
Security

Last updated: May 11, 2026

AYA Twin is a personal operating system that holds work, finances, and journals. We take security seriously and aim to be transparent about how we handle data and what we do not yet do.

Encryption

  • In transit: All endpoints require TLS 1.2 or higher. Traffic to and from your browser is encrypted.
  • At rest: Per-user databases hosted on Turso are encrypted at rest by the provider.
  • BYOK API keys: If you provide your own Anthropic / OpenAI / Google API keys, we encrypt them with AES-256-GCM. The ciphertext is bound to your user ID and the provider via additional authenticated data (AAD), so a leaked database row cannot be replayed against a different user or provider.
  • Master encryption key: Currently stored as an environment variable on our hosting provider. Migration to a dedicated key management service (KMS) is on the roadmap.

Per-user database isolation

Each AYA Twin user has a dedicated database on Turso, isolated from every other user. This is stronger isolation than typical multi-tenant SaaS architectures provide: even an API misuse that would otherwise return the wrong user's data cannot cross database boundaries, because the database connection itself is scoped to the authenticated user.

A small platform-level database holds authentication state and account metadata. Each user's personal data — tasks, notes, journals, finance entries, conversations with their AI twin — lives only in their own dedicated database.

Authentication

  • OAuth via Google (using Auth.js / NextAuth v5)
  • Email + password also supported, with passwords hashed via bcrypt
  • Sessions are JWT-signed; the signing secret is rotated on a controlled cadence
  • Session cookies are HTTP-only, Secure, and SameSite=Lax in production
  • Sensitive operations (account deletion, plan changes) require a recent authentication challenge

Application security controls

  • HTTP security headers: HSTS (with two-year max-age), X-Content-Type-Options nosniff, X-Frame-Options DENY, Referrer-Policy strict-origin-when-cross-origin, Permissions-Policy disallowing camera / mic / geolocation
  • SSRF protection: URL fetches (e.g., preview generation) refuse loopback, RFC 1918 private ranges, and cloud-provider metadata endpoints
  • Path traversal protection: Uploaded filenames are sanitized; uploads stay within their date-scoped directory
  • XSS: Rendered HTML is sanitized via DOMPurify with a strict allowlist (no inline scripts, no javascript: URIs, no on* handlers)
  • Sentry scrubbing: Error reports strip Authorization / Cookie / X-API-Key headers and token-bearing query params before transmission

Subprocessors

See the subprocessor table on our Privacy Policy. Briefly: Anthropic, OpenAI, Google, Stripe, Resend, Turso, Vercel, Sentry, PostHog, Tavily. Each is bound by its own DPA. We don't add new subprocessors silently — material additions are announced before they go live.

Compliance status

  • SOC 2 Type 1: planned. Not yet engaged with an auditor.
  • SOC 2 Type 2: planned, after Type 1.
  • HIPAA: not applicable. AYA Twin is a consumer product and we do not currently sign Business Associate Agreements. Do not use AYA Twin to store Protected Health Information.
  • PCI DSS: SAQ-A. We never see card numbers — Stripe Checkout handles payment data end-to-end.
  • GDPR / CCPA: we honor subject access and deletion requests. See the rights section on our Privacy Policy. Deletion is currently processed manually via support email (self-serve in-product deletion is planned).

Beta caveats

AYA Twin is in active development (Beta). We're iterating quickly and some surfaces may have known issues. Until our SOC 2 attestation completes, we recommend:

  • Don't store medical records, classified information, or other regulated data
  • Don't store secrets you can't rotate (treat AYA Twin like any other personal tool)
  • Do let us know if something feels wrong — we'd rather hear it from you than read about it later

We commit to: never selling data, processing deletion requests on a documented timeline, transparent subprocessor changes, and post-incident disclosure within 72 hours of confirmation.

Vulnerability disclosure

If you find a security issue, please email hello@ayatwin.ai with:

  • A clear description of the issue
  • Steps to reproduce
  • The affected URL or component
  • Your contact info for follow-up

We aim to acknowledge within 48 hours and provide a status update within 7 days. We don't currently have a paid bug bounty, but we offer acknowledgement and a public hall-of-fame credit (coming soon) for valid findings.

In scope: ayatwin.com, ayatwin.ai, all *.ayatwin.* subdomains, and API endpoints under those domains.

Out of scope: Third-party services (Stripe, Turso, Anthropic, etc.) — report directly to them. Social engineering and physical attacks on staff are also out of scope.

Safe harbor: If you make a good-faith effort to comply with this policy, we will not pursue legal action against you for security research conducted under it.

Contact

All security, privacy, compliance, and DPA requests: hello@ayatwin.ai.

Saxena Tech LLC
Florida, USA