Sahha takes privacy and security of user data very seriously. We are committed to being a secure partner for your business. Please read our FAQ and contact us with any further questions you may have.
Where data is hosted?
Sahha uses AWS (Amazon Web Services) to store user data. AWS has multiple geographic storage locations. Currently, we choose to store all data in the
us-east-1 datacenter (North Virginia, USA).
If your business has requirements for data to be hosted in a particular geographic location (e.g: if specific data must be stored in AU), please contact us so we can coordinate with you.
How is data collected?
User data is passively collected via our Sahha SDK which lives inside of your mobile app. Apple and Google require users to consent to personal data being collected. This permission flow includes informing them of what data is collected, why it is needed, and how it will be used. We can assist you with the wording and design of these permission screens.
- Always inform your users of why you are asking for permission to capture sensor data.
- Encourage your users provide as much data as they feel comfortable with data permissions. The models perform better when more data is available for them to interpret.
What security processes do you have in place to protect the data i.e. are going penetration testing?
- The bulk of our profile data is stored in s3 and encrypted using SSE-S3.
- Each object is encrypted with a unique key and as an additional safeguard, this key is itself encrypted with a master key that is regularly rotated.
- Access to the s3 bucket is protected by restrictive IAM roles and access policies that prevent unauthorised access or exposure.
- All our services and databases sit within a VPC with the only public access through whitelisted IP addresses into a VPN with login or through the AWS console with logins and 2fa. This is the same for our testing and development cloud environments.
- Our API accesses our database with a limited permission user and only has access to the necessary tables / schemas to achieve it’s tasks.
- All writing of data to s3 is handled through an event bus so the API has no direct access to the buckets.
What are your data governance practices?
- We do not collect personally identifiable information such as name, address, email, or phone number.
- Our customers pass us an external id for each user, which we connect to an internal id for data handling.
- We do not have any direct associate with end users, therefore even in the case of a data breach it would be difficult for bad actors to identify our customers’ users.
Who are your customers that operate in a regulated environment?
- We have worked with Haleon (UK), Habit Health (NZ) and Shmoody (US).
- Each national jurisdiction has variances in data privacy laws.
- Sahha runs on AWS and Azure which offers us the resourcing and support required to easily transition between different regulatory environments.
In case of a data breach, Sahha has a breach response procedure in place to quickly minimize any potential negative outcomes.