
Your Data, Your Business: How Ayyla Protects What Matters Most

Basics

Mar 1, 2026

Running a wedding planning business means managing deeply personal information — client details, budgets, vendor contracts, guest lists, and more. We built ayyla with the understanding that this data isn’t just information; it’s your reputation and your clients’ trust.

This post breaks down how we protect your data today, and where we’re headed next.

Your Data is Yours Alone

Every ayyla account operates in a fully isolated environment. When you log in, you only ever see your own data — your clients, your suppliers, your budgets, your documents.

This isn’t just a filter on the screen. It’s enforced at the database level. Every single query that runs on our platform — reads, writes, updates, counts, and aggregations — is automatically scoped to your account. Every table in our database carries a tenant identifier, including child records like budget line items, supplier contacts, and AI conversation messages. Your data physically cannot appear in another planner’s account.

In practice, this means your supplier lists, pricing, and notes are invisible to other planners. Client contact details, preferences, and wedding plans are fully private. Financial data — budgets, expenses, commissions — is completely siloed. And team members only see what belongs to your business.
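The scoping rule described above can be shown with a small in-memory stand-in for a database table. This is an added example, not ayyla's code: `scopedTable`, the row shape and the tenant names are hypothetical.

```javascript
// Constructed sample rows. Child records (budget line items) carry tenantId too.
const budgetLines = [
  { id: 1, tenantId: "planner-a", item: "Venue", amount: 1200 },
  { id: 2, tenantId: "planner-a", item: "Florist", amount: 800 },
  { id: 3, tenantId: "planner-b", item: "Band", amount: 950 },
];

// Hypothetical data-access wrapper: the only way application code reaches a table.
function scopedTable(rows, tenantId) {
  if (!tenantId) throw new Error("tenantId is required for every query");
  // Caller filters are merged first and tenantId is forced last, so a filter
  // such as { tenantId: "planner-a" } cannot widen the scope.
  const matches = (row, where = {}) =>
    Object.entries({ ...where, tenantId }).every(([k, v]) => row[k] === v);
  const select = (where) => rows.filter((r) => matches(r, where));
  return {
    findMany: (where) => select(where).map((r) => ({ ...r })),
    count: (where) => select(where).length,
    sum: (field, where) => select(where).reduce((total, r) => total + r[field], 0),
    create: (data) => {
      const row = { ...data, tenantId }; // overrides any client-supplied tenantId
      rows.push(row);
      return { ...row };
    },
    updateMany: (where, data) => {
      const { tenantId: _dropped, ...safe } = data; // a row never changes tenant
      const hits = select(where);
      hits.forEach((r) => Object.assign(r, safe));
      return hits.length;
    },
  };
}

const plannerB = scopedTable(budgetLines, "planner-b");
console.log(plannerB.findMany({ tenantId: "planner-a" })); // only planner-b rows
console.log(plannerB.updateMany({ id: 1 }, { amount: 0 })); // 0 rows touched
```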

Encryption in Transit

All data moving between your browser and our servers is encrypted using TLS (Transport Layer Security), the same standard used by banks and healthcare platforms. Whether you’re updating a guest list, uploading a contract, or checking your budget, that information is encrypted the entire way.

We also encrypt sensitive credentials like third-party integration tokens (Google Calendar, Google Drive) using AES-256 encryption before storing them in our database.

Authentication & Access Control

Strong password security. Passwords are hashed using bcrypt with industry-recommended salt rounds. We never store your password in readable form — not even we can see it.

Session management. Access tokens expire on a short cycle, and refresh tokens have a strict 7-day limit. If your device is lost or compromised, sessions expire automatically. You can also sign out of all devices at once.

Account lockout. After repeated failed login attempts, accounts are temporarily locked to prevent brute-force attacks.

Role-based access. ayyla supports distinct roles — account owners, team members, and couple portals — each with different levels of access. Team members can collaborate without seeing everything, and couples get a focused view of their own wedding.

Security audit logging. We log security-relevant actions — login attempts, password changes, and role modifications — so you have visibility into account activity.

How We Handle File Uploads

When you upload a document, photo, or contract to ayyla, it goes directly to secure cloud storage on AWS (Amazon Web Services). Your files are organised by account and project, so they’re isolated just like the rest of your data.

Encryption at rest. All uploaded files are encrypted on the server side using AES-256 encryption before being stored. Your files are protected even at the storage level.

File validation. We validate every upload before it reaches storage. Files are checked against an allowlist of safe types (images, PDFs, documents, spreadsheets), dangerous file extensions are blocked, and file sizes are enforced server-side — not just in the browser.

Signed URLs. Uploads use time-limited signed URLs — meaning even the upload link itself expires after 30 minutes and can’t be reused or shared. Downloads work the same way: we verify your identity and permissions before generating a temporary access link.
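A server-side check of the kind described under file validation might look like the following added example, which is not ayyla's code. The size limit, the extension lists and `validateUpload` are assumptions, and the leading-byte comparison goes one step beyond the checks listed above.

```javascript
const MAX_BYTES = 10 * 1024 * 1024; // assumed limit, measured on bytes received
// Allowed extension -> signature the content must start with.
const ALLOWED = new Map([
  ["pdf", [0x25, 0x50, 0x44, 0x46, 0x2d]], // %PDF-
  ["png", [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]],
  ["jpg", [0xff, 0xd8, 0xff]],
  ["jpeg", [0xff, 0xd8, 0xff]],
  ["docx", [0x50, 0x4b, 0x03, 0x04]], // ZIP container
  ["xlsx", [0x50, 0x4b, 0x03, 0x04]],
]);
const BLOCKED = new Set(["exe", "dll", "bat", "cmd", "sh", "js", "html", "svg", "php"]);

function validateUpload(filename, bytes) {
  if (/[\/\\\0]/.test(filename)) return "bad-name"; // no path separators or NUL
  const parts = filename.toLowerCase().split(".");
  if (parts.length < 2 || parts[0] === "") return "bad-name";
  // Inspect every extension so "contract.pdf.exe" and "contract.exe.pdf" both fail.
  if (parts.slice(1).some((p) => BLOCKED.has(p))) return "blocked-extension";
  const signature = ALLOWED.get(parts[parts.length - 1]);
  if (!signature) return "type-not-allowed";
  if (bytes.length === 0 || bytes.length > MAX_BYTES) return "bad-size";
  // The extension is only a claim; the leading bytes must agree with it.
  return signature.every((b, i) => bytes[i] === b) ? "ok" : "content-mismatch";
}

// Constructed sample uploads.
const pdfBytes = Buffer.from("%PDF-1.7\n%constructed sample", "latin1");
console.log(validateUpload("contract.pdf", pdfBytes)); // "ok"
console.log(validateUpload("contract.pdf.exe", pdfBytes)); // "blocked-extension"
console.log(validateUpload("photo.png", pdfBytes)); // "content-mismatch"
```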

API & Application Security

Behind the scenes, we enforce several layers of protection on every request:

Rate limiting. Each API endpoint has request limits to prevent abuse. Authentication endpoints have stricter limits to guard against automated attacks.

Input validation. Every piece of data submitted to our platform is validated and sanitised. Unknown or unexpected fields are automatically stripped and rejected.

Parameterised queries. We use an ORM (Prisma) that prevents SQL injection by design. User input never gets concatenated into database queries.

Content Security Policy. We enforce a strict CSP on all API responses, preventing cross-site scripting (XSS) and other injection attacks at the browser level.

Security headers. Our API enforces HSTS, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy headers on every response.

Webhook verification. Third-party webhooks (like payment events from Stripe) are verified using cryptographic signatures before processing.

Payment Security

ayyla uses Stripe for all payment processing. We never store your card number, CVV, or full payment details on our servers. Stripe is a PCI DSS Level 1 certified provider — the highest level of payment security certification.

All billing interactions happen through Stripe’s secure infrastructure, and payment events are verified via signed webhooks before we act on them.
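The webhook verification mentioned here and under API & Application Security follows Stripe's documented scheme: the `Stripe-Signature` header carries `t=<timestamp>,v1=<hex HMAC-SHA256>` computed over `<timestamp>.<raw body>`. The sketch below is an added example rather than ayyla's or Stripe's code; the secret, the event body and the five-minute tolerance are assumptions.

```javascript
const crypto = require("node:crypto");

const TOLERANCE_SECONDS = 300; // assumed replay window

function signPayload(secret, timestamp, rawBody) {
  return crypto.createHmac("sha256", secret)
    .update(`${timestamp}.${rawBody}`, "utf8").digest("hex");
}

// rawBody must be the exact bytes received, not JSON that was parsed and
// re-serialised, or the signature will not match.
function verifyWebhook(rawBody, header, secret, nowSeconds) {
  const parts = { t: null, v1: [] };
  for (const item of String(header).split(",")) {
    const [key, value] = item.trim().split("=");
    if (key === "t") parts.t = value;
    else if (key === "v1" && value) parts.v1.push(value);
  }
  if (!/^\d+$/.test(parts.t || "") || parts.v1.length === 0) return "malformed";
  const expected = Buffer.from(signPayload(secret, parts.t, rawBody), "hex");
  const valid = parts.v1.some((sig) => {
    const given = Buffer.from(sig, "hex");
    // Constant-time comparison; lengths must match before timingSafeEqual.
    return given.length === expected.length && crypto.timingSafeEqual(given, expected);
  });
  if (!valid) return "bad-signature";
  // A correctly signed but old event is treated as a replay.
  if (Math.abs(nowSeconds - Number(parts.t)) > TOLERANCE_SECONDS) return "stale";
  return "ok";
}

// Constructed secret and event body, for illustration only.
const secret = "whsec_constructed_example";
const body = '{"id":"evt_constructed","type":"invoice.paid"}';
const header = `t=1700000000,v1=${signPayload(secret, 1700000000, body)}`;
console.log(verifyWebhook(body, header, secret, 1700000060)); // "ok"
console.log(verifyWebhook(body.replace("paid", "void"), header, secret, 1700000060)); // "bad-signature"
```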

Infrastructure

ayyla runs on AWS infrastructure, giving us a strong foundation for security and reliability:

Isolated networking. Our application runs within a Virtual Private Cloud (VPC) with security groups controlling access between services.

Managed database. PostgreSQL on AWS RDS with automated daily backups and 7-day retention, enabling point-in-time recovery.

Redundant caching. Redis for session management and real-time features.

Containerised deployment. Our application runs in Docker containers for consistent, reproducible environments.

Monitoring & Error Tracking

We maintain structured logging across the platform. Every request is tagged with a unique correlation ID, making it possible to trace issues quickly.

We use Sentry for real-time error tracking and performance monitoring. Errors are captured and triaged automatically so we can respond to problems proactively, often before they affect your experience. Sensitive data like passwords and tokens is automatically scrubbed before any error report is sent.

AI Features & Your Data

ayyla includes AI-powered features like smart suggestions and an assistant to help with your planning workflow. Here’s what you should know:

We use OpenAI’s API to power these features. This means relevant context from your conversation is sent to OpenAI for processing.

Your data is sanitised before it leaves our servers. We automatically strip personally identifiable information — email addresses, phone numbers, physical addresses, and financial details — from AI prompts before they’re sent to any third-party provider. Real names are replaced with placeholders so the AI can still provide useful responses without seeing sensitive details.

OpenAI’s API is configured not to store your data. We explicitly opt out of data retention on every API call, and OpenAI’s API data is subject to their enterprise data processing terms.

AI features are optional. You choose when and how to interact with the assistant.

AI conversations are stored in your account for your reference and can be reviewed at any time.

We’re transparent about this because we believe you should know exactly where your data goes.
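The redaction step described above can be sketched as follows. This is an added example, not ayyla's implementation: it covers only email addresses, phone numbers, currency amounts and names already known from the client record, and `redactPrompt`, `restoreNames` and the placeholder format are hypothetical.

```javascript
const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Hypothetical helper: returns the redacted prompt plus a placeholder map that
// stays on the server and is never sent to the AI provider.
function redactPrompt(text, knownNames) {
  const placeholders = new Map();
  let out = text
    .replace(/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g, "[EMAIL]")
    .replace(/[£$€]\s?\d[\d,]*(?:\.\d+)?/g, "[AMOUNT]")
    // Phone-like runs; require 9+ digits so a date such as 2026-06-14 survives.
    .replace(/\+?\d[\d\s().-]{7,}\d/g, (m) =>
      m.replace(/\D/g, "").length >= 9 ? "[PHONE]" : m);
  // Longest names first so a full name is replaced before any shorter overlap.
  [...knownNames].sort((a, b) => b.length - a.length).forEach((name, i) => {
    const token = `[PERSON_${i + 1}]`;
    const replaced = out.replace(new RegExp(`\\b${escapeRe(name)}\\b`, "gi"), token);
    if (replaced !== out) placeholders.set(token, name);
    out = replaced;
  });
  return { text: out, placeholders };
}

// Put real names back into the model's reply before showing it to the planner.
function restoreNames(reply, placeholders) {
  let out = reply;
  for (const [token, name] of placeholders) out = out.split(token).join(name);
  return out;
}

// Constructed sample prompt and client names.
const sample = redactPrompt(
  "Ask Priya Sharma (priya.sharma@example.com, +44 20 7946 0958) whether " +
    "Tom Okafor approved the £12,500 venue quote for 2026-06-14.",
  ["Tom Okafor", "Priya Sharma"]
);
console.log(sample.text);
console.log(restoreNames("Remind [PERSON_1] to confirm with [PERSON_2].", sample.placeholders));
```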

What We’re Working On Next

Security is never “done.” Here’s what’s on our near-term roadmap:

  • Two-factor authentication (2FA) — Authenticator app support for an additional layer of login security

  • Database encryption at rest — Enabling full encryption on our database storage layer

  • Data export — Ability to export all your account data in a portable format

  • Account deletion — Full account closure with complete data removal

  • Antivirus file scanning — Automated malware scanning of uploaded files

We’ll update this post as these features ship.

Our Commitment

We don’t claim certifications we haven’t earned or features we haven’t built. What we do commit to:

Your data belongs to you. We don’t sell, share, or monetise your data. Ever.

Transparency. If something changes in how we handle your data, we’ll tell you.

Continuous improvement. We’re actively investing in security and privacy as the platform grows.

Responsiveness. If you have a security concern, reach out to us directly and we’ll address it promptly.


 

Have questions about how we handle your data, or want to report a security concern? Get in touch at support@ayyla.ai
