
Ruhavyn Security FAQ
Frequently Asked Questions for Enterprise Clients
Data Protection & Privacy
Where is my company's data stored?
Your data is stored in enterprise-grade secure infrastructure with data centers in the United States. EU hosting is available upon request for GDPR compliance. All data is encrypted at rest using AES-256 encryption and in transit using TLS 1.3.
Is my company's data isolated from other clients?
Yes, completely. We implement Row-Level Security (RLS) on all 37 database tables, ensuring your data is cryptographically isolated. Your administrators can only access data associated with your company ID—they cannot see, query, or access any other organization's data.
Who can access my company's data?
Only your designated administrators and authorized employees can access your company's data. Access is controlled through:
Enterprise SSO (SAML 2.0, OAuth 2.0/OIDC)
Role-Based Access Control (Admin, Member, Service)
Company-scoped isolation at the database level
Ruhavyn support staff cannot access your data without explicit permission.
What personal data do you collect?
We collect minimal data necessary for the wellness platform:
Email address (for authentication)
Display name (optional)
Mood check-ins and journal entries (user-controlled)
Usage analytics (anonymized for reporting)
We do not collect: Social Security numbers, financial information, health insurance details, or medical records.
Do you share data with third parties?
No. Your data is never sold, shared, or disclosed to third parties for marketing, advertising, or any secondary purposes. We work only with carefully vetted infrastructure and service providers who:
Maintain SOC 2 Type II certification
Comply with ISO 27001 standards
Support GDPR and CCPA compliance
Provide HIPAA-ready infrastructure where applicable
Sign Data Processing Agreements with strict confidentiality terms
All service providers are contractually prohibited from using your data for any purpose other than providing services to Ruhavyn.
For a complete list of sub-processors and detailed vendor security information, enterprise clients may contact: info@healingsunhaven.com
How long do you retain data?
| Data Type | Retention Period |
|---|---|
| User activity data | Duration of contract + 30 days |
| Audit logs | 90 days (configurable) |
| Backups | 7 days (Point-in-Time Recovery) |
| Deleted account data | Purged within 30 days |
Authentication & Access Control
Do you support Single Sign-On (SSO)?
Yes. We support enterprise SSO via:
SAML 2.0 providers
OAuth 2.0/OIDC
Azure Active Directory
Okta
Google Workspace
Other major identity providers
SSO users are automatically provisioned with premium access when their email domain matches your company's registered domain.
Do you support Multi-Factor Authentication (MFA)?
Yes. MFA is supported and can be enforced for all users. SSO providers can also enforce their own MFA policies, which are respected by our platform.
How do you handle password security?
Passwords are never stored in plaintext. All authentication is handled through enterprise-grade authentication infrastructure, which implements:
bcrypt hashing with automatic salting
Secure session management via JWT
Password strength requirements
Brute-force protection with rate limiting
Can we enforce password policies?
Yes, through your SSO provider or authentication settings:
Minimum length requirements
Complexity rules
Password expiration
Previous password restrictions
What are the session management details?
JWT token expiration: Configurable (default: 1 hour access token, 7-day refresh token)
Concurrent sessions: Supported across multiple devices
Session invalidation: Immediate upon user deactivation or password change
Idle timeout: Configurable via SSO provider policies
How do you handle user offboarding?
When an employee leaves:
Admin disables the user in our dashboard
User immediately loses premium access
All active sessions are invalidated
Data remains for audit purposes (configurable retention)
Full deletion available upon request
Infrastructure & Encryption
What encryption do you use?
| Layer | Encryption Standard |
|---|---|
| Data at rest | AES-256 |
| Data in transit | TLS 1.3 |
| API keys | SHA-256 hashed |
| Backups | AES-256 encrypted |
Is data encrypted in backups?
Yes. All backups are encrypted using AES-256 and stored in geographically separated locations. Point-in-Time Recovery (PITR) is enabled with 7-day retention for database restoration.
What is your uptime guarantee?
We offer a 99.9% uptime SLA for enterprise clients. Current performance exceeds this at 99.95%. Planned maintenance windows are communicated 72 hours in advance.
What happens if there's an outage?
Our disaster recovery plan includes:
Recovery Time Objective (RTO): 4 hours
Recovery Point Objective (RPO): 1 hour
Automatic failover to backup systems
24/7 monitoring with automated alerts
What DDoS protection do you have?
DDoS protection is provided at multiple layers:
Network layer: Enterprise-grade DDoS mitigation at the infrastructure level
Application layer: Rate limiting on all API endpoints (tier-based)
Authentication layer: Brute-force protection with progressive delays
Database layer: Connection pooling and query limits prevent resource exhaustion
Compliance & Certifications
Are you SOC 2 compliant?
We are SOC 2 Type I ready with all Trust Service Criteria controls implemented:
CC6: Logical & Physical Access Controls
CC7: System Operations
CC8: Change Management
A1: Availability
C1: Confidentiality
P3: Privacy
Formal Type I audit scheduled for Q2 2026. Type II targeted for Q4 2026.
Are you GDPR compliant?
Yes. We implement GDPR requirements including:
Right to access (data export)
Right to erasure (account deletion)
Data portability (JSON export)
Privacy by design
Data minimization
EU hosting available
Are you CCPA compliant?
Yes. California residents have:
Right to know what data is collected
Right to deletion
Right to opt-out of data sales (we don't sell data)
Non-discrimination for exercising rights
Do you support HIPAA?
A Business Associate Agreement (BAA) is available through certified infrastructure. Our platform does not store Protected Health Information (PHI), but we can accommodate HIPAA requirements upon request.
Can you complete our security questionnaire?
Yes. We regularly complete:
SIG (Standard Information Gathering)
CAIQ (Consensus Assessment Initiative Questionnaire)
Custom security questionnaires
Contact info@healingsunhaven.com with your questionnaire.
Audit & Monitoring
What do you log?
All security-relevant events are logged:
User authentication (login/logout)
Admin actions (user management, settings changes)
API access (endpoint, method, response code)
Data access patterns (anonymized)
Failed authentication attempts
Can we export audit logs?
Yes. Audit logs are exportable in CSV and JSON formats via:
Admin dashboard (self-service)
API access (Advanced Care/Complete Care tiers)
Scheduled reports (monthly/quarterly)
How long are logs retained?
Audit logs are retained for 90 days by default. Extended retention is available for enterprise clients upon request.
Do you have intrusion detection?
Yes. Our monitoring includes:
Real-time anomaly detection
API error rate monitoring
Failed authentication alerts
Rate limiting enforcement
Automated notifications for security events
API & Integration Security
How are API keys secured?
API keys are:
Hashed with SHA-256 (plaintext never stored)
Prefixed for easy identification (ruhavyn_live_)
Scoped to specific permissions
Revocable at any time
Logged for all usage
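One way to implement the properties listed above, as an added example that is not Ruhavyn's own code: keys carry the ruhavyn_live_ prefix, only their SHA-256 digest is kept, and scope and revocation are checked on every call. The class, function and scope names are hypothetical, and the key body format is an assumption of this example.

```python
import hashlib
import re
import secrets

PREFIX = "ruhavyn_live_"  # prefix quoted in the FAQ
# Assumed key body: URL-safe base64 characters (this example's choice, not documented)
KEY_RE = re.compile(re.escape(PREFIX) + r"[A-Za-z0-9_-]{20,}")


def _digest(key: str) -> str:
    # A fast unsalted hash is acceptable only because the key is 256 random bits;
    # low-entropy secrets such as passwords need a slow hash (the FAQ names bcrypt).
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


class ApiKeyStore:
    """Hypothetical in-memory store that keeps digests, never plaintext keys."""

    def __init__(self):
        self._records = {}   # sha256 hex digest -> {"scopes", "revoked"}
        self.usage_log = []  # (digest tag, scope, allowed) for every attempt

    def issue(self, scopes):
        key = PREFIX + secrets.token_urlsafe(32)
        self._records[_digest(key)] = {"scopes": frozenset(scopes), "revoked": False}
        return key  # returned once to the caller; only the digest is retained

    def revoke(self, key):
        rec = self._records.get(_digest(key))
        if rec is None:
            return False
        rec["revoked"] = True
        return True

    def authorize(self, presented, scope):
        rec = None
        if isinstance(presented, str) and presented.startswith(PREFIX):
            rec = self._records.get(_digest(presented))
        allowed = bool(rec) and not rec["revoked"] and scope in rec["scopes"]
        # Log an identifier derived from the digest, never the key itself
        tag = _digest(presented)[:12] if isinstance(presented, str) else "invalid"
        self.usage_log.append((tag, scope, allowed))
        return allowed


def find_leaked_keys(text):
    """Defender-side scan: the fixed prefix makes keys easy to spot in logs or repos."""
    return KEY_RE.findall(text)
```

The same prefix pattern can be registered with a secret scanner so that a key committed to a repository or written to a log is flagged and revoked.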
Is there rate limiting?
Yes. Rate limits are tier-based:
| Tier | API Calls/Month | Webhooks |
|---|---|---|
| Essential Care | — | — |
| Advanced Care | 1,000 | 5 |
| Complete Care | 10,000 | Unlimited |
How do webhooks work?
Webhooks are secured with:
HMAC signatures for payload verification
Automatic retry with exponential backoff
Delivery tracking and failure alerts
Configurable event types
Incident Response
What is your incident response process?
Detection (0–15 min): Automated monitoring alerts
Triage (15–60 min): Severity assessment
Containment (1–4 hours): Isolate affected systems
Resolution (4–24 hours): Fix and restore
Notification (within 72 hours): Client communication
Post-mortem (within 7 days): Root cause analysis
How will you notify us of a breach?
Critical security incidents are communicated:
Within 24 hours for critical incidents
Within 72 hours for GDPR compliance
Via email to designated security contacts
Followed by detailed incident report
Have you ever had a data breach?
No. Ruhavyn has not experienced any data breaches. Our security architecture is designed to prevent unauthorized access at every layer.
Vendor Management
What third-party services do you use?
We work with carefully selected service providers who meet our rigorous security and compliance standards. All infrastructure and service providers must:
✓ Maintain SOC 2 Type II certification
✓ Comply with ISO 27001 standards
✓ Support GDPR and CCPA compliance
✓ Provide HIPAA-ready infrastructure where applicable
✓ Sign Data Processing Agreements with strict confidentiality terms
Categories of Third-Party Services:
| Service Category | Purpose | Security Standards |
|---|---|---|
| Database & Authentication | Secure data storage, user authentication | SOC 2 Type II, ISO 27001, HIPAA-ready |
| Payment Processing | Subscription billing, payment security | PCI DSS Level 1, SOC 2 Type II |
| AI Infrastructure | Therapeutic AI features, natural language processing | SOC 2 Type II, enterprise-grade privacy |
| Enterprise SSO | Single Sign-On for corporate clients | SOC 2 Type II, ISO 27001 |
Do subprocessors have access to our data?
Only infrastructure providers have encrypted access to data for the purpose of providing services. AI services receive only non-sensitive information (preferred names, anonymized queries). No subprocessor uses your data for training, advertising, or other purposes.
For a complete list of sub-processors with detailed vendor information, compliance certifications, and data processing agreements, enterprise clients may contact: info@healingsunhaven.com
Enterprise Security Documentation
For additional detailed documentation, including:
Complete sub-processor list with vendor details and compliance certifications
SOC 2 Readiness Report with full technical architecture
Data Processing Addendum (DPA) for GDPR compliance
Vendor Security Questionnaire responses (SIG, CAIQ)
Detailed security architecture diagrams and RLS implementation
Compliance certification status and audit timelines
Penetration testing reports and security assessments
Interested enterprise clients may contact: info@healingsunhaven.com
Contact
General Inquiries: info@healingsunhaven.com
Support Team: support@healingsunhaven.com
Response Time: Within 24 hours
Related Documents
For additional information, please see our complete Trust Center documentation:
| Document | Description |
|---|---|
| SOC 2 Readiness Report | Comprehensive compliance documentation |
| Security Summary | One-page executive overview |
| Privacy & Security Policy | Detailed data protection policy |
| Vendor Security Questionnaire | Pre-filled SIG responses |
| Data Processing Addendum | GDPR-compliant DPA |
| Accessibility Statement | WCAG 2.1 AA compliance |
| User FAQ | End-user help documentation |
| Admin FAQ | Administrator help documentation |
Document Version: 1.2 | Last Updated: February 8, 2026
© 2026 Healing Sun Haven LLC. All rights reserved.


