ISO/IEC 27001:2022
Active| Certificate Number | ISMS/262177/BG |
| Standard | ISO/IEC 27001:2022 |
| Issuing Body | CSB Ltd. |
| Valid From | 19 January 2026 |
| Valid Until | 18 January 2029 |
| Scope | Information Security Management System for the AhaPlay platform |
AhaPlay maintains ISO/IEC 27001:2022 certification (certificate number ISMS/262177/BG, issued by CSB Ltd., valid from 19 January 2026 to 18 January 2029) covering the Information Security Management System for the AhaPlay platform. The ISMS has been independently audited and certified by CSB Ltd. covering all aspects of platform development, operations, and data handling. A current certificate is available on request to security@ahaplay.com.
AhaPlay operates in compliance with the EU GDPR (Regulation 2016/679), the UK GDPR and Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). AhaPlay maintains EU data residency for customer data at rest, with all primary processing in AWS eu-central-1 (Frankfurt). Sub-processors (Section 9) maintain their own SOC 2 Type II, ISO 27001, or equivalent certifications, with copies available on request to enterprise Customer Organisations under applicable confidentiality undertakings.
| Framework | Status | Details |
|---|---|---|
| ISO 27001:2022 | ✅ Certified | ISMS/262177/BG — valid through Jan 2029 |
| EU GDPR | ✅ Compliant | Regulation 2016/679 — EU data residency |
| UK GDPR | ✅ Compliant | Data Protection Act 2018 |
| PECR | ✅ Compliant | Cookie consent, electronic communications |
| SOC 2 Type II | ✅ Via sub-processors | AWS and other sub-processors certified |
2. Data Processing Agreements
AhaPlay provides GDPR-compliant Data Processing Agreements (DPAs) to enterprise Customer Organisations. The AhaPlay DPA covers:
- Scope and purpose of personal data processing
- Sub-processor list and the 30-day advance notification procedure for material sub-processor changes (Section 9, and Section 10.6 of the Terms of Service)
- Technical and organisational security measures (TOMs) described in this Security Policy
- Data breach notification obligations under Articles 33 and 34 GDPR, including the 72-hour regulatory notification commitment
- Data deletion and return procedures upon termination
- Customer Organisation audit rights, including the right to receive applicable certifications, audit summaries, and security questionnaire responses on reasonable request
3. Infrastructure Security
AhaPlay is built on AWS infrastructure with all customer data at rest stored in AWS eu-central-1 (Frankfurt, Germany). The primary infrastructure components are:
| Component | Service | Purpose |
|---|---|---|
| Application compute | AWS ECS Fargate | Containerised platform workloads |
| Relational database | AWS RDS (PostgreSQL) | Primary data store, encrypted |
| File storage | AWS S3 | Encrypted object storage |
| Content delivery | AWS CloudFront | Static assets only — no personal data cached at edge |
| DNS | AWS Route 53 | Managed DNS |
| Monitoring & logging | AWS CloudWatch | Metrics, logs, alerts |
| Key management | AWS KMS | Cryptographic key custody and rotation |
| Secrets management | AWS Secrets Manager | Production secrets and API credentials |
| In-memory caching | Self-hosted KeyDB on AWS | Low-latency caching |
All AWS services used are within the eu-central-1 region for primary processing, with cross-region replication to a secondary EU region for disaster recovery purposes.
Environment Separation
- Production, staging, and development environments are fully isolated with separate AWS accounts or VPC boundaries
- Separate database credentials per environment
- Environment-specific deployment pipelines
- Production secrets managed exclusively via AWS Secrets Manager — never stored in source code repositories
- Deployment pipelines enforce environment-specific configurations and prevent cross-environment secret leakage
4. Encryption
In Transit
- All external connections enforce TLS 1.2 minimum with TLS 1.3 preferred (HTTPS only, HSTS enabled)
- Certificate management automated via AWS Certificate Manager (ACM)
- API-to-database connections encrypted via TLS
- Internal service-to-service communication within the AWS VPC uses encrypted channels
At Rest
- All database storage encrypted using AES-256 via AWS RDS encryption with AWS KMS-managed keys
- File storage in AWS S3 uses server-side encryption (SSE) with AWS KMS-managed keys
- Backup volumes encrypted with AES-256 using separate AWS KMS keys from production data
- User passwords hashed using BCrypt (cost factor 10 or higher) and never stored in plain text
Key Management
- All encryption keys managed via AWS KMS with automated key rotation per AWS schedules
- API secrets, third-party tokens, and operational credentials stored in AWS Secrets Manager with access restricted by IAM policy
- Encryption keys for backup data kept separate from production-data keys
5. Network Security
- Web Application Firewall via AWS WAF configured with OWASP rule sets
- DDoS protection via AWS Shield Standard (included with AWS services), augmented by AWS WAF rate-limiting rules
- Rate limiting enforced on all API endpoints, both per-user and per-endpoint
- IP allowlisting available for enterprise Customer Organisations on request
- The production database (AWS RDS) is not publicly accessible and is reachable only from within the AWS VPC private subnets
- Internal administrative access requires a self-hosted WireGuard VPN on EC2 with cryptographic key authentication, restricted to authorised AhaPlay personnel
- Real-time traffic anomaly detection and alerting via AWS CloudWatch with automated alert routing to the on-call security team
6. Backups & Disaster Recovery
| Measure | Detail |
|---|---|
| Backup method | AWS RDS automated snapshots with point-in-time recovery |
| Backup frequency | Daily automated backups |
| Backup retention | 30 days rolling |
| Backup encryption | AES-256 with AWS KMS keys separate from production |
| Backup location | Cross-AZ within eu-central-1, plus cross-region replication to a secondary EU region for DR |
| RTO (Recovery Time) | < 4 hours |
| RPO (Recovery Point) | < 1 hour |
| DR testing | Annual disaster recovery drills, documented and incorporated into the ISMS continuous improvement cycle |
7. Application Security
Authentication & Access Control
- Email and password authentication with BCrypt password hashing
- Magic-link (passwordless) authentication
- SAML 2.0 single sign-on for enterprise Customer Organisations
- Multi-factor authentication (MFA) required for administrative access and available for all User Accounts
- Role-based access control (RBAC) enforced at both application and database layers, with roles including Platform Administrator, Workspace Administrator, Facilitator, Programme Member, and Participant
- Session tokens use JSON Web Tokens (JWT) with configurable expiry and immediate revocability
- Administrative impersonation of User Accounts is logged in immutable audit trails, with notification to the affected Workspace Administrator where reasonably practicable (Privacy Policy §5.3, Terms of Service §10.9)
Secure Development
- Peer code review through the pull request model for all code changes
- Continuous automated dependency vulnerability scanning via Dependabot and npm audit equivalents
- Static code analysis integrated into the CI/CD pipeline
- OWASP Top 10 mitigation as a baseline requirement for all production code
- Annual third-party penetration testing, with summary reports available to enterprise Customer Organisations on request under confidentiality
- Responsible disclosure programme for security researchers (Section 12)
API Security
- Row-Level Security (RLS) enforced at the database layer to ensure tenant isolation between Workspaces
- Input validation and sanitisation applied at all API endpoints
- CORS policies restrict cross-origin requests
- Per-user and per-endpoint rate limiting prevents abuse
- Request logging and anomaly detection route alerts to the security team via AWS CloudWatch
8. AI Security
AI Provider Agreements
| Provider | Use Case | Data Retention | Training on Data |
|---|---|---|---|
| OpenAI | Programme generation, AI-assisted chat & support | Zero retention (Enterprise API) | ❌ Contractually prohibited |
| Anthropic | Programme generation, AI-assisted chat & support | Zero retention (Enterprise API) | ❌ Contractually prohibited |
| LangSmith (LangChain) | AI execution tracing & quality monitoring (anonymised) | Up to 90 days, anonymised | ❌ Never |
AI Data Handling
- AI conversation data retained for 7 days after the conversation ends, then auto-deleted (Privacy Policy §3.7)
- Uploaded documents (e.g. PDFs) processed in memory by the AI provider; AhaPlay-side copies deleted after 7 days
- No User Account identifiers, email addresses, or account credentials are sent to AI providers — only content the user types into AI-assisted features (goals, team context, uploaded documents, organisation name)
- AI outputs reviewed and filtered before display in the Platform
- Prompt injection mitigation controls in place and continuously updated
9. Sub-Processors
AhaPlay engages the following sub-processors to deliver the Platform. All are bound by Data Processing Agreements complying with Article 28 GDPR:
| Sub-Processor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Amazon Web Services (AWS) | Compute (ECS Fargate), database (RDS), storage (S3), CDN (CloudFront), DNS (Route 53), monitoring (CloudWatch), key management (KMS), secrets (Secrets Manager) | EU — eu-central-1 (Frankfurt) | Intra-EU — no transfer mechanism required |
| SendGrid (Twilio) | Transactional email delivery | US | Twilio DPA + SCCs |
| Sentry | Error monitoring & crash reporting | US | SCCs |
| LangSmith (LangChain) | AI execution tracing & quality monitoring (anonymised) | US | SCCs |
| OpenAI | AI language model processing | US | OpenAI DPA + SCCs (zero retention) |
| Anthropic | AI language model processing | US | Anthropic DPA + SCCs (zero retention) |
| Jitsi / 8×8 (JaaS) | Video conferencing infrastructure | US / Cloud | SCCs |
| Hotjar (Contentsquare) | Heatmap & session-replay analytics (platform-only, consent-gated) | EU (Malta) | Intra-EU |
| Synthesia | AI video generation | UK | UK Adequacy Decision |
| Tavily | Web search for AI features | US | SCCs |
| Google Cloud / Google Workspace | Google Calendar integration & Pub/Sub | EU / US | Google DPA + SCCs |
10. Data Protection & Retention
GDPR Rights
AhaPlay supports all data subject rights under GDPR Articles 15–22 in accordance with the AhaPlay Privacy Policy. Data subject requests can be exercised via privacy@ahaplay.com or through in-platform account privacy settings.
| Right | How to Exercise |
|---|---|
| Access (Art. 15) | Request a copy of your data via privacy@ahaplay.com |
| Rectification (Art. 16) | Update your profile or contact us |
| Erasure (Art. 17) | Delete account in settings or email us |
| Restrict Processing (Art. 18) | Contact privacy@ahaplay.com |
| Data Portability (Art. 20) | Request machine-readable export |
| Object (Art. 21) | Contact privacy@ahaplay.com |
| Withdraw Consent (Art. 7) | Manage preferences in account settings |
Retention Schedule
The complete and authoritative retention schedule is set out in Section 7 of the Privacy Policy. Key retention periods include:
| Data Type | Retention Period |
|---|---|
| User Account profile data | Duration of active User Account + 2 years after closure (dispute resolution) |
| Session activity data | 3 years from Session date, then anonymised or deleted |
| AI conversation data | 7 days from conversation end (automatic deletion) |
| AI Programme results | 1 year from creation |
| AI execution traces (LangSmith) | 90 days maximum |
| Audit logs (Platform activity) | 1 year, then anonymised |
| Application logs (CloudWatch) | 90 days |
| Error reports (Sentry) | 90 days |
| Access logs (ALB & CloudFront) | 90 days (lifecycle policy) |
| Email delivery records (SendGrid) | 90 days |
| Support communications | Duration of active User Account + 2 years after closure |
| Backups | 90 days after deletion from production, encrypted and geographically separated within the EU |
11. Operational Security
Incident Response
- Documented Incident Response Plan aligned with ISO/IEC 27001 and incorporated into the ISMS
- Severity classification (Critical / High / Medium / Low) with corresponding response procedures and escalation paths
- Target initial response times for Customer-reported incidents set out in Section 2.4 of the Service Level Agreement (SLA)
- Notification of the competent supervisory authority within 72 hours for confirmed personal data breaches likely to result in a risk to individuals' rights and freedoms (GDPR Art. 33), with notification to affected Customer Organisations and individuals where required (Art. 34)
- Post-incident review and root cause analysis (RCA) for each incident, with lessons learned integrated into the ISMS continuous improvement cycle
Monitoring & Logging
- 24/7 uptime monitoring with automated alerting via AWS CloudWatch
- Application performance monitoring (APM) covering response times, error rates, and resource utilisation
- Security event logging with SIEM-ready log export
- Immutable audit trails for administrative actions, including User Account impersonation
- Anomaly detection on authentication events and API usage patterns
- Audit trails of AhaPlay personnel access to Customer Workspaces, available to the applicable Customer Organisation on reasonable request (Terms of Service §10.9)
Business Continuity
- Documented Business Continuity Plan (BCP) covering critical Platform functions
- Multi-region failover capability across AWS regions in the European Union
- BCP reviewed annually and tested through annual disaster recovery drills
- 99.9% monthly availability commitment for paid subscriptions, with measurement methodology, response targets, service credits, and exclusions set out in the applicable Service Level Agreement (SLA)
People Security
- Background checks for employees with access to production systems or customer data, subject to applicable Bulgarian and EU employment law
- Security awareness training for all staff at onboarding and annually thereafter
- Principle of least privilege enforced across all systems, with access granted on a need-to-know basis
- Quarterly access reviews
- Confidentiality agreements binding all team members and contractors covering customer data, security information, and AhaPlay's intellectual property
12. Responsible Disclosure
AhaPlay welcomes security research conducted in good faith. If you discover a security vulnerability in the Platform, please report it to security@ahaplay.com.
- Acknowledgement of vulnerability reports within 24 hours
- Resolution timeline provided within 5 business days
- No legal action against security researchers who act in good faith, comply with applicable law, do not exfiltrate or destroy data beyond what is reasonably necessary to demonstrate the vulnerability, and provide AhaPlay a reasonable opportunity to remediate before public disclosure
13. Enterprise Documentation & Audit
Upon reasonable request and subject to applicable confidentiality undertakings, AhaPlay makes available to enterprise Customer Organisations:
- A current ISO/IEC 27001 certificate
- Applicable surveillance audit summaries
- A security overview document describing technical and organisational measures
- Responses to standardised security questionnaires (such as SIG, CAIQ, or equivalent)
AhaPlay is not obligated to permit on-site audits by Customer Organisations, but may accommodate reasonable security questionnaires and documentation requests consistent with industry standards.
14. Contact
For security questions, vulnerability reports, or compliance documentation requests:
Security Team
security@ahaplay.com
Incident reports, vulnerability disclosures, compliance queries
Privacy Contact
privacy@ahaplay.com
Data subject requests, DPA inquiries, GDPR questions
Postal correspondence: AhaPlay Bulgaria VCC, Attn: Security Team, 5 Rozova Dolina Street, Floor 4, Lozenets District, Sofia 1421, Bulgaria.
This Security Policy describes AhaPlay's technical, organisational, and operational security measures and is reviewed periodically and updated as required.
Version 1.0 — 1 February 2025
Version 2.0 — 2 May 2026
© AhaPlay 2026. All rights reserved.
AhaPlay Bulgaria VCC · UIC 208270875 · 5 Rozova Dolina Street, Floor 4, Lozenets District, Sofia 1421, Bulgaria · security@ahaplay.com
Version 2.0 · 2 May 2026 · Governed by the laws of the Republic of Bulgaria
Disputes: Courts of Sofia, Bulgaria | Mediation: Bulgarian Chamber of Commerce and Industry (BCCI)
