Health and wellness spending account wisdom

What About My Plan’s Security and Protection?

At Aya, our approach to product development and solutioning is based on the fundamental principle of secure by design. We strive to provide a robust, scalable and secure platform that meets the requirements for data protection and privacy. The Aya team cares about the security of the Aya Prepaid Mastercard® platform and about the security of our Clients’ personal information (PII), personal health information (PHI) and payment processing data. We understand how critical establishing and maintaining consumer trust is and how trust is rooted first and foremost in protecting the data we collect. We strive to operate a highly secure platform in AWS while addressing all relevant legal, industry, and regulatory concerns in Canada.

Information Security and Privacy Policies
As part of our secure by design philosophy, we maintain internal information security documentation that comprises of minimum security baseline (MSB), and a cyber security incident response plan (IRP). The MSB is intended to be a one stop shop that identifies the controls that need to be implemented, the compliance requirements that need to be met, and the standards that needs to be adopted. We also maintain a privacy policy, terms of

service, eSign agreement and card member agreement that are publicly accessible from

Data Collection & Residency
We do not collect any data unless we are authorized to do so by you. All data, whether at rest or in transit, is encrypted with state-of-the-art encryption policies. We understand the importance of data residency and we continuously strive to maintain Canadian data residency of personal health information of our Canadian clients.

We do not host our own infrastructure. novaHSA is hosted on Amazon Web Services (AWS). Our AWS tech stack comprises of a combination of serverless, containers and managed databases. AWS is a top industry leading cloud service provider running data centres across different regions with multiple availability zones within a region. The AWS data centers have strict controls that undergo third-party independent audits and are certified for compliance controls in its infrastructure.

This includes, but is not limited to, ISO 27001/27001, SOC 2, and PCI. Some of the safeguards that AWS implements include:

  1. Physical security measures including security guards, fencing, security feeds, intrusion detection technology, among other measures
  2. AWS has back-up power equipment, HVAC systems and fire suppression equipment to help protect servers
  3. AWS deploys threat detection devices, video surveillance and secure system protocols

Additionally, the physical address of the AWS data centres is not public knowledge.

Ongoing Security Testing & Certification
As part of our continual security review, we have the ability to monitor our applications and infrastructure and strive to conduct periodic penetration testing and vulnerability scanning to ensure that we are keeping your data safe and secure.

Application Security
Secure Application Development
We have implemented code quality and security scanning capabilities enabling our developers to write cleaner and safer code with the purpose of increasing the reliability, security and maintainability of the codebase.
As part of our software development lifecycle (SDLC), all code changes are committed, tested, and only after successful testing they are released to production. At least one authorized reviewer, reviews and approves all code changes. Deployments to our production environment are gated under condition that all code is reviewed.

Logical Access Control
Aya has full control over all of its infrastructure on AWS, and only authorized DevOps Team members at Aya have access to configure infrastructure when needed in order to add new functionality or respond to incidents. All access required for control of infrastructure has mandated multi-factor (MFA) authentication. The levels of authorization for infrastructure components is mandated by the principle of least privilege and segregation of roles and responsibilities.

Business Continuity and Disaster Recovery
High Availability: We make all attempts to avoid single point of failures in our system. Every component of the Aya Prepaid Mastercard® service uses properly provisioned, highly available and redundant services thus minimizing the impact to the system in the event of a failure. Our target is to implement zero downtime deploys, and implement a gradual rollout and rollback of services in the case of deployment errors.

Business Continuity: Aya keeps continuous backups of our production databases using the AWS RDS Backup Service with backups taken every 24 hours and snapshots taken every 5 minutes allowing us to restore easily to any time in the last 24 hours in the case of data corruption or loss with a recovery point objective of 5 minutes.

Disaster Recovery: In the event of a complete region-wide outage, the Aya’s DevOps Team can bring up a duplicate environment if needed. To support this need, Aya stores all infrastructure as code and as such is able to bring up complete copies of production and staging environments quickly.

Share on facebook
Share on twitter
Share on linkedin

Subscribe to our Newsletter

No spam, ever.

The Aya
Prepaid Mastercard®
changes everything.

Book a live demo

Quick call to walkthrough the experience with an Aya success specialist.

Welcome to Aya's Media Center
Flip through our latest press release