DARA
SECURITY PDFLOGIN
// SECURITY · TRUST CENTER

Your data is yours.
Encrypted, scoped, never trained on.

DARA was built for SMBs, hospitality operators, and enterprise teams who care more about their data than their dashboard. Here's exactly what we do — in plain English — so you can show this page to your IT person, accountant, or board in 60 seconds.

DOWNLOAD ONE-PAGER SECURITY@DARAOS.AI
// 45 SECONDS · HOW DARA HANDLES YOUR DATA

What we actually do with it — visualised.

For anyone who wants the architecture in pictures rather than paragraphs. Read-only connectors, AES-256 at rest, TLS 1.3 in transit, tenant-isolated workspaces, zero training on your data. Same content as the security PDF — designed for the IT person or board member who has 45 seconds.

// READ-ONLY · ENCRYPTED · ZERO TRAINING
DARA:// FOUNDER · MESSAGE
DARA SECURITY ARCHITECTURE · 45 SECONDS · NO NARRATION · SUBTITLES ON-SCREEN
// VENDOR DUE-DILIGENCE

Doing IT review for your team? Get the answers in 15 minutes.

SOC 2 path DPA on request Data-residency Q&A Live, recorded if asked
// ENCRYPTION

AES-256 at rest, TLS 1.3 in transit

  • All OAuth tokens (Square, Xero, MYOB) encrypted at rest with AES-256 Fernet
  • Platform API keys encrypted in a dedicated MongoDB vault — never logged
  • Encryption keys derived from JWT_SECRET, rotated per environment
  • TLS 1.3 with HSTS enforced on every public endpoint
// ACCESS CONTROL

Per-workspace isolation, optional 2FA

  • Every database query is scoped by workspace_id — your data never crosses tenant lines
  • Passwords hashed with bcrypt (12 rounds, salted), never stored in plaintext
  • Optional TOTP 2FA (Google Authenticator, 1Password, Authy)
  • JWT bearer tokens with short TTL + re-issue on sensitive actions
// CONNECTOR SCOPES

Read-only. We never write to your books.

  • Xero: invoices.read · contacts.read · settings.read
  • Square: payments.read · orders.read · merchant.read · items.read
  • MYOB: sme-general-account · sme-general-contact · sme-general-sale
  • Zero write scopes anywhere — DARA can never modify your accounting or POS data
// AI & DATA USE

Your data is NEVER used to train AI

  • Customer data is never used to fine-tune Anthropic, OpenAI, or any LLM
  • DARA Briefings use RAG-style prompts only — your prompts go in, no learning comes out
  • No third-party tracking pixels (Google Analytics, Meta Pixel, X tag)
  • Anonymous network-org lookup via ip-api.com — only your IP is sent, only org name returned (no PII, no cookie). Country comes from a local GeoLite2 DB.
// YOUR RIGHTS

Export & delete with one click

  • Export ALL your workspace data as JSON — Settings → Privacy → Export
  • Permanently delete your workspace with typed confirmation — irreversible by design
  • Disconnect any OAuth grant instantly — Sources page → Disconnect
  • Full audit log of sensitive actions, visible to super-admins
// INFRASTRUCTURE

Production-grade hosting + named subprocessors

  • Hosted on Emergent (Kubernetes), TLS terminated at the edge
  • MongoDB multi-tenant by workspace_id, point-in-time backups
  • Subprocessors disclosed: Anthropic (AI), Resend (email), Emergent (compute)
  • SOC 2 Type II roadmap underway — happy to share status under NDA
// CONNECTOR PERMISSIONS · WHAT WE READ, WHAT WE WRITE

Every integration is read-only.

ServiceWhat DARA readsWrite accessStored encrypted
Square POSPayments · Orders · Merchant profile · Items✗ NONE AES-256
XeroInvoices · Contacts · Chart of accounts✗ NONE AES-256
MYOB AccountRightInvoices · Customers · Accounts✗ NONE AES-256
Webhook signaturesHMAC-verified before persistence✗ NONE AES-256

Questions your IT team or board need answered?

We'll respond within 1 business day. Custom DPAs, security questionnaires, and pen-test summaries available on request once you've signed up for a trial.

DOWNLOAD ONE-PAGER EMAIL SECURITY TEAM
BACK TO HOMEPAGE