Security & Trust
Last updated: June 2, 2026
Security isn't an afterthought at Aya — it's built in. Aya is built to the SOC 2 Trust Services Criteria and our internal Kwata Security Standard, and is aligned with PIPEDA, Alberta PIPA, and the GDPR. Your data is encrypted, hosted in the EU, and never sold. A formal third-party SOC 2 attestation and ISO 27001 certification are on our roadmap. For security questions, or to report an issue, email security@kwatateam.com.
Frameworks we align with
We use precise language about where we stand: what we are built to or aligned with today, and what is still on our roadmap. SOC 2 is an independent attestation and ISO 27001 a certification; we will say we hold them only once we do.
- SOC 2 Trust Services Criteria — built to (aligned)
- PIPEDA (Canadian federal privacy law) — aligned
- Alberta PIPA (provincial privacy law) — aligned
- GDPR (for users in the EEA) — aligned
- CASL (Canada's anti-spam legislation) — consent and an unsubscribe link in every email
- OWASP Top 10 — secure-coding practices
- SOC 2 Type II attestation — on our roadmap
- ISO/IEC 27001 — on our roadmap
How we protect your data
- Encryption everywhere. Data is encrypted at rest, and all data in transit uses TLS 1.2 or newer.
- Least-privilege access. Role-based access controls, secure authentication (Better Auth, optional Google OAuth), and signed sessions.
- Network isolation. Segmented internal services with no direct database exposure.
- Monitoring & backups. Continuous monitoring, automated backups, and an incident-response and breach-notification process.
- Secure by design. Input validation, protections against common web vulnerabilities (OWASP Top 10), security headers (HSTS and more), and a build pipeline that blocks unverified releases.
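The list above names HSTS among the security headers in place. The following is an added example, not Aya's or Kwata's own code, of how a practitioner would check a `Strict-Transport-Security` header value against a baseline rather than just confirming it is present. The baseline itself is an assumption (a `max-age` of at least one year, `includeSubDomains` set, `preload` only when its prerequisites hold); the sample header values are constructed, not captured from any site.

```python
"""Check a Strict-Transport-Security (HSTS) header value against a baseline.

Added example, not Aya's or Kwata's code. The baseline is an assumption:
max-age of at least one year, includeSubDomains present, and preload only
accepted when its prerequisites hold. Unknown directives are ignored as
RFC 6797 requires; a duplicated directive makes browsers ignore the header.
"""
from __future__ import annotations

from dataclasses import dataclass, field

ONE_YEAR = 31_536_000  # seconds; the browser preload list requires at least this


@dataclass
class HstsReport:
    max_age: int | None
    include_subdomains: bool
    preload: bool
    findings: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def parse_hsts(value: str) -> HstsReport:
    """Parse a header value; directives are ';'-separated and case-insensitive."""
    report = HstsReport(max_age=None, include_subdomains=False, preload=False)
    seen: set[str] = set()
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name in seen:
            report.findings.append(f"duplicate directive '{name}' (browsers must ignore the header)")
            continue
        seen.add(name)
        if name == "max-age":
            if not arg.isdigit():
                report.findings.append(f"max-age is not a non-negative integer: {arg!r}")
            else:
                report.max_age = int(arg)
        elif name == "includesubdomains":
            report.include_subdomains = True
        elif name == "preload":
            report.preload = True
        # any other directive is ignored, per RFC 6797 section 6.1
    return report


def check_hsts(value: str | None, served_over_https: bool = True) -> HstsReport:
    """Parse and evaluate; the report's findings are empty when the policy is sound."""
    if value is None:
        return HstsReport(None, False, False, ["no Strict-Transport-Security header"])
    report = parse_hsts(value)
    if not served_over_https:
        # RFC 6797: a UA ignores the header on a plain-HTTP response
        report.findings.append("header sent over plain HTTP is ignored by browsers")
    if report.max_age is None:
        if not any(f.startswith("max-age") for f in report.findings):
            report.findings.append("required max-age directive missing")
        return report
    if report.max_age == 0:
        report.findings.append("max-age=0 removes the host from the HSTS cache (disables HSTS)")
    elif report.max_age < ONE_YEAR:
        report.findings.append(f"max-age {report.max_age} is below one year ({ONE_YEAR})")
    if not report.include_subdomains:
        report.findings.append("includeSubDomains not set; subdomains stay reachable over HTTP")
    if report.preload and (report.max_age < ONE_YEAR or not report.include_subdomains):
        report.findings.append("preload requested without its prerequisites (>= 1 year, includeSubDomains)")
    return report


# Constructed sample header values (not captured from any real site)
SAMPLES = {
    "strong": "max-age=63072000; includeSubDomains; preload",
    "short-lived": "max-age=300; includeSubDomains",
    "disabled": "max-age=0",
    "duplicated": "max-age=63072000; max-age=0; includeSubDomains",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        report = check_hsts(header)
        print(f"{label:12} ok={report.ok} findings={report.findings}")
```

Two points the parser makes explicit: HSTS only protects a browser after it has already seen the header over HTTPS, which is the gap `preload` closes, and `max-age=0` is the documented way to switch HSTS off, so a monitor that only tests for the header's presence would miss a policy that has been quietly disabled.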
Where your data lives, and how AI is handled
Your application data is processed and stored on infrastructure located in the European Union and governed by the GDPR. Our hosting provider is a non-US company operating servers on EU soil, so the data it holds for us is outside the reach of US access laws such as the CLOUD Act, FISA, and the USA PATRIOT Act. Content sent to an AI provider to fulfil a request you initiate (see below) is handled under that provider's data-processing terms rather than under this hosting arrangement. Static assets are cached at the edge by an EU-jurisdictional CDN; your resume, applications, and account data are never cached at the edge and are always delivered fresh from origin.
Aya uses AI providers (such as Anthropic) to power resume analysis, document generation, and the career assistant. Only the content needed to fulfil a request you initiate is sent, under each provider's data-processing terms; we do not use your data to train AI models, and we never sell your data. Full details — including our subprocessors and retention periods — are in our Privacy Policy.
What we don't do
- We do not sell your personal information — ever.
- We do not use your data to train AI models.
- We do not share data with advertising networks or data brokers (our analytics are self-hosted in the EU).
On our roadmap
- A formal SOC 2 Type II attestation through an accredited auditor.
- ISO/IEC 27001 certification.
- Continuous, automated monitoring of our public security posture across every Kwata product.
Report a vulnerability
If you believe you've found a security issue, email security@kwatateam.com. We investigate every report, will acknowledge your report promptly, and ask for a reasonable window to remediate before any public disclosure.