Trust & Safety
Aura AI is built on a local-first philosophy. Your code and design documents are your IP — we take their protection seriously.
Prompts and code context sent to our AI providers are used solely to generate your response. Our enterprise API agreements strictly prohibit providers from using your workspace data for model training. Your IP stays yours.
All traffic between your machine and our LLM providers is encrypted in transit with TLS 1.3. Communication with the local engine never leaves your machine.
Authentication uses signed JWTs. Every session is validated server-side and scoped to your account, so one user's requests can never return another user's data.
We do not sell, rent, or share your usage data, code context, or personal information with advertisers or data brokers. Ever.
Aura AI runs as a native background service on your machine. It sends no background telemetry without your consent: it contacts our API only when you actively submit a prompt, unless you explicitly opt in to the Living GDD auto-sync feature.
Our backend enforces strict server-side authorization checks, so users can only ever access their own subscription and team data. Because these checks are applied at the API boundary, a request cannot reach another account's data, and your data stays isolated.
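As an added illustration of the two guarantees above (signed, server-validated sessions and per-account scoping at the API boundary), the Python sketch below is example code written for this page, not Aura's own implementation. It assumes an HS256-signed JWT with the account id in the `sub` claim, an in-memory `SUBSCRIPTIONS` table and a simple request dict; the page does not say which signing algorithm, key store or database Aura actually uses, so treat those as assumptions. The insecure handler beside the hardened one shows the failure the server-side check prevents: a client naming another account's subscription id and getting it back.

```python
"""Server-side session validation and per-account scoping (example, not Aura's code)."""
import base64
import hashlib
import hmac
import json
import time

# Assumed signing key for the example; a real service loads this from a secret store.
SECRET = b"example-signing-key-not-for-production"

# Constructed sample rows standing in for the subscription table.
SUBSCRIPTIONS = {
    "sub_1": {"account_id": "acct_alice", "plan": "pro", "credits": 120},
    "sub_2": {"account_id": "acct_bob", "plan": "free", "credits": 5},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(account_id: str, ttl: int = 3600, now=None) -> str:
    """Mint an HS256 JWT whose subject is the account id (server-side only)."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": account_id, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now=None) -> dict:
    """Check structure, pinned algorithm, signature and expiry; return the claims or raise."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except ValueError:  # bad base64, bad JSON, or wrong number of segments
        raise PermissionError("malformed token")
    # Pin the algorithm server-side; never let the token choose (alg=none, key confusion).
    if header.get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise PermissionError("bad signature")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise PermissionError("token expired")
    if not claims.get("sub"):
        raise PermissionError("no subject")
    return claims


def get_subscription_insecure(request: dict) -> dict:
    """Anti-pattern: trusts the client-supplied account id and never checks ownership (IDOR)."""
    _claimed_account = request["account_id"]  # attacker-controlled, and unused for access control
    return SUBSCRIPTIONS[request["subscription_id"]]


def get_subscription(request: dict, now=None) -> dict:
    """Hardened: identity comes only from the verified token, and the lookup is scoped to it."""
    auth = request.get("authorization", "")
    if not auth.startswith("Bearer "):
        raise PermissionError("missing bearer token")
    caller = verify_token(auth[len("Bearer "):], now=now)["sub"]
    row = SUBSCRIPTIONS.get(request["subscription_id"])
    # Same error for "does not exist" and "not yours" so ids cannot be enumerated.
    if row is None or row["account_id"] != caller:
        raise PermissionError("not found")
    return row


if __name__ == "__main__":
    token = issue_token("acct_alice")
    print(get_subscription({"authorization": "Bearer " + token, "subscription_id": "sub_1"}))
    try:
        get_subscription({"authorization": "Bearer " + token, "subscription_id": "sub_2"})
    except PermissionError as e:
        print("cross-account request rejected:", e)
```

The ownership test in `get_subscription` is the application-level twin of the database row-level security the table below mentions: even if a handler forgets the comparison, a policy that filters rows by the authenticated account id would still withhold another account's subscription.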
A transparent breakdown of every data type Aura touches, where it goes, and who can access it.
| Data Type | Where It Goes | Who Can See It |
|---|---|---|
| AI Prompts & Code Context | Aura API → Enterprise LLM Providers (per request only) | Providers for response generation only; not retained |
| GDD Files | Stored locally on your machine; sent as context only when you ask a question | You only; AI provider during active requests |
| Subscription Data | Remote database (protected by row-level security) | You only; Aura backend for credit deduction |
| Email Address | Auth provider; Resend for transactional email | Aura for account management; not shared with third parties |
| Payment Information | Stripe (we never see raw card data) | Stripe only |
| Chat History | Local machine only (in-memory during session) | You only; not synced to any server |
Found a security vulnerability? Please report it. We review all reports within 48 hours and will work with you to resolve the issue responsibly.
security@aurainc.co

We don't run a formal bug bounty program, but we will acknowledge your contribution publicly if you'd like.
We are building toward enterprise-grade compliance standards.
Planned. Our architecture is designed to be audit-ready, and we will pursue formal certification as the product scales.
Our data model supports GDPR requirements: data minimization, right to erasure, and no unnecessary retention. EU customers can request full data deletion at any time.
Client-side encryption for GDD files before they are included in any prompt context. Planned for a future release.