Trust & Safety

Security & Privacy

Aura AI is built local-first. Your source code, design docs, chats, and project memory stay under your control, and your content is not used for training.

Our commitments

🚫

No training on your content

Your source code, design docs, prompts, and project context are not used for model training. Aura is built for commercial projects where unreleased mechanics, lore, and production plans need to stay yours.

Security

TLS 1.3 in transit

Account, billing, update, diagnostic, and prompt traffic is encrypted in transit. Local engine communication stays on your machine.

🔑

Authentication secured

Authentication is handled via secure JWTs. User sessions are validated server-side and scoped securely to your account, ensuring data isolation.

🛡️

No data sold to third parties

We do not sell, rent, or share your usage data, code context, or personal information with advertisers or data brokers. Ever.

Local

Hub runs locally

Aura AI is a native background service that runs on your machine. Project context, GDDs, pages, rules, chats, and project memory are local-first and do not sync to a cloud workspace by default.

🗄️

Strict Data Isolation

Our backend enforces rigid server-side validation, ensuring users can only ever access their own subscription and team data. This prevents unauthorized access at the API boundary, guaranteeing your data stays isolated.

What goes where

A transparent breakdown of every data type Aura touches, where it goes, and who can access it.

Data Type Where It Goes Who Can See It
AI Prompts & Code Context Used only to answer the request you submit Aura request path for response generation only; not used for training
GDD Files Stored locally on your machine; not synced to a cloud workspace by default You; used only as request context when needed
Subscription Data Remote database (RLS-protected) You only; Aura backend for credit deduction
Email Address Auth provider; Resend for transactional email Aura for account management; not shared with third parties
Payment Information Stripe (we never see raw card data) Stripe only
Chat History Local machine only (in-memory during session) You only; not synced to any server
Issue

Responsible Disclosure

Found a security vulnerability Please report it. We review all reports within 48 hours and will work with you to resolve the issue responsibly.

security@aurainc.co

We don't run a formal bug bounty program, but we will acknowledge your contribution publicly if you'd like.

Compliance roadmap

We are building toward enterprise-grade compliance standards.

📋

SOC 2 Type II

Planned. Our architecture is designed to be audit-ready. We will pursue formal certification as the product scales.

Planned
🇪🇺

GDPR-Ready Architecture

Our data model supports GDPR requirements: data minimization, right to erasure, and no unnecessary retention. EU customers can request full data deletion at any time.

In place
🔒

End-to-End Encryption for GDDs

Additional client-side controls for GDD handling and team policy enforcement. Planned for a future release.

Planned