Aha! security features
Aha! is ISO 27001 certified and was built to support millions of users and deliver high performance, reliability and robust data protection. It was designed with security in mind by an experienced team of software builders. The Aha! application has built-in security functionality that every customer benefits from. And operationally, we have a strict set of policies in place to ensure customer data is kept safe. These policies include but are not limited to restricting employee access to customer data.
Application security
In addition to the security provided through our data center infrastructure, there are many additional protective capabilities built directly into the application itself.
The following security features benefit all customers, regardless of plan.
Secure network access
All customer communications are over secure HTTP access (HTTPS) so that you can establish secure communication sessions with your Aha! account using TLS.
Encryption of data at rest
All account data that is not moving through the network is encrypted while "at rest" in the database. We encrypt all data using 256-bit AES encryption.
Single sign-on (SSO)
Customers can configure single sign-on for their Aha! account, allowing their existing identity provider to control access to the Aha! application.
Two-factor authentication (2FA)
Through the use of the Duo Mobile app, customers can enable push based two factor authentication where a verification request is sent to the users mobile device prior to being able to access Aha!
User permissions
Access to data within your Aha! account is on a per user / per product basis allowing account administrators to restrict access to data. There are six different levels of permissions that you can apply to users in your account.
Secure presentations
Data in Aha! can be shared through the use of Aha! presentations. The presentations can be secured through the use of a per presentation password, or by enabling advanced presentation security where only registered Aha! users can access the presentation data.
Private ideas portals
A private portal provides an Ideas forum for registered users only. The URL is publicly available, but unless a user is registered they will not be able to log in. Private portals are useful for product teams that want to provide a way for select groups, such as employees, partners or key customers to securely submit ideas.
Activity stream
All user activity in Aha! is logged in the activity stream which can then be filtered and searched against.
History of changes
Every text description in Aha! has its own history tracker which allows users to view when changes were made and who they were made by. Additionally, the history function allows users to revert back to previous versions of the text.
Feature and ideas export
Features and Ideas can be exported from Aha! as a CSV file, allowing customers to easily backup their most important data.
These additional features benefit customers in the Enterprise+ plan.
Anti-virus scanning
Aha! automatically scans all uploaded files for viruses. This helps protect against malicious files from being uploaded and shared with other users in the account. If Aha! detects a virus in a file, we reject the upload and notify the user.
IP address access control
IP address based access control gives Aha! administrators and their IT teams the ability to limit who can access their account by location. It is perfect for larger organizations looking to lock down their account to certain offices and corporate users of the VPN. It provides an extra level of security by limiting access to the Aha! account, any created presentations, and even ideas portals.
Account backup and export
To allow the most diligent IT administrators to rest easily, Enterprise+ customers have the option to export a full JSON backup file of their Aha! environment to store themselves. This backup includes all strategy, release, ideas, features, and comment data.
Single sign-on (SSO) for presentations
Customers can configure single sign-on for their Aha! presentations, allowing only users with SSO configured to access product roadmaps and product information that has been published.
Operational security
System and operational security
Aha! protects its system infrastructure by using dedicated firewall and network services to block unauthorized system access. Operating system installations are patched based on vendor recommendations and hardened by removing unnecessary processes and open ports.
Employee data access
Tight system access security is enforced and no Aha! employees are able to access customer data unless specifically required to do so for support reasons. Then only specially designated senior technical employees have the necessary access permissions. Any systems access is logged and tracked for auditing purposes.
Software security
Aha! has been carefully designed to separate customer data and to prevent even inadvertent disclosure of data from one user to another. User account permissions and roles are enforced at the server and database level to prevent malicious users from escalating their privileges. We carefully design all new features to prevent potential attacks such as SQL injection and cross-site-scripting.
Network security
Aha! encrypts all communication between customers and our data center using TLS. All login and post-login web pages in Aha! are served over HTTPS. Any unencrypted access is first redirected to HTTPS before completing. All passwords are filtered from all our logs and are stored one-way hashed in the database.
Service reliability and file system backup
We operate active-active from multiple, distributed data centers and maintain a real-time, streaming replica of all customer data on separate hardware. In addition, we maintain hourly backups in a geographically separate data center.
Aligned with best practices
Aha! provides additional information about our security controls through the Cloud Security Alliance CAIQ.