
Data Security

Last Updated: January 1, 2025

Introduction

Data security is foundational to Ayra's platform. We handle sensitive business data, customer conversations, and personal information, making robust security essential. This document details our comprehensive security measures, your security responsibilities, and best practices for protecting data.

Our security program is designed to:

  • Protect data confidentiality, integrity, and availability
  • Prevent unauthorized access and data breaches
  • Comply with industry standards and regulations
  • Maintain customer trust through transparency and accountability

1. Security Certifications and Compliance

1.1 SOC 2 Type II Compliance

Ayra maintains SOC 2 Type II certification, demonstrating our commitment to:

  • Security: Protection against unauthorized access
  • Availability: System uptime and performance
  • Processing Integrity: Accurate and timely processing
  • Confidentiality: Protection of confidential information

What This Means:

  • Independent auditors annually assess our security controls
  • We meet rigorous security standards
  • Our controls are operating effectively over time
  • Reports available to customers under NDA

1.2 GDPR Compliance

Our security measures support GDPR requirements:

  • Data encryption (Articles 32, 34)
  • Access controls and confidentiality
  • Ability to restore data availability
  • Regular testing of security measures
  • Incident response procedures

See our GDPR Compliance documentation for details.

1.3 HIPAA Compliance (Available for Applicable Customers)

For customers processing Protected Health Information (PHI):

Technical Safeguards

  • Encryption of PHI at rest and in transit
  • Access controls and authentication
  • Audit logging
  • Automatic logoff
  • Encryption key management

Administrative Safeguards

  • Business Associate Agreement (BAA)
  • Security training for staff
  • Risk assessments
  • Incident response procedures

Physical Safeguards

  • Secure data centers with controlled access
  • Environmental controls
  • Device and media controls

Availability: HIPAA-compliant configuration available on Business and Enterprise plans with signed BAA.

1.4 Other Compliance Frameworks

  • ISO 27001 (In Progress): We are pursuing ISO 27001 certification for Information Security Management.
  • PCI DSS: Payment processing through PCI DSS-compliant providers (Stripe).
  • State Privacy Laws: Compliance with CCPA, CPRA, and other U.S. state privacy laws.

2. Infrastructure Security

2.1 Cloud Infrastructure

Primary Cloud Providers:

  • Amazon Web Services (AWS)
  • Google Cloud Platform (GCP)

Why These Providers:

  • Industry-leading security
  • Multiple compliance certifications (SOC 2, ISO 27001, PCI DSS, HIPAA)
  • Global infrastructure with redundancy
  • Advanced security services

Data Center Security:

  • Physical security (guards, surveillance, access controls)
  • Environmental controls (power, cooling, fire suppression)
  • Network security and DDoS protection
  • Compliance certifications

2.2 Network Security

Perimeter Security:

  • Web Application Firewall (WAF) blocking malicious traffic
  • DDoS protection at multiple layers
  • Intrusion Detection and Prevention Systems (IDS/IPS)
  • Rate limiting and traffic throttling

Network Segmentation:

  • Separate networks for production, staging, and development
  • Database isolation from public internet
  • Jump boxes for administrative access
  • Zero-trust network architecture principles

Secure Communications:

  • All external communications use TLS 1.2+ (HTTPS)
  • Internal service-to-service encryption
  • VPN access for remote administration
  • Certificate management and rotation

2.3 Redundancy and High Availability

Geographic Distribution

  • Multiple availability zones
  • Cross-region replication for critical data
  • Automatic failover to healthy regions

Load Balancing

  • Distribute traffic across multiple servers
  • Health checks and automatic removal of unhealthy instances
  • Auto-scaling based on demand

Database Redundancy

  • Primary-replica configuration
  • Automated backups every 6 hours
  • Point-in-time recovery capability
  • Cross-region backup replication

Disaster Recovery

  • Recovery Time Objective (RTO): 4 hours
  • Recovery Point Objective (RPO): 6 hours
  • Regular disaster recovery drills
  • Documented recovery procedures

3. Data Encryption

3.1 Encryption in Transit

External Communications:

  • TLS 1.2+ for all web traffic (HTTPS)
  • Perfect Forward Secrecy (PFS)
  • Strong cipher suites only (no weak ciphers)
  • HSTS (HTTP Strict Transport Security) enforced

API Communications:

  • TLS 1.2+ required for all API calls
  • Certificate validation enforced
  • Mutual TLS (mTLS) available for Enterprise customers

Voice Communications:

  • Encrypted voice streams through providers (Vapi, Retell)
  • SRTP (Secure Real-time Transport Protocol) for voice
  • Signaling encryption

3.2 Encryption at Rest

Database Encryption:

  • AES-256 encryption for all databases
  • Transparent Data Encryption (TDE)
  • Encrypted backups
  • Encrypted snapshots

File Storage Encryption:

  • AES-256 for all stored files (recordings, documents)
  • Server-side encryption
  • Encrypted backups

Encryption Key Management:

  • AWS Key Management Service (KMS) or Google Cloud KMS
  • Automatic key rotation
  • Separation of key management from data storage
  • Hardware Security Modules (HSMs) for key storage

Encryption Scope:

All data at rest is encrypted, including voice recordings, conversation transcripts, customer data, configuration data, logs and audit trails, backups and archives.

4. Access Control

4.1 Authentication

Customer Authentication:

Strong password requirements:

  • Minimum 12 characters
  • Mix of uppercase, lowercase, numbers, symbols
  • No common passwords (checked against breach databases)

Passwords are hashed with bcrypt (salted). Accounts are locked after repeated failed login attempts, and a CAPTCHA is required after multiple failures.

Two-Factor Authentication (2FA):

Available to all customers (required for Enterprise). Support for:

  • Time-based One-Time Passwords (TOTP) via authenticator apps such as Google Authenticator or Authy
  • SMS codes
  • Email codes

Backup codes for account recovery.

4.2 Authorization

Role-Based Access Control (RBAC):

Customer Roles:

  • Owner: Full access, billing, account management
  • Admin: User management, configuration, all features
  • Manager: View and edit agents, conversations, analytics
  • Agent: View assigned conversations, limited editing
  • Viewer: Read-only access

Permission Scopes:

  • Agents (create, read, update, delete)
  • Conversations (read, delete, export)
  • Integrations (connect, configure, disconnect)
  • Billing (view, manage)
  • Users (invite, remove, change roles)
  • API Keys (create, revoke)

5. Application Security

5.1 Secure Development

Secure Coding Practices:

  • Code reviews for all changes
  • Static Application Security Testing (SAST)
  • Dynamic Application Security Testing (DAST)
  • Dependency scanning for vulnerable libraries
  • Security training for developers

Input Validation:

  • Validation of all user inputs
  • Parameterized queries (prevent SQL injection)
  • Output encoding (prevent XSS)
  • File upload restrictions
  • Size and rate limits

5.2 Security Testing

  • Weekly automated vulnerability scans
  • Quarterly penetration testing by third-party firms
  • Annual comprehensive security audit
  • Continuous automated security monitoring

Bug Bounty Program: We run a responsible disclosure program through which security researchers can report vulnerabilities, with rewards for valid security issues. Details are at ayra.ai/security.

6. Monitoring and Logging

6.1 Security Monitoring

24/7 Security Operations Center (SOC):

  • Real-time monitoring of security events
  • Automated threat detection
  • Incident response on-call rotation
  • Integration with threat intelligence feeds

What We Monitor:

  • Failed login attempts
  • Unusual access patterns
  • API rate limit violations
  • Data export activities
  • System configuration changes
  • Network traffic anomalies
  • Database query patterns
  • Error rates and system health

6.2 Audit Logging

What We Log:

  • Authentication events (login, logout, failed attempts)
  • Authorization decisions (access granted/denied)
  • Data access (who viewed what, when)
  • Data modifications (create, update, delete)
  • Administrative actions (user changes, configuration)
  • API calls (endpoint, user, timestamp, response)
  • System events (errors, warnings, critical events)

Log Characteristics:

  • Immutable (cannot be altered)
  • Timestamped with precise time
  • Include user identity and IP address
  • Retained for 1 year (longer for compliance)
  • Encrypted at rest and in transit
  • Backed up regularly
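
Two of the properties listed above, tamper-evident (immutable) records and monitoring of failed login attempts (section 6.1), can be shown together. The following Python is an added illustration, not Ayra's code: it hash-chains constructed audit events carrying the fields named above (event type, user identity, IP address, timestamp) so that any alteration or deletion is detectable, and runs a burst rule over them; the five-failures-in-five-minutes threshold is an assumed value, not one the page states.

```python
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not real data) with the page's fields: ts, event, user, ip.
SAMPLE_EVENTS = [
    {"ts": "2025-01-01T09:00:00Z", "event": "login_failed", "user": "alice", "ip": "203.0.113.5"},
    {"ts": "2025-01-01T09:00:20Z", "event": "login_failed", "user": "alice", "ip": "203.0.113.5"},
    {"ts": "2025-01-01T09:00:41Z", "event": "login_failed", "user": "alice", "ip": "203.0.113.5"},
    {"ts": "2025-01-01T09:01:05Z", "event": "login_failed", "user": "alice", "ip": "203.0.113.5"},
    {"ts": "2025-01-01T09:01:30Z", "event": "login_failed", "user": "alice", "ip": "203.0.113.5"},
    {"ts": "2025-01-01T09:02:00Z", "event": "login_ok", "user": "bob", "ip": "198.51.100.9"},
    {"ts": "2025-01-01T10:30:00Z", "event": "login_failed", "user": "bob", "ip": "198.51.100.9"},
]
GENESIS = "0" * 64  # stands in for the hash of the record before the first one

def _digest(prev_hash, body):
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()

def build_chain(events):
    """Append-only log: each record commits to the previous hash (tamper-evident)."""
    chain, prev = [], GENESIS
    for e in events:
        chain.append({"prev": prev, "body": dict(e), "hash": _digest(prev, e)})
        prev = chain[-1]["hash"]
    return chain

def verify_chain(chain):
    """Return the index of the first record that fails verification, or -1."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or _digest(prev, rec["body"]) != rec["hash"]:
            return i
        prev = rec["hash"]
    return -1

def failed_login_bursts(chain, threshold=5, window=timedelta(minutes=5)):
    """Flag (user, ip) pairs with >= threshold failed logins in a sliding window
    (threshold and window are assumed values, not ones the page states)."""
    recent, alerts = defaultdict(list), set()
    for rec in chain:
        e = rec["body"]
        if e["event"] != "login_failed":
            continue
        key = (e["user"], e["ip"])
        t = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        recent[key] = [x for x in recent[key] if t - x <= window] + [t]
        if len(recent[key]) >= threshold:
            alerts.add(key)
    return alerts
```

A chain like this only proves integrity if the latest hash is also anchored somewhere the log writer cannot modify (a separate store or a signed checkpoint); the verification alone shows where the chain was broken, not who broke it.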

7. Incident Response

7.1 Incident Response Plan

1. Preparation

  • Incident response team designated
  • Roles and responsibilities documented
  • Contact lists maintained
  • Tools and access prepared
  • Regular training and drills

2. Detection and Analysis

  • Monitoring systems detect an anomaly
  • Alert triaged by the on-call engineer
  • Severity assessed
  • Incident response team activated if needed

3. Containment

  • Immediate action to stop the incident
  • Short-term containment (isolate affected systems)
  • Long-term containment (temporary fixes)
  • Evidence preservation

4. Eradication

  • Root cause identification
  • Removal of the threat (malware, compromised accounts, vulnerabilities)
  • Verification of complete removal
  • Strengthening of defenses

5. Recovery

  • Restore systems to normal operation
  • Verify system integrity
  • Monitor for recurrence
  • Document recovery steps

6. Post-Incident Activity

  • Lessons-learned meeting
  • Incident report creation
  • Update procedures and controls
  • Implement preventative measures
  • Compliance notifications if required

7.3 Data Breach Response

If Personal Data is Breached:

Immediate Actions (0-24 hours):

  • Activate incident response team
  • Contain the breach
  • Assess scope and severity
  • Preserve evidence
  • Begin investigation

Short-Term Actions (24-72 hours):

  • Complete initial assessment
  • Notify affected customers (Data Controllers)
  • Provide details: what happened, when, which data was affected, the impact, and the remediation
  • Assist customers with their notification obligations
  • Notify supervisory authority if required (GDPR)

Long-Term Actions (72 hours+):

  • Complete investigation
  • Implement remediation measures
  • Conduct post-mortem
  • Update security controls
  • Monitor for recurrence

8. Data Backup and Recovery

8.1 Backup Strategy

Automated Backups:

  • Frequency: Every 6 hours
  • Retention: daily backups kept for 7 days, weekly backups for 4 weeks, monthly backups for 12 months
  • Scope: Complete databases, file storage, configurations
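
The retention schedule above, implemented as a grandfather-father-son pruning rule. This is an added example in Python, not Ayra's code, and it assumes one reading of the table: keep the newest backup of each of the last 7 calendar days, of each of the last 4 ISO weeks and of each of the last 12 months; the 6-hourly backup list it runs against is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample: one backup every 6 hours (the page's cadence) for 30 days,
# ending on the page's "last updated" date. Not real backup metadata.
NOW = datetime(2025, 1, 1, 0, 0)
SAMPLE_BACKUPS = [NOW - timedelta(hours=6 * k) for k in range(120)]

# Assumed reading of the retention table: keep the newest backup of each of the
# last 7 calendar days, of each of the last 4 ISO weeks and of each of the last
# 12 months (grandfather-father-son). Each tier is (count, bucket-key function).
RETENTION = {
    "daily": (7, lambda ts: (ts.year, ts.month, ts.day)),
    "weekly": (4, lambda ts: tuple(ts.isocalendar()[:2])),
    "monthly": (12, lambda ts: (ts.year, ts.month)),
}

def backups_to_keep(backups, policy=RETENTION):
    """Union over tiers of the newest backup in each of that tier's most
    recent `count` buckets; everything else is eligible for pruning."""
    keep = set()
    for count, bucket_of in policy.values():
        newest = {}  # bucket key -> newest backup timestamp in that bucket
        for ts in backups:
            b = bucket_of(ts)
            if b not in newest or ts > newest[b]:
                newest[b] = ts
        for b in sorted(newest, reverse=True)[:count]:
            keep.add(newest[b])
    return keep

def backups_to_delete(backups, policy=RETENTION):
    """Backups that no tier still wants, oldest first."""
    keep = backups_to_keep(backups, policy)
    return sorted(ts for ts in backups if ts not in keep)
```

Under this reading the intermediate 6-hourly copies from earlier days are pruned once a newer copy of the same day exists; if the intent is to keep every 6-hourly copy for some period, that is a fourth tier keyed on the backup timestamp itself.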

Geographic Redundancy:

  • Backups stored in multiple geographic regions
  • Cross-region replication
  • Protection against regional disasters

Backup Security:

  • Encrypted with AES-256
  • Separate encryption keys from production
  • Access restricted to authorized personnel
  • Integrity checks on all backups

8.2 Recovery Capabilities

Point-in-Time Recovery

  • Restore to any point within retention period
  • Granular recovery (specific tables, files)
  • Fast recovery (< 4 hours for full restore)

Disaster Recovery

  • Recovery Time Objective (RTO): 4 hours
  • Recovery Point Objective (RPO): 6 hours
  • Tested quarterly
  • Documented procedures

12. Your Security Responsibilities

12.1 Account Security

Protect Your Credentials:

  • Use strong, unique passwords
  • Never share passwords
  • Enable two-factor authentication
  • Use a password manager
  • Log out when done, especially on shared computers

Monitor Your Account:

  • Review activity logs regularly
  • Check for unauthorized access
  • Verify that the user list is current
  • Review integration connections
  • Monitor API key usage

Report Incidents:

  • Report suspected compromises immediately
  • Report phishing attempts
  • Report unusual activity
  • Contact security@ayra.ai for security issues

13. Security Best Practices

13.1 For All Customers

Enable Two-Factor Authentication (2FA)

Essential security layer. Enable immediately.

Use Strong Passwords

12+ characters, unique, complex. Use a password manager.

Review User Access Regularly

Remove departed employees, adjust permissions.

Monitor Activity Logs

Review regularly for suspicious activity.

Configure Appropriate Retention

Don't keep data longer than necessary.

Minimize Data Collection

Configure agents to collect only what you need.

15. Reporting Security Issues

15.1 Security Vulnerability Reports

How to Report:

Email: security@ayra.ai

What to Include:

  • Detailed description of vulnerability
  • Steps to reproduce
  • Potential impact
  • Your contact information

What to Expect:

  • Acknowledgment within 24 hours
  • Initial assessment within 72 hours
  • Regular updates on remediation
  • Credit in our security acknowledgments (if desired)
  • Bug bounty reward for qualifying vulnerabilities

Responsible Disclosure:

  • Do not publicly disclose the issue until we have resolved it
  • Do not access customer data beyond what is necessary to demonstrate the issue
  • Do not perform denial-of-service testing
  • Act in good faith

Security is a shared responsibility. Ayra provides robust security infrastructure and tools, but ultimately security depends on how you configure and use the platform. Follow best practices, stay informed about security updates, and contact us with any questions or concerns.

Together, we protect your data, your customers' data, and maintain the trust that makes our partnership possible.