Privacy & security
The anonymity is the product.
Employees are only honest with us because they know you can never see them as individuals. Everything below exists to protect that — and to make the signal you do get genuinely trustworthy.
The employer sees nothing about an individual
All reporting is aggregated and anonymised, with a minimum cohort of ten enforced in the product. No team smaller than ten is ever reportable. You see trends and risk by team — never a named person's sessions, answers or score.
Consent is granular and revocable
Employees choose what they share, and can withdraw it at any time. What someone shares with Aha stays with Aha — we are not working for the company against its people.
Clinical confidentiality is absolute
Therapy sessions and their content are never shared with the employer in any form, identified or otherwise. Clinicians follow the same confidentiality and duty-of-care standards as any registered practice.
Your data lives in India
Hosted in AWS Mumbai, encrypted in transit (TLS 1.3) and at rest (AES-256), and handled under the Digital Personal Data Protection Act, 2023.
Certifications & controls
Enterprise-grade, quietly.
The standards your security team will ask about — already in place.
ISO 27001 & SOC 2 Type II
Independently audited information security.
DPDP Act 2023
Built for India's data-protection law — granular, revocable consent.
Data residency in India
Encrypted at rest and in transit, hosted in AWS Mumbai.
Cohort-of-10 anonymity
No individual is ever visible to an employer. Ever.
Send us your security questionnaire.
We'll turn it around fast — and walk your team through our controls on a call.