Security
Built for the data you actually keep.
Aurora holds notes, conversations, and reflections you would never put in a Google Doc. We engineer accordingly.
End-to-end encrypted vault
Sensitive content is encrypted with keys derived from your password. We cannot read it. Period.
SOC 2 Type II
Audited annually. Report available under NDA — email security@aurora.app.
Regional data residency
Pick US, EU, or Asia Pacific at signup. Your data never leaves your region.
Bring-your-own keys
Enterprise tier: bring your own encryption key for full custody.
Full export, anytime
Markdown + JSON, including conversations, notes, and metadata. No lock-in.
Responsible disclosure
security@aurora.app — we triage within 24h and pay bounties for valid findings.
Sub-processors
Who else touches your data, and why.
| Provider | Purpose | Region |
|---|---|---|
| Stripe | Payments | USA |
| Resend | Transactional email | USA |
| Vercel | Hosting / edge | Global |
| Supabase | Database (region of your choice) | US / EU / APAC |
| OpenAI / Anthropic / Google / Perplexity | AI inference (zero retention) | Per request |
| Sentry | Error tracking | EU |
Reporting a vulnerability
Email security@aurora.app with a description and reproduction steps. We acknowledge within 24h. Valid findings receive a bounty starting at $500 and scaling with severity. PGP key on request.