Question 1

How is user data collected and secured?

Accepted Answer

Data is collected via the Sahha SDK or API after a user grants device-level health permissions (Apple Health / Health Connect). All data is encrypted in transit using TLS 1.2+ and at rest using AES-256, and processed entirely within Sahha’s AWS infrastructure.

Question 2

How does Sahha de-identify data?

Accepted Answer

Data is stored under a pseudonymized external ID provided by the customer. No direct personal identifiers (names, emails, phone numbers) are stored. The only demographic attributes retained are gender and date of birth, which improve score accuracy.

Question 3

Is health data classified as PHI?

Accepted Answer

Sahha treats all health data with PHI-level controls even though direct identifiers are not stored. Data is pseudonymized — the only PII retained is gender and date of birth — and all infrastructure, access controls, and processes are designed to meet HIPAA requirements.

Question 4

How is user consent managed?

Accepted Answer

Consent is obtained through device-level health platform permissions (Apple Health / Health Connect), which users can revoke at any time in device settings. Under GDPR, the lawful basis for processing is typically the contract between Sahha and the customer, with the customer responsible for obtaining appropriate end-user consent within their own app.

Question 5

What is the data retention and deletion policy?

Accepted Answer

Data is retained for as long as the user profile is active. When a profile is deleted via the API, all associated data is permanently removed within 30 days. Customers can trigger deletion at any time using the profile delete endpoint.

Question 6

Who are Sahha’s sub-processors?

Accepted Answer

AWS is Sahha’s sole infrastructure provider for data hosting and processing. No other third-party sub-processors handle customer health data.

Question 7

Where is Sahha data hosted?

Accepted Answer

Data is hosted on AWS in the US (us-east-1). Regional hosting in other AWS regions can be arranged for enterprise customers on request.

Question 8

What encryption is used in transit and at rest?

Accepted Answer

All data in transit is encrypted using TLS 1.2+. Data at rest is encrypted using AES-256 via AWS-managed encryption. Keys are managed through AWS KMS with strict access policies.

Question 9

What security practices protect the infrastructure?

Accepted Answer

Sahha follows AWS security best practices including VPC network isolation, IAM least-privilege access policies, security group restrictions, and automated monitoring. All infrastructure is managed as code with change control.

Question 10

Who at Sahha can access customer data?

Accepted Answer

Access to customer data is governed by role-based access controls with least-privilege principles. All access is logged with audit trails.

Question 11

Does Sahha conduct penetration testing?

Accepted Answer

Yes. Sahha conducts annual penetration testing performed by an independent third party. Results are reviewed internally and findings are remediated on a prioritized timeline.

Question 12

What happens during a security incident?

Accepted Answer

Sahha maintains a documented incident response process. In the event of a confirmed breach affecting customer data, affected customers are notified within 72 hours in line with GDPR requirements.

Question 13

Is Sahha SOC 2 compliant?

Accepted Answer

Yes. Sahha has completed a SOC 2 Type II audit. A copy of the report is available on request or via download below.

Question 14

Is Sahha HIPAA compliant?

Accepted Answer

Yes. Sahha is HIPAA compliant and a Business Associate Agreement (BAA) is available on request for customers who require one.

Question 15

Is Sahha GDPR compliant?

Accepted Answer

Yes. Sahha is GDPR compliant and a Data Processing Agreement (DPA) is available on request for customers who require one.

Question 16

Where can I find the privacy policy and legal agreements?

Accepted Answer

Sahha publishes an End User Privacy Policy and an API Licence Agreement. Customers should also maintain their own privacy policy covering how their app uses health data collected via Sahha.

Security & Compliance FAQ

Data & privacy

Infrastructure

Compliance