Security Policy

At AhaSlides, our users’ privacy and online security are our top priorities. We’ve taken all the necessary steps to ensure that your data (presentation content, attachments, personal information, participants’ response data, et al.) is kept safe at all times.

AhaSlides Pte Ltd, Unique Entity Number: 202009760N, is hereinafter referred to as “we”, “us”, “our” or “AhaSlides”. “You” shall be interpreted as the person or entity who has signed up for an Account to use our Services or the persons who use our Services as a member of an Audience.

Access Control

All user data stored in AhaSlides is protected in accordance with our obligations in the AhaSlides Terms of Service, and access to such data by Authorised Personnel is based on the principle of least privilege. Only Authorised Personnel have direct access to AhaSlides’ production systems. Those who do have direct access to production systems are only permitted to view user data stored in AhaSlides in the aggregate, for troubleshooting purposes or as otherwise permitted in AhaSlides’ Privacy Policy.

AhaSlides maintains a list of Authorised Personnel with access to the production environment. These members undergo criminal background checks and are approved by AhaSlides’ Management. AhaSlides also maintains a list of personnel who are permitted to access AhaSlides code, as well as the development and staging environments. These lists are reviewed quarterly and upon role change.

Trained members of the AhaSlides’ Customer Success team also have case-specific, limited access to user data stored in AhaSlides through restricted access to customer support tools. Customer support team members are not authorised to review non-public user data stored in AhaSlides for customer support purposes without explicit permission from AhaSlides’ Engineering Management.

Upon role change or leaving the company, the production credentials of Authorised Personnel are deactivated, and their sessions are forcibly logged out. Thereafter, all such accounts are removed or changed.

Data Security

AhaSlides production services, user content, and data backups are hosted on the Amazon Web Services platform (“AWS”). The physical servers are located in AWS’s data centres at two AWS regions:

As of this date, AWS (i) has certifications for compliance with ISO/IEC 27001:2013, 27017:2015 and 27018:2014, (ii) is certified as a PCI DSS 3.2 Level 1 Service Provider, and (iii) undergoes SOC 1, SOC 2 and SOC 3 audits (with semi-annual reports). Additional details about AWS’ compliance programs, including FedRAMP compliance and GDPR compliance, can be found on AWS’ website.

We do not offer customers the option of hosting AhaSlides on a private server, or to otherwise use AhaSlides on a separate infrastructure.

In the future, if we move our production services and user data, or any part of them, to a different country or a different cloud platform, we will give written notice to all of our signed-up users 30 days in advance.

Security measures are taken to protect you and your data both for data at rest and data in transit.

Data at rest

User data is stored on Amazon RDS, where data drives on servers use full-disk, industry-standard AES encryption with a unique encryption key for each server. File attachments to AhaSlides presentations are stored in the Amazon S3 service. Each such attachment is assigned a unique link with an unguessable, cryptographically strong random component, and is only accessible over a secure HTTPS connection. Additional details on Amazon RDS Security can be found here. Additional details on Amazon S3 Security can be found here.

Data in transit

AhaSlides uses industry-standard Transport Layer Security (“TLS”) to create a secure connection using 128-bit Advanced Encryption Standard (“AES”) encryption. This covers all data sent between the web clients (including the landing website, the Presenter web app, the Audience web app, and internal administrative tools) and the AhaSlides servers. There is no non-TLS option for connecting to AhaSlides. All connections are made securely over HTTPS.

Backups and Data Loss Prevention

Data is backed up continuously and we have an automatic failover system if the main system fails. We receive powerful and automatic protection through our database provider at Amazon RDS. Additional details on Amazon RDS Backup and Restore commitments can be found here.

User Password

We hash and salt passwords using the PBKDF2 (with SHA512) algorithm so that they cannot be recovered or misused in the event of a breach. AhaSlides can never see your password, and you can self-reset it by email. A user session time-out is implemented, meaning that a logged-in user is automatically logged out if they are not active on the platform.

Payment Details

We use PCI-compliant payment processors Stripe and PayPal for encrypting and processing credit/debit card payments. We never see or handle credit/debit card information.

Security Incidents

We have in place and will maintain appropriate technical and organisational measures to protect personal data as well as other data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and against all other unlawful forms of processing (a “Security Incident”).

We have an incident management process to detect and handle Security Incidents, which shall be reported to the Chief Technology Officer as soon as they are detected. This applies to AhaSlides employees and all processors that handle personal data. All Security Incidents are documented and evaluated internally, and an action plan, including mitigating actions, is made for each individual incident.

Security Revision Schedule

This section shows how often AhaSlides conducts security revisions and the different types of tests it runs.

Activity | Frequency
--- | ---
Staff security training | At beginning of employment
Revoke system, hardware and document access | At end of employment
Ensure access levels for all systems and employees are correct and based on the principle of least privilege | Once a year
Ensure all critical system libraries are up-to-date | Continuously
Unit and integration tests | Continuously
External penetration tests | Once a year

Physical Security

Some parts of our offices share buildings with other companies. For that reason, all entrances to our offices are locked 24/7 and we require mandatory employee and visitor check-in at the door using a Smart Key Security System with a live QR Code. Additionally, visitors must check in with our front desk and be escorted throughout the building at all times. CCTV covers entry and exit points 24/7, with logs made available to us internally.

AhaSlides’ production services are hosted on the Amazon Web Services platform (“AWS”). The physical servers are located in AWS’ secure data centres, as stated in the “Data Security” section above.

Have a question for us?

Get in touch. Email us at hi@ahaslides.com.