Security & Trust
Last updated: June 2, 2026
Security isn't an afterthought at Aya — it's built in. Aya is built to the SOC 2 Trust Services Criteria and our internal Kwata Security Standard, and is aligned with PIPEDA and Alberta PIPA. Your data is encrypted, stored outside US jurisdiction, and never sold. A formal third-party SOC 2 attestation and ISO 27001 certification are on our roadmap. For security questions or to report an issue, contact security@kwatateam.com.
Frameworks we align with
We use precise language about where we stand — what we are built to and aligned with, and what is on our roadmap versus held today. SOC 2 is an independent attestation and ISO 27001 a certification; we will say we hold them only once we do.
- SOC 2 Trust Services Criteria — built to (aligned)
- PIPEDA (Canadian federal privacy law) — aligned
- Alberta PIPA (provincial privacy law) — aligned
- CASL — consent and unsubscribe in every email
- OWASP Top 10 — secure-coding practices
- SOC 2 Type II attestation — on our roadmap
- ISO/IEC 27001 — on our roadmap
How we protect your data
- Encryption everywhere. Encryption at rest and TLS 1.2+/1.3 for all data in transit.
- Least-privilege access. Role-based access controls, secure authentication (Better Auth, optional Google OAuth), and signed sessions.
- Network isolation. Segmented internal services with no direct database exposure.
- Monitoring & backups. Continuous monitoring, automated backups, and an incident-response and breach-notification process.
- Secure by design. Input validation, protections against common web vulnerabilities (OWASP Top 10), security headers (HSTS and more), and a build pipeline that blocks unverified releases.
Where your data lives, and how AI is handled
Your application data is processed and stored on infrastructure we operate outside US jurisdiction. Our hosting provider is a non-US company, so your data is not subject to the US CLOUD Act, FISA, or the USA PATRIOT Act. Static assets are cached by a global edge CDN; your resume, applications, and account data are never cached at the edge — they are always delivered fresh from origin.
Aya uses AI providers (such as Anthropic) to power resume analysis, document generation, and the career assistant. Only the content needed to fulfil a request you initiate is sent, under each provider's data-processing terms; we do not use your data to train AI models, and we never sell your data. Full details — including our subprocessors and retention periods — are in our Privacy Policy.
What we don't do
- We do not sell your personal information — ever.
- We do not use your data to train AI models.
- We do not share data with advertising networks or data brokers (our analytics are self-hosted).
On our roadmap
- A formal SOC 2 Type II attestation through an accredited auditor.
- ISO/IEC 27001 certification.
- Continuous, automated monitoring of our public security posture across every Kwata product.
Report a vulnerability
If you believe you've found a security issue, email security@kwatateam.com. We investigate every report, will acknowledge yours promptly, and ask for a reasonable window to remediate before any public disclosure.