Security & Compliance

Securing connected products, the data they collect, and the applications that leverage them is a major focus for Ayla. Our end-to-end IoT security philosophy centers on tight control of four areas: security controls, data access, data privacy, and infrastructure. The Ayla Platform holds certifications including ISO 27001 and SOC 2, and handles personal data in a GDPR-compliant manner to keep consumer data secure.


Security Controls

Ayla's "full stack" security philosophy employs a wide range of leading-edge security measures around user and device authentication, data transmission, and intrusion prevention. These measures include:

  • Each device is authenticated with its own unique key pair.
  • Encrypted LAN Mode communication between the mobile application and the device.
  • Data encryption: HTTPS traffic protected with TLS; the UDP channel encrypted with AES-128.
  • Layered access control, so that compromise of a single device does not compromise the whole system.
  • Penetration testing by a third-party vendor.
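To make the first and fourth points concrete, here is an added illustration (not Ayla's code or protocol) of per-device key-pair authentication as a nonce challenge-response. It assumes Ed25519 keys and an in-memory device registry; the device serial numbers are constructed sample values. Each device holds only its own private key, the cloud stores only public keys, and a fresh random nonce per attempt prevents replay. The second half of the example shows the "layered" property: a key lifted from one device cannot authenticate as any other device.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// DeviceRecord is what the cloud keeps per device: only the PUBLIC half of a
// key pair generated uniquely for that device at provisioning time.
type DeviceRecord struct {
	Serial string
	PubKey ed25519.PublicKey
}

// Registry is a constructed in-memory stand-in for the cloud's device store.
type Registry struct {
	devices map[string]DeviceRecord
}

func NewRegistry() *Registry {
	return &Registry{devices: map[string]DeviceRecord{}}
}

// Provision generates a fresh key pair for a device. The private key is
// returned to be burned into the device; the registry stores only the public key.
func (r *Registry) Provision(serial string) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	r.devices[serial] = DeviceRecord{Serial: serial, PubKey: pub}
	return priv, nil
}

// NewChallenge issues a 32-byte random nonce. A new nonce per attempt means a
// captured signature is useless for a later login.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// authMessage binds the claimed serial to the nonce. The serial is
// length-prefixed so different (serial, nonce) splits cannot collide.
func authMessage(serial string, nonce []byte) []byte {
	msg := []byte{byte(len(serial))}
	msg = append(msg, serial...)
	return append(msg, nonce...)
}

// DeviceSign is the device side: prove possession of the private key by
// signing the server's nonce bound to the device's own serial.
func DeviceSign(priv ed25519.PrivateKey, serial string, nonce []byte) []byte {
	return ed25519.Sign(priv, authMessage(serial, nonce))
}

// Verify is the cloud side: look up the public key for the claimed serial and
// check the signature over the same bound message.
func (r *Registry) Verify(serial string, nonce, sig []byte) error {
	rec, ok := r.devices[serial]
	if !ok {
		return errors.New("unknown device")
	}
	if !ed25519.Verify(rec.PubKey, authMessage(serial, nonce), sig) {
		return errors.New("signature does not match this device's key")
	}
	return nil
}

func main() {
	reg := NewRegistry()
	privA, _ := reg.Provision("device-0001") // constructed sample serials
	privB, _ := reg.Provision("device-0002")

	nonce, _ := NewChallenge()
	fmt.Println("A with A's key:", reg.Verify("device-0001", nonce, DeviceSign(privA, "device-0001", nonce)))
	// Layered control: B's key, even if stolen, cannot authenticate as A.
	fmt.Println("A with B's key:", reg.Verify("device-0001", nonce, DeviceSign(privB, "device-0001", nonce)))
	// Replay: a signature over an old nonce fails against a new challenge.
	nonce2, _ := NewChallenge()
	fmt.Println("replayed sig:  ", reg.Verify("device-0001", nonce2, DeviceSign(privA, "device-0001", nonce)))
}
```

In a real deployment the private key would be generated inside the device's secure element and never leave it; the registry would be the cloud's device database, and the nonce would be tracked server-side with a short expiry.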

Data Access Controls

Connected products and the data they generate are typically accessed by a variety of people, including friends or family, customer support teams, product operations teams, business analysts, and more. To ensure the right people have access to the appropriate data, Ayla provides a wide range of access controls. These controls include:

  • A role-based access control (RBAC) framework to define custom roles and access permissions for device and user data (for both the OEM organization and external parties).
  • Secure sharing of devices among family members or guests.
  • End-user opt-in to share their device data with partner services, such as energy management or replenishment services.
  • Tracking of data access for auditing and compliance purposes.

Data Privacy Controls

Maintaining the privacy of consumer data is a growing concern worldwide. Ayla supports our customers in meeting the highest privacy standards for their market with a strong set of privacy tools. These include:

  • Proximity controls that require physical possession of a device before it can be registered to a user account.
  • Data ownership tied to the registered owner of the device, with role-based access for OEM staff.
  • GDPR-ready Dashboard UI to protect access to personally identifiable information (PII).

Infrastructure Security

Securing customer data and their virtualized devices from malicious attacks or theft is a major concern of Ayla's security team. We deploy a number of leading-edge security measures across the cloud infrastructure providers that our platform runs on (e.g., AWS, GCP). These measures include:

  • All services are deployed within a VPC, with application services and databases in separate subnets.
  • Compute instances are not directly reachable from the internet and run intrusion detection systems.
  • Firewalls protect services at the network level.
  • DDoS filtering and a web application firewall are employed.

Certifications

To ensure our security practices adhere to the highest levels of quality and depth, Ayla maintains various certifications and annual audits. These certifications include:

  • SSAE 16 / ISAE 3402 Type II:
    • SOC 2
  • ISO 27001:
    • One of the most widely recognized, internationally accepted independent security standards.