Security
How Aira protects your data — encryption, access controls, infrastructure, and compliance.
Overview
Aira is designed for regulated industries. Security is not a feature — it's the foundation.
Encryption
| Layer | Standard | Details |
|---|---|---|
| In transit | TLS 1.3 | All API traffic encrypted. HSTS preload enabled. HTTP auto-redirects to HTTPS. |
| At rest | AES-256-GCM | Provider API keys encrypted before storage. Database on encrypted volumes. |
| Receipt signing | Ed25519 | Every action receipt signed with Ed25519. Independently verifiable via JWKS. |
| Timestamps | RFC 3161 | Trusted timestamps from independent Time Stamp Authority. Court-admissible. |
Authentication
| Method | Details |
|---|---|
| API keys | HMAC-SHA256 derived. Constant-time comparison. Prefix-only stored after creation. |
| JWT sessions | HS256 signed. Configurable expiry. Used for dashboard access. |
| OAuth | Google, GitHub, GitLab. Optional — disabled by default in self-hosted. |
| SAML / OIDC SSO | Enterprise SSO with any IdP. Optional enforcement (SSO-only login). |
Access Controls
- Role-based: Owner, Admin, Member, Viewer — each with scoped permissions
- API key scoping: Keys tied to organization, revocable instantly
- Rate limiting: Redis-backed sliding window. Per-IP and per-org limits.
- Admin endpoints: Return 404 (not 403) to prevent enumeration
Infrastructure
| Component | Details |
|---|---|
| Hosting | Hetzner, Germany (EU). Data never leaves the EU for cloud deployments. |
| Database | PostgreSQL 17, encrypted volumes, automated backups with 14-day retention |
| Reverse proxy | Traefik v3.6 with auto-TLS, security headers (HSTS, X-Frame-Options, CSP) |
| Deployments | Zero-downtime via docker-rollout. Traefik health-aware routing. |
| Monitoring | Prometheus metrics, 5-minute uptime checks, structured JSON logging |
Self-Hosted
When deployed on your infrastructure:
- No data leaves your network — all processing is local
- You control the keys — Ed25519 signing keys generated and stored on your server
- BYOK for AI providers — your API keys, direct to provider, no Aira proxy
- License validation is offline — Ed25519 signature check, no phone-home
- Full DPA coverage — see our Data Processing Agreement for self-hosted specifics
Data Handling
- Hash-only mode: Aira stores `sha256` hashes of action details by default, not the raw content. You control whether details are stored via `store_details: true`.
- Deletion: Organization deletion permanently removes all data (users, actions, receipts, keys). GDPR Article 17 compliant.
- Anonymization: When a team member leaves, their personal data is anonymized. Audit trail preserved with "Deleted user."
- Retention: 7 years for audit proofs (configurable). Matches EU AI Act Article 12 requirements.
Vulnerability Reporting
If you discover a security vulnerability, please report it to security@softure-ug.de. We aim to acknowledge reports within 24 hours and resolve critical issues within 72 hours.
Compliance Assistance
Aira generates compliance evidence for:
- EU AI Act — Article 12 logging, Article 6 right-to-explanation, Article 9 risk categories, Annex IV technical documentation
- DORA — Incident reporting, third-party risk register, resilience testing
- GDPR — Automated decision transparency (Article 22), hash-only data minimization
- SOC 2 — Audit trail for CC7 (system operations), CC6 (logical access)
- SR 11-7 — Multi-model validation for financial institutions
- ISO 42001 — AI management system compliance bundles
Aira helps you achieve compliance with these frameworks. Aira itself is not SOC 2 or ISO 27001 certified. We are pursuing SOC 2 Type I certification.