Data Security & Privacy Compliance
1. Infrastructure Overview

We host and manage all backend services and databases on Amazon Web Services (AWS), a globally trusted cloud provider. The following AWS services are used:

  • EC2: Application servers
  • RDS: Databases
  • S3: File storage
  • CloudFront: Content delivery
  • VPC: Isolated network environment
  • IAM: Identity & access management

2. Data Collection

2.1 Types of Data Collected

Personally Identifiable Information (PII)

  • Full Name
  • Email Address
  • Device Information
  • User behaviour (clicks, progress)

Non-PII Data

  • Browser type and version
  • IP Address
  • Operating system
  • Anonymous usage analytics
  • Application interaction data

2.2 Purpose of Data Collection

  • To deliver personalized experiences
  • To track engagement and performance
  • For analytics and optimization
  • For prize distribution or reward validation (if applicable)
  • For user support or queries

3. Data Protection Measures

3.1 Access Control

  • Role-based access using AWS IAM
  • Multi-Factor Authentication (MFA) enforced
  • Least privilege access enforced for all environments (dev/staging/production)

3.2 Encryption

  • Data in Transit: Encrypted using TLS 1.2+ for all traffic
  • Data at Rest:
    • AWS services such as RDS and S3 use AES-256 encryption
    • KMS (Key Management Service) is used to manage encryption keys
    • Application-level encryption is applied to sensitive PII data such as email or user IDs

3.3 Secure Data Handling

  • Data is only collected when consent is given (opt-in forms or application UI)
  • No unnecessary retention: Data is deleted after its purpose is fulfilled, or based on client-defined retention policies
  • All APIs are protected via authentication tokens and rate limiting
  • CSRF, XSS, and SQL injection protections are implemented at the application layer

4. GDPR and Local Data Compliance

4.1 GDPR Compliance

  • Users are informed about data collection via a privacy policy and consent banner
  • Opt-in is used before collecting any PII
  • Users have the right to request:
    • Data deletion
    • Data export (portability)
    • Access to collected data
  • Data processors and subprocessors (e.g., AWS) are GDPR-compliant

4.2 UAE Data Protection

  • No data is transferred to countries lacking adequate protection unless safeguards are in place
  • Hosting can be configured to use AWS Middle East (UAE) region for local compliance

5. Data Backup and Disaster Recovery

  • Automated daily backups for all databases (e.g., AWS RDS snapshots)
  • S3 objects stored with versioning and cross-region replication if required
  • Backups are encrypted and stored securely
  • Recovery is tested periodically to ensure disaster readiness

6. Server and Infrastructure Security

6.1 Hosting on AWS

  • All servers hosted on Amazon Web Services (AWS) with high availability and auto-scaling

6.2 Network Security

  • Virtual Private Cloud (VPC) with private subnets for internal services
  • Security Groups and Network ACLs to restrict traffic
  • All inbound ports are restricted except essential services (HTTPS, etc.)
  • Web Application Firewall (WAF) used to block malicious requests
  • Cloudflare is optionally used in front of AWS to protect from DDoS and mask IPs

6.3 Patch Management

  • Operating systems and dependencies are regularly patched
  • Unused services and packages are removed to reduce the attack surface

7. Monitoring and Logging

  • Centralized logging with AWS CloudWatch and CloudTrail
  • Real-time threat detection using AWS GuardDuty and Inspector
  • All access and error logs are stored securely and monitored

8. Incident Response Plan

  • Defined process in place to handle data breaches or security incidents
  • Immediate client notification within 72 hours (as per GDPR)
  • Breach impact assessments and preventive measures are logged and reported

9. Cloudflare Integration

  • DNS Security: DNS managed via Cloudflare, protecting from DNS-based attacks
  • WAF: Web Application Firewall blocks threats in real-time
  • DDoS Protection: Always-on mitigation via Cloudflare’s global edge network
  • Rate Limiting & Bot Protection: To prevent abuse of public-facing endpoints

10. Conclusion

Our infrastructure and practices are designed to protect user data, ensure application availability, and comply with regional and international privacy laws like GDPR. We continuously audit and update our systems for ongoing compliance and security.

If you have any further questions about AliveNow's privacy policy, please email us at [email protected] and we will get back to you.