronic communications
    Framework
    SOC 2 Type II
    Status
    ✅ Via sub-processors
    Details
    AWS and other sub-processors certified

    2. Data Processing Agreements

    AhaPlay provides GDPR-compliant Data Processing Agreements (DPAs) to enterprise Customer Organisations. The AhaPlay DPA covers:

    • Scope and purpose of personal data processing
    • Sub-processor list and the 30-day advance notification procedure for material sub-processor changes (Section 9, and Section 10.6 of the Terms of Service)
    • Technical and organisational security measures (TOMs) described in this Security Policy
    • Data breach notification obligations under Articles 33 and 34 GDPR, including the 72-hour regulatory notification commitment
    • Data deletion and return procedures upon termination
    • Customer Organisation audit rights, including the right to receive applicable certifications, audit summaries, and security questionnaire responses on reasonable request

    3. Infrastructure Security

    AhaPlay is built on AWS infrastructure with all customer data at rest stored in AWS eu-central-1 (Frankfurt, Germany). The primary infrastructure components are:

    Component
    Application compute
    Service
    AWS ECS Fargate
    Purpose
    Containerised platform workloads
    Component
    Relational database
    Service
    AWS RDS (PostgreSQL)
    Purpose
    Primary data store, encrypted
    Component
    File storage
    Service
    AWS S3
    Purpose
    Encrypted object storage
    Component
    Content delivery
    Service
    AWS CloudFront
    Purpose
    Static assets only — no personal data cached at edge
    Component
    DNS
    Service
    AWS Route 53
    Purpose
    Managed DNS
    Component
    Monitoring & logging
    Service
    AWS CloudWatch
    Purpose
    Metrics, logs, alerts
    Component
    Key management
    Service
    AWS KMS
    Purpose
    Cryptographic key custody and rotation
    Component
    Secrets management
    Service
    AWS Secrets Manager
    Purpose
    Production secrets and API credentials
    Component
    In-memory caching
    Service
    Self-hosted KeyDB on AWS
    Purpose
    Low-latency caching

    All AWS services used are within the eu-central-1 region for primary processing, with cross-region replication to a secondary EU region for disaster recovery purposes.

    ℹ️ EU Data Residency: All customer data at rest is stored in EU data centres (Frankfurt, Germany). Edge caching via CloudFront is limited to static assets only — no personal data is cached at the edge.

    Environment Separation

    • Production, staging, and development environments are fully isolated with separate AWS accounts or VPC boundaries
    • Separate database credentials per environment
    • Environment-specific deployment pipelines
    • Production secrets managed exclusively via AWS Secrets Manager — never stored in source code repositories
    • Deployment pipelines enforce environment-specific configurations and prevent cross-environment secret leakage

    4. Encryption

    In Transit

    • All external connections enforce TLS 1.2 minimum with TLS 1.3 preferred (HTTPS only, HSTS enabled)
    • Certificate management automated via AWS Certificate Manager (ACM)
    • API-to-database connections encrypted via TLS
    • Internal service-to-service communication within the AWS VPC uses encrypted channels

    At Rest

    • All database storage encrypted using AES-256 via AWS RDS encryption with AWS KMS-managed keys
    • File storage in AWS S3 uses server-side encryption (SSE) with AWS KMS-managed keys
    • Backup volumes encrypted with AES-256 using separate AWS KMS keys from production data
    • User passwords hashed using BCrypt (cost factor 10 or higher) and never stored in plain text

    Key Management

    • All encryption keys managed via AWS KMS with automated key rotation per AWS schedules
    • API secrets, third-party tokens, and operational credentials stored in AWS Secrets Manager with access restricted by IAM policy
    • Encryption keys for backup data kept separate from production-data keys

    5. Network Security

    • Web Application Firewall via AWS WAF configured with OWASP rule sets
    • DDoS protection via AWS Shield Standard (included with AWS services), augmented by AWS WAF rate-limiting rules
    • Rate limiting enforced on all API endpoints, both per-user and per-endpoint
    • IP allowlisting available for enterprise Customer Organisations on request
    • The production database (AWS RDS) is not publicly accessible and is reachable only from within the AWS VPC private subnets
    • Internal administrative access requires a self-hosted WireGuard VPN on EC2 with cryptographic key authentication, restricted to authorised AhaPlay personnel
    • Real-time traffic anomaly detection and alerting via AWS CloudWatch with automated alert routing to the on-call security team

    6. Backups & Disaster Recovery

    Measure
    Backup method
    Detail
    AWS RDS automated snapshots with point-in-time recovery
    Measure
    Backup frequency
    Detail
    Daily automated backups
    Measure
    Backup retention
    Detail
    30 days rolling
    Measure
    Backup encryption
    Detail
    AES-256 with AWS KMS keys separate from production
    Measure
    Backup location
    Detail
    Cross-AZ within eu-central-1, plus cross-region replication to a secondary EU region for DR
    Measure
    RTO (Recovery Time)
    Detail
    < 4 hours
    Measure
    RPO (Recovery Point)
    Detail
    < 1 hour
    Measure
    DR testing
    Detail
    Annual disaster recovery drills, documented and incorporated into the ISMS continuous improvement cycle

    7. Application Security

    Authentication & Access Control

    • Email and password authentication with BCrypt password hashing
    • Magic-link (passwordless) authentication
    • SAML 2.0 single sign-on for enterprise Customer Organisations
    • Multi-factor authentication (MFA) required for administrative access and available for all User Accounts
    • Role-based access control (RBAC) enforced at both application and database layers, with roles including Platform Administrator, Workspace Administrator, Facilitator, Programme Member, and Participant
    • Session tokens use JSON Web Tokens (JWT) with configurable expiry and immediate revocability
    • Administrative impersonation of User Accounts is logged in immutable audit trails, with notification to the affected Workspace Administrator where reasonably practicable (Privacy Policy §5.3, Terms of Service §10.9)

    Secure Development

    • Peer code review through the pull request model for all code changes
    • Continuous automated dependency vulnerability scanning via Dependabot and npm audit equivalents
    • Static code analysis integrated into the CI/CD pipeline
    • OWASP Top 10 mitigation as a baseline requirement for all production code
    • Annual third-party penetration testing, with summary reports available to enterprise Customer Organisations on request under confidentiality
    • Responsible disclosure programme for security researchers (Section 12)

    API Security

    • Row-Level Security (RLS) enforced at the database layer to ensure tenant isolation between Workspaces
    • Input validation and sanitisation applied at all API endpoints
    • CORS policies restrict cross-origin requests
    • Per-user and per-endpoint rate limiting prevents abuse
    • Request logging and anomaly detection route alerts to the security team via AWS CloudWatch

    8. AI Security

    🔒 Key commitment: AhaPlay does not use Customer Content in identifiable form to train, fine-tune, optimise, or develop AI or machine-learning systems without the express prior consent of the applicable Customer Organisation. Contractual safeguards with AI sub-processors prohibit use of submitted Customer Content for training their general-purpose models.

    AI Provider Agreements

    Provider
    OpenAI
    Use Case
    Programme generation, AI-assisted chat & support
    Data Retention
    Zero retention (Enterprise API)
    Training on Data
    ❌ Contractually prohibited
    Provider
    Anthropic
    Use Case
    Programme generation, AI-assisted chat & support
    Data Retention
    Zero retention (Enterprise API)
    Training on Data
    ❌ Contractually prohibited
    Provider
    LangSmith (LangChain)
    Use Case
    AI execution tracing & quality monitoring (anonymised)
    Data Retention
    Up to 90 days, anonymised
    Training on Data
    ❌ Never

    AI Data Handling

    • AI conversation data retained for 7 days after the conversation ends, then auto-deleted (Privacy Policy §3.7)
    • Uploaded documents (e.g. PDFs) processed in memory by the AI provider; AhaPlay-side copies deleted after 7 days
    • No User Account identifiers, email addresses, or account credentials are sent to AI providers — only content the user types into AI-assisted features (goals, team context, uploaded documents, organisation name)
    • AI outputs reviewed and filtered before display in the Platform
    • Prompt injection mitigation controls in place and continuously updated

    9. Sub-Processors

    AhaPlay engages the following sub-processors to deliver the Platform. All are bound by Data Processing Agreements complying with Article 28 GDPR:

    Sub-Processor
    Amazon Web Services (AWS)
    Purpose
    Compute (ECS Fargate), database (RDS), storage (S3), CDN (CloudFront), DNS (Route 53), monitoring (CloudWatch), key management (KMS), secrets (Secrets Manager)
    Location
    EU — eu-central-1 (Frankfurt)
    Transfer Mechanism
    Intra-EU — no transfer mechanism required
    Sub-Processor
    SendGrid (Twilio)
    Purpose
    Transactional email delivery
    Location
    US
    Transfer Mechanism
    Twilio DPA + SCCs
    Sub-Processor
    Sentry
    Purpose
    Error monitoring & crash reporting
    Location
    US
    Transfer Mechanism
    SCCs
    Sub-Processor
    LangSmith (LangChain)
    Purpose
    AI execution tracing & quality monitoring (anonymised)
    Location
    US
    Transfer Mechanism
    SCCs
    Sub-Processor
    OpenAI
    Purpose
    AI language model processing
    Location
    US
    Transfer Mechanism
    OpenAI DPA + SCCs (zero retention)
    Sub-Processor
    Anthropic
    Purpose
    AI language model processing
    Location
    US
    Transfer Mechanism
    Anthropic DPA + SCCs (zero retention)
    Sub-Processor
    Jitsi / 8×8 (JaaS)
    Purpose
    Video conferencing infrastructure
    Location
    US / Cloud
    Transfer Mechanism
    SCCs
    Sub-Processor
    Hotjar (Contentsquare)
    Purpose
    Heatmap & session-replay analytics (platform-only, consent-gated)
    Location
    EU (Malta)
    Transfer Mechanism
    Intra-EU
    Sub-Processor
    Synthesia
    Purpose
    AI video generation
    Location
    UK
    Transfer Mechanism
    UK Adequacy Decision
    Sub-Processor
    Tavily
    Purpose
    Web search for AI features
    Location
    US
    Transfer Mechanism
    SCCs
    Sub-Processor
    Google Cloud / Google Workspace
    Purpose
    Google Calendar integration & Pub/Sub
    Location
    EU / US
    Transfer Mechanism
    Google DPA + SCCs
    ℹ️ Sub-processor changes: Customer Organisations are notified at least 30 days before any material change to the sub-processor list (Terms of Service §10.6), with publication on the Platform, the Security Policy, the DPA, or a dedicated sub-processor page at ahaplay.com/sub-processors. Customer Organisations may object to a new or substituted sub-processor on reasonable grounds within the notice period; the parties will then cooperate in good faith to identify a mutually acceptable solution.

    10. Data Protection & Retention

    GDPR Rights

    AhaPlay supports all data subject rights under GDPR Articles 15–22 in accordance with the AhaPlay Privacy Policy. Data subject requests can be exercised via privacy@ahaplay.com or through in-platform account privacy settings.

    Right
    Access (Art. 15)
    How to Exercise
    Request a copy of your data via privacy@ahaplay.com
    Right
    Rectification (Art. 16)
    How to Exercise
    Update your profile or contact us
    Right
    Erasure (Art. 17)
    How to Exercise
    Delete account in settings or email us
    Right
    Restrict Processing (Art. 18)
    How to Exercise
    Contact privacy@ahaplay.com
    Right
    Data Portability (Art. 20)
    How to Exercise
    Request machine-readable export
    Right
    Object (Art. 21)
    How to Exercise
    Contact privacy@ahaplay.com
    Right
    Withdraw Consent (Art. 7)
    How to Exercise
    Manage preferences in account settings

    Retention Schedule

    The complete and authoritative retention schedule is set out in Section 7 of the Privacy Policy. Key retention periods include:

    Data Type
    User Account profile data
    Retention Period
    Duration of active User Account + 2 years after closure (dispute resolution)
    Data Type
    Session activity data
    Retention Period
    3 years from Session date, then anonymised or deleted
    Data Type
    AI conversation data
    Retention Period
    7 days from conversation end (automatic deletion)
    Data Type
    AI Programme results
    Retention Period
    1 year from creation
    Data Type
    AI execution traces (LangSmith)
    Retention Period
    90 days maximum
    Data Type
    Audit logs (Platform activity)
    Retention Period
    1 year, then anonymised
    Data Type
    Application logs (CloudWatch)
    Retention Period
    90 days
    Data Type
    Error reports (Sentry)
    Retention Period
    90 days
    Data Type
    Access logs (ALB & CloudFront)
    Retention Period
    90 days (lifecycle policy)
    Data Type
    Email delivery records (SendGrid)
    Retention Period
    90 days
    Data Type
    Support communications
    Retention Period
    Duration of active User Account + 2 years after closure
    Data Type
    Backups
    Retention Period
    90 days after deletion from production, encrypted and geographically separated within the EU
    ✅ Right to deletion: Workspace Administrators can delete User Accounts and Session data at any time through Platform administrative functionality. For full Workspace deletion, Customer Organisations should contact security@ahaplay.com. Production data is removed within 30 days of a deletion request; backup data is removed within 90 days through encrypted overwrite and lifecycle policy. AhaPlay applies commercially reasonable technical and organisational measures to reduce the likelihood of re-identification of anonymised or aggregated data.

    11. Operational Security

    Incident Response

    • Documented Incident Response Plan aligned with ISO/IEC 27001 and incorporated into the ISMS
    • Severity classification (Critical / High / Medium / Low) with corresponding response procedures and escalation paths
    • Target initial response times for Customer-reported incidents set out in Section 2.4 of the Service Level Agreement (SLA)
    • Notification of the competent supervisory authority within 72 hours for confirmed personal data breaches likely to result in a risk to individuals' rights and freedoms (GDPR Art. 33), with notification to affected Customer Organisations and individuals where required (Art. 34)
    • Post-incident review and root cause analysis (RCA) for each incident, with lessons learned integrated into the ISMS continuous improvement cycle

    Monitoring & Logging

    • 24/7 uptime monitoring with automated alerting via AWS CloudWatch
    • Application performance monitoring (APM) covering response times, error rates, and resource utilisation
    • Security event logging with SIEM-ready log export
    • Immutable audit trails for administrative actions, including User Account impersonation
    • Anomaly detection on authentication events and API usage patterns
    • Audit trails of AhaPlay personnel access to Customer Workspaces, available to the applicable Customer Organisation on reasonable request (Terms of Service §10.9)

    Business Continuity

    • Documented Business Continuity Plan (BCP) covering critical Platform functions
    • Multi-region failover capability across AWS regions in the European Union
    • BCP reviewed annually and tested through annual disaster recovery drills
    • 99.9% monthly availability commitment for paid subscriptions, with measurement methodology, response targets, service credits, and exclusions set out in the applicable Service Level Agreement (SLA)

    People Security

    • Background checks for employees with access to production systems or customer data, subject to applicable Bulgarian and EU employment law
    • Security awareness training for all staff at onboarding and annually thereafter
    • Principle of least privilege enforced across all systems, with access granted on a need-to-know basis
    • Quarterly access reviews
    • Confidentiality agreements binding all team members and contractors covering customer data, security information, and AhaPlay's intellectual property

    12. Responsible Disclosure

    AhaPlay welcomes security research conducted in good faith. If you discover a security vulnerability in the Platform, please report it to security@ahaplay.com.

    • Acknowledgement of vulnerability reports within 24 hours
    • Resolution timeline provided within 5 business days
    • No legal action against security researchers who act in good faith, comply with applicable law, do not exfiltrate or destroy data beyond what is reasonably necessary to demonstrate the vulnerability, and provide AhaPlay a reasonable opportunity to remediate before public disclosure
    🛡️ Safe harbour: Good-faith research that respects the conditions above will not be met with legal action. We appreciate the work of the security community.

    13. Enterprise Documentation & Audit

    Upon reasonable request and subject to applicable confidentiality undertakings, AhaPlay makes available to enterprise Customer Organisations:

    • A current ISO/IEC 27001 certificate
    • Applicable surveillance audit summaries
    • A security overview document describing technical and organisational measures
    • Responses to standardised security questionnaires (such as SIG, CAIQ, or equivalent)

    AhaPlay is not obligated to permit on-site audits by Customer Organisations, but may accommodate reasonable security questionnaires and documentation requests consistent with industry standards.


    14. Contact

    For security questions, vulnerability reports, or compliance documentation requests:

    Security Team

    security@ahaplay.com

    Incident reports, vulnerability disclosures, compliance queries

    Privacy Contact

    privacy@ahaplay.com

    Data subject requests, DPA inquiries, GDPR questions

    Postal correspondence: AhaPlay Bulgaria VCC, Attn: Security Team, 5 Rozova Dolina Street, Floor 4, Lozenets District, Sofia 1421, Bulgaria.

    This Security Policy describes AhaPlay's technical, organisational, and operational security measures and is reviewed periodically and updated as required.

    Version 1.0 — 1 February 2025

    Version 2.0 — 2 May 2026

    © AhaPlay 2026. All rights reserved.

    AhaPlay Bulgaria VCC · UIC 208270875 · 5 Rozova Dolina Street, Floor 4, Lozenets District, Sofia 1421, Bulgaria · security@ahaplay.com

    Version 2.0 · 2 May 2026 · Governed by the laws of the Republic of Bulgaria

    Disputes: Courts of Sofia, Bulgaria | Mediation: Bulgarian Chamber of Commerce and Industry (BCCI)