Technical and organizational measures

Last update: 25.10.2025

The following technical and organizational measures have been taken by Ayyah AG to ensure the security of the data.

The personal data processed by Ayyah AG as an organization and Ayyah as software is limited to user data (surname, first name, department, business contact information, e-mail, IP address and business-related orders of the user). The personal data in the software is pseudonymized where possible.

The software is developed by selected certified development partners. The data is stored in a highly secure Kubernetes data center in Switzerland and is only accessible to employees of Ayyah AG and the subcontractors to the extent necessary.

1. physical access control

We control physical access to the premises of Ayyah AG through the following measures:

  • Ayyah is hosted in a secure, certified data center in Switzerland
  • Ayyah employees do not have access to the data center
  • Allocation of keys to the office premises is documented
  • Visitors are never alone in the office premises

2. system access control

To ensure that only authorized persons have access, we have taken the following measures both in the internal systems and for the Ayyah software:

  • User administration for logging in with an individual user name and password (password policy)
  • Logging of access
  • System administration by the managing director of Ayyah
  • Automatic blocking of the IP address in the event of too many failed logins, optional restriction of IP range
  • Automatic logout in case of inactivity

3. data access control

In order to control access, we have taken the following measures both in the internal systems and for the Ayyah software:

  • Client, role and rights-based access management
  • Management of users by the respective system administrators of the clients

4. separation control

We have taken the following measures to ensure that data collected for different purposes is processed separately:

  • Separation of development, test and live systems
  • Separation of clients in the software

5. transport/storage control

Ayyah has taken the following measures to ensure that personal data is not read, copied, modified or deleted without authorization during transmission and storage:

  • Secure transmission of data via SSL encryption
  • Data is only transmitted to systems outside the data center when using the REST API
  • The storage media of Ayyah employees' computers are encrypted and can be erased via remote wipe
  • Disclosure only at the request of the client or after verification of the legal basis
  • Cloudflare, Inc. (USA) is used as a content delivery network (CDN) and web application firewall (WAF) to secure web communication and to protect against DDoS attacks and unauthorized access. This may result in the processing of technical usage data (e.g. IP addresses). The use is based on suitable guarantees in accordance with Art. 16 FADP (standard contractual clauses with Swiss adaptation).

6. input control

We ensure the traceability of entries and changes as follows:

  • All accesses are made with personal logins
  • Logging of entries in the change log

7. order control

We have taken the following measures to ensure that data can only be processed in accordance with the order and the client's instructions when an order is placed:

  • Selection of contractors by Ayyah Management and member of the Board of Directors/Data Protection Officer
  • Subcontracting only with an equivalent level of protection and with a data processing agreement
  • Review of the measures taken by the contractor

8. availability control

To ensure availability, Ayyah is operated in a high-availability data center in an encrypted container.

  • Active management of the servers by the cloud provider
  • Power supply, water protection, air conditioning, fire protection by the cloud provider
  • Data backup and recovery
  • The software is continuously monitored and measures are initiated automatically if necessary.