Aloha is an indie project. There's no SOC 2 badge to show and no compliance team to forward your questionnaire to. Here's what actually happens to your data — encryption, hosting, third parties, and how to reach me if something breaks.
Encryption: TLS 1.3 in transit, AES-256 at rest, using cloud-managed keys.
Certifications: none yet. Indie project, no SOC 2 or ISO 27001; we'll say so when that changes.
Hosting: AWS, US (us-east-1). Standard Contractual Clauses (SCCs) cover EU/UK transfers.
Access: MFA plus an audit log. Just one operator today, so least privilege is trivial to enforce.
Honest about the gaps
If a vendor questionnaire requires any of the below, Aloha probably isn't the right fit today. We'd rather say so up front.
No formal certifications
No SOC 2, ISO 27001, HIPAA, or PCI attestation. We follow the practices these frameworks describe, but there's no auditor's letter to send you.
Single-region hosting
Everything runs in AWS us-east-1. We don't offer EU-resident data today; if that's a hard requirement for your organisation, we aren't the right tool yet.
No 24/7 on-call rotation
It's one person. Incident response is best-effort and transparent — we tell you what happened and when, without pretending there's a war room.
No bounty programme
We'll thank good-faith security researchers publicly and won't pursue legal action — but there's no paid bounty on offer today.
Subprocessors
If this list changes materially, the privacy policy's "last updated" date moves and the change is noted on the changelog.
Data transfers
Your data lives in AWS us-east-1. For customers in the EU and UK, the transfer is covered by Standard Contractual Clauses and the UK IDTA — linked from the DPA.