Customer trust and data security are central to everything we do at Aidah.

The major security features

Product Security

Web Application Security

Additional Security Features

Product Security


Login Security

Aidah supports user authentication, user permission levels and activity trails to define the level of security within the application. Each user logs in with a unique username and password and receives a specific authorization and permission level, as controlled by the account administrator. Password complexity can be customized to fit your organization's environment. Authentication takes place over HTTPS, and passwords are stored in an encrypted database.


Infrastructure Security

Aidah's network, infrastructure and architecture have multiple protection layers that ensure the highest levels of security and control, which include:


Access Control

All customer data is considered highly sensitive and protected, and access follows the principle of least privilege. All servers within our network are protected by Access Control Lists (ACLs) that prevent unauthorized requests from reaching our internal network.
Strict firewall rules restrict access to vulnerable ports to ensure secure and limited access to the production environment.


Development, Patch and Configuration Management

All changes to the production system, be they code or system configuration changes, require review prior to deployment to the production environment.
All system changes are peer reviewed and patches are deployed as relevant to their level of security and stability impact, with critical patches able to be deployed well within 24 hours of availability as appropriate.


Network Security

Aidah uses firewall services for monitoring and alerting on abnormal behavior or system configuration changes.
All communications with the outside world pass through access-list enabled routers. Only HTTP and HTTPS protocols are allowed into or out of Aidah's service network.


Logical security

Aidah enforces strict privacy controls to ensure data privacy and prevent one customer from accessing another customer's data. Customer data is logically protected and segregated in a way that ensures only authorized entities are able to access it. Access control mechanisms have been implemented to support this goal.
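The two controls described above, per-user permission levels with an activity trail (under Login Security) and logical segregation of one customer's data from another's (this section), are easiest to reason about when they sit in a single access layer that every read and write passes through. The following is an added example and not Aidah's code; the roles, tenants, record shape and trail format are constructed assumptions. It shows the tenant check taking precedence over role (an administrator of one customer still cannot see another customer's transcripts), the owning tenant being taken from the authenticated user rather than from the request, and a lookup that returns the same denial for "missing" and "belongs to another tenant" so that the store does not leak which ids exist elsewhere.

```python
"""Added example (not Aidah's code): one access layer that enforces
per-user permission levels and per-customer (tenant) data segregation,
and records every decision in an activity trail. Roles, tenants and
records below are constructed assumptions."""
from dataclasses import dataclass, field
from enum import IntEnum


class Role(IntEnum):
    VIEWER = 1   # may read transcripts of their own tenant
    AGENT = 2    # may also create transcripts
    ADMIN = 3    # may also delete transcripts


@dataclass(frozen=True)
class User:
    username: str
    tenant_id: str   # the customer this user belongs to
    role: Role


@dataclass
class Transcript:
    tenant_id: str
    transcript_id: str
    text: str


class AccessDenied(PermissionError):
    """Raised for both insufficient role and cross-tenant access."""


@dataclass
class TranscriptStore:
    # Records are keyed by (tenant_id, transcript_id): a lookup is always
    # scoped to the caller's own tenant, so other tenants' data is unreachable.
    _records: dict = field(default_factory=dict)
    trail: list = field(default_factory=list)   # (user, tenant, action, target, decision)

    def _record(self, user, action, target, allowed):
        self.trail.append((user.username, user.tenant_id, action, target,
                           "allow" if allowed else "deny"))

    def _require_role(self, user, action, target, min_role):
        if user.role < min_role:
            self._record(user, action, target, False)
            raise AccessDenied(f"{user.username}: {action} requires {min_role.name}")

    def put(self, user, transcript_id, text):
        self._require_role(user, "put", transcript_id, Role.AGENT)
        # Owning tenant comes from the authenticated user, never from the request.
        self._records[(user.tenant_id, transcript_id)] = Transcript(
            user.tenant_id, transcript_id, text)
        self._record(user, "put", transcript_id, True)

    def get(self, user, transcript_id):
        self._require_role(user, "get", transcript_id, Role.VIEWER)
        record = self._records.get((user.tenant_id, transcript_id))
        if record is None:
            # Same outcome whether the id does not exist or belongs to another
            # tenant: the caller learns nothing about other customers' data.
            self._record(user, "get", transcript_id, False)
            raise AccessDenied(f"{user.username}: {transcript_id} not found in tenant")
        self._record(user, "get", transcript_id, True)
        return record.text

    def delete(self, user, transcript_id):
        self._require_role(user, "delete", transcript_id, Role.ADMIN)
        if self._records.pop((user.tenant_id, transcript_id), None) is None:
            self._record(user, "delete", transcript_id, False)
            raise AccessDenied(f"{user.username}: {transcript_id} not found in tenant")
        self._record(user, "delete", transcript_id, True)

    def list_ids(self, user):
        """Ids visible to this user: only those of the user's own tenant."""
        self._require_role(user, "list", "*", Role.VIEWER)
        self._record(user, "list", "*", True)
        return sorted(tid for (tenant, tid) in self._records if tenant == user.tenant_id)

    def denials(self):
        return [entry for entry in self.trail if entry[4] == "deny"]
```

The activity trail is kept as a list here; in a deployment it would go to an append-only log, and the denials are the entries worth alerting on, since a run of cross-tenant or over-privileged requests from one account is the signal that an account or integration is misbehaving.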

Web Application Security

The main service that Aidah protects is live chat. All visitors tagged with the Aidah tracking code, and the chat sessions between chat agents and visitors, are monitored.
The Application Service Provider (ASP) and Software as a Service (SaaS) models provide maximum flexibility for the broadest swath of potential customers worldwide.
Data transferred to and from the web applications is secured with a web application firewall.
Chat sessions are fully encrypted with 256-bit encryption.
Restricted redirection: the web domain has been designed to prevent customers from being redirected to malicious domains.
IP restrictions: a predefined list of IPs can be blocked to prevent unauthorized users.


Data and Encryption Policies



Data Collection

As an Application Service Provider, unless configured otherwise, Aidah collects information such as chat and messaging transcripts and browsing-related information on behalf of the brand.
Automatic information such as web browser and usage information, IP address, operating system, browser type, page view tallies, page browsing information and type of device used is also collected.
Personal information such as name and contact information, surveys, and transcripts with Aidah is collected when you visit our website or use our apps.


Encryption In-transit

Aidah's end-to-end encryption ensures that only the communicating users can read what is sent, and nobody in between, not even Aidah. Messages are secured with a lock, and only the recipient and sender have the special key needed to unlock and read the message.
The cryptographic keys used to encrypt and decrypt the messages are stored exclusively on the endpoints.


Encryption At-rest (Data within Aidah)

Aidah uses the Secure Hash Algorithm (SHA-2) for all password entries.
Aidah stores customers' sensitive data such as names, emails, phone numbers, remarks and chat transcripts in a MySQL database.
MySQL provides data-at-rest encryption by encrypting the physical files of the database. Data is encrypted automatically, in real time, before it is written to storage and decrypted when it is read from storage. As a result, attackers and malicious users are unable to read sensitive data from tablespace files, database backups or disks.
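The statement that SHA-2 is used for password entries says which hash family is involved but not how it is applied, and that distinction is what determines whether stored password entries survive a database leak. The following is an added example and not Aidah's code; it assumes the SHA-256 member of SHA-2 applied through PBKDF2-HMAC (from Python's standard library) with a per-user random salt and an iteration count, and it places a plain unsalted SHA-256 alongside it to show why the bare hash is not a password store: it is deterministic, so identical passwords produce identical entries and precomputed tables apply. The entry format and the iteration count are assumptions.

```python
"""Added example (not Aidah's code): applying SHA-2 to stored password
entries. Uses PBKDF2-HMAC-SHA256 with a random salt and a work factor;
the entry format 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'
and the iteration count are constructed assumptions."""
import hashlib
import hmac
import os

ITERATIONS = 600_000   # work factor; raise over time as hardware gets faster
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing entry for storage; never store the password."""
    salt = os.urandom(SALT_BYTES)   # fresh per entry, so equal passwords differ
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute under the stored salt and iterations; compare in constant time."""
    try:
        scheme, iterations_text, salt_hex, digest_hex = stored.split("$")
        if scheme != SCHEME:
            return False
        iterations = int(iterations_text)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False   # malformed entry: treat as a failed login, never as a crash
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when an entry was made under an older scheme or a lower work
    factor; call after a successful login and store hash_password() anew."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


def plain_sha256(password: str) -> str:
    """The construction a bare 'SHA-2 for passwords' must not mean: no salt,
    one iteration, so the same password always yields the same entry."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()
```

Verification takes the salt and iteration count from the stored entry rather than from configuration, so the work factor can be raised later without invalidating existing logins; entries made under the old value are detected by `needs_rehash` and replaced the next time the user authenticates successfully.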


Encryption Keys

Aidah has adopted a centralized key management solution based on Azure Key Vault, which enforces clear separation of keys from the encrypted data. The encryption, key management and decryption process is inspected and verified internally by Aidah.
The Key Management Service is compliant with current standards such as NIST and FIPS.

Datacenter

Aidah treats security as a top priority when dealing with customers' data. We strive to implement robust and flexible security processes and practices to keep your data safe. Whether it is a client logging in or a visitor starting a chat, the data exchanged is encrypted in transit and at rest. Aidah implements a multi-layered approach to support its people, process and technology security requirements.


Secure and trusted service providers

Aidah services are hosted in advanced data centers operated by a recognized industry leader, Microsoft Azure. Aidah selected this vendor based on its proven leadership in hosting services for high-capacity businesses. Our vendor adheres to the highest industry standards of quality, security and reliability. Their commitment enables Aidah to deliver 24-hour service, 365 days a year, to our customers.


Security

Azure meets a broad set of international as well as regional and industry-specific compliance standards, such as ISO 27001/27002:2013, FedRAMP, SOC 1 and SOC 2, CSA, FIPS 140-2, HIPAA, ISO/IEC 27018, PCI-DSS and UK G-Cloud.


Business Continuity and Data Backup

Azure ensures that the customers can balance the need to store backups at multiple locations in case of a disaster with the need to keep their data out of certain geographies. Microsoft provides clear data maps and geographic boundary information for all datacenters.


Physical and Environmental Security

Azure runs in geographically distributed Microsoft facilities, sharing space and utilities with other Microsoft Online Services. Each facility is designed to run 24x7x365 and employs various measures to help protect operations from power failure, physical intrusion, and network outages. These datacenters comply with industry standards (such as ISO 27001) for physical security and availability. They are managed, monitored, and administered by Microsoft operations personnel.


Security Awareness and Confidentiality

Security awareness and customer data access policies are covered during employee onboarding as appropriate to the role, and employees are updated as relevant policies or practices change. Employees also sign a Confidential Information and Intellectual Property Agreement.
In the event that a security policy is breached by an employee, Aidah reserves the right to determine the appropriate response, which may include termination.


Vetting

All employees undergo an extensive interview process before hiring. Employees with direct access to the production environment undergo a criminal background check. Other employees may undergo a check depending on their role (academic for legal roles, credit for finance, etc).


Incidents and Response

Aidah has implemented a formal procedure to deal with security events and has made staff aware of our policies.
When security events are detected they are escalated to the respective response team; the response time to address the event is 2 hours. We notify the supervisory authority of a personal data breach within 72 hours of becoming aware of the breach.

Regulatory Compliance

Aidah has adopted industry-best security practices to meet regulatory and security compliance requirements.

SOC2 TRUST AND SERVICE PRINCIPLES
Aidah is actively working on developing Policies and Procedures to meet the requirements for SOC2 Compliance.

Aidah Bug Researcher Program

AND IT’S NOT THE END

Because our customers' security is the number one priority, we work with security researchers from around the world to make our customers more secure. Security researchers play an integral role by discovering vulnerabilities in the software development process.

The Aidah Bug Researcher Program encourages researchers to report vulnerabilities they have discovered to our security and development team, and we reward researchers for submitting their findings. If you are a security researcher and have found a vulnerability in our service, please report it to

support@aidah.chat

Aidah is pleased to recognize the security researchers who have helped make Aidah safer by finding and reporting security vulnerabilities.