Privacy & security
The anonymity is the product.
Employees are only honest with us because they know you can never see them as individuals. Everything below exists to protect that — and to make the signal you do get genuinely trustworthy.
The employer sees nothing about an individual
All reporting is aggregated and anonymised, with a minimum cohort of ten enforced in the product. No team smaller than ten is ever reportable. You see trends and risk by team — never a named person's sessions, answers or score.
Consent is granular and revocable
Employees choose what they share, and can withdraw it at any time. What someone shares with Aha stays with Aha — we are not working for the company against its people.
Clinical confidentiality is absolute
Therapy sessions and their content are never shared with the employer in any form, identified or otherwise. Clinicians follow the same confidentiality and duty-of-care standards as any registered practice.
Your data lives in India
Hosted in AWS Mumbai, end-to-end encrypted (TLS 1.3 in transit, AES-256 at rest), and handled under the Digital Personal Data Protection Act, 2023.
Certifications & controls
Enterprise-grade, quietly.
The standards your security team will ask about, already in place. Full certificates and our SOC 2 Type II report are available on request, under NDA. We share them when you ask, not before.
ISO 27001 & SOC 2 Type II
Independently audited information security. Full reports available on request, under NDA.
DPDP Act 2023
Built for India's data-protection law — granular, revocable consent.
End-to-end encrypted, in India
End-to-end encrypted (TLS 1.3 in transit, AES-256 at rest), hosted in AWS Mumbai.
Cohort-of-10 anonymity
No individual is ever visible to an employer. Ever.
Send us your security questionnaire.
We'll turn it around fast — and walk your team through our controls on a call.