
Security

How Aloha secures your data. We're an indie project — no SOC 2, no compliance team. Here's what actually happens.

Last updated · April 16, 2026

In plain English

Customer data is encrypted in transit (TLS 1.3) and at rest (AES-256 via AWS KMS). Access to production is limited to the founder, logged, and protected with MFA.

We don't hold SOC 2, ISO 27001, HIPAA, or PCI certifications today. If that's a requirement, Aloha isn't the right fit yet.

Report vulnerabilities to security@usealoha.app. If an incident affects your data, we'll tell you within 72 hours of becoming aware.

Who runs this

Aloha is operated by a single person in Bengaluru, India. There is no security team to forward your questionnaire to — the founder handles every request personally. That keeps the chain short, and keeps the commitments below truthful.

Infrastructure

Aloha runs on Amazon Web Services in us-east-1 (N. Virginia). Services deploy across multiple availability zones. Automated encrypted database snapshots run hourly; point-in-time recovery is available for the last 30 days.

Edge routing and DDoS protection are provided by Cloudflare, which terminates TLS 1.3 at the edge.

We don't offer EU-resident hosting today. For EU/UK customers, data transfers are covered by Standard Contractual Clauses and the UK IDTA — see the DPA.

Encryption

In transit. All external traffic is served over TLS 1.3. TLS 1.1 and below are disabled. HSTS is enabled with preload.

At rest. Managed databases and object storage use AES-256 encryption via AWS KMS.

Secrets. Platform secrets (OAuth tokens, webhook keys) are encrypted with a key rotated on a periodic schedule. Tokens for the social networks you connect are encrypted per-workspace, so a single compromised record can't unlock another customer's connections.

Access controls

Production access is restricted to the founder. Every access path requires MFA, and administrative sessions are logged.

No Aloha operator accesses Customer Data unless required to support a specific ticket you've filed or to investigate a security incident. That access is logged and available on request.

Application security

  • Dependency scanning. Dependabot runs on every PR; critical CVEs are patched as soon as a fix is available.
  • Secret scanning. Pushes containing secrets are blocked at the source host.
  • Code review. All changes to authentication, billing, and customer-data paths go through a self-review checklist before deploy.

We do not run an external third-party penetration test today. If that becomes a blocker for your vendor review, we'd rather say so than pretend otherwise.

Business continuity

  • Backups. Hourly database snapshots, daily full backups retained in a separate AWS account.
  • Availability. Best-effort. A live status page is coming soon. If something breaks, we'll post about it publicly and email affected workspaces.

Compliance

  • No formal certifications. No SOC 2, no ISO 27001, no HIPAA, no PCI DSS. We follow the practices those frameworks describe; there is no attestation letter to send you.
  • GDPR / UK GDPR. A standard DPA is available for signing. Transfers out of the EU/UK rely on Standard Contractual Clauses and the UK IDTA.
  • CCPA. Covered by the privacy policy.

Subprocessors

Current subprocessor list

| Subprocessor | Purpose | Region |
| --- | --- | --- |
| Amazon Web Services | Hosting, storage, compute | US |
| Cloudflare | CDN, DDoS protection, image processing | Global edge |
| Vercel | Application hosting, edge runtime | Global edge |
| Stripe / Polar | Payment processing | US, EU |
| Postmark | Transactional email | US |
| Upstash (QStash) | Scheduled job delivery | US |
| AI inference providers | Third-party model inference powering Muse and voice features; specific providers named in the DPA | US, EU |

Material changes to this list are noted on the changelog and reflected in the privacy policy's "last updated" date.

Vulnerability disclosure

If you find a vulnerability, please report it privately to security@usealoha.app.

What we promise:

  • We'll acknowledge receipt within 72 hours.
  • We won't pursue legal action against good-faith research that stays within our scope and respects user data.
  • We'll credit you publicly with your permission.

We don't run a paid bounty programme today.

Out of scope: social engineering, denial-of-service attacks, physical access attempts, and vulnerabilities in third-party services we don't control.

Incident response

If a security incident affects Customer Data, we'll notify affected customers within 72 hours of awareness, per the DPA. Notifications include what we know, what we don't yet know, and what we're doing about it.

Contact

  • Security questions and vulnerability reports. security@usealoha.app
  • Privacy and data requests. privacy@usealoha.app
  • Anything else. hello@usealoha.app

© 2026 Aloha, Inc. Made with uncomfortable amounts of coffee and care in India.
