Security

Built for teams who take security seriously

Hadarac generates synthetic data — meaning no real PII ever enters our systems. Everything else we do is defence-in-depth.

  • SOC 2 Type II: via Supabase infra
  • GDPR Ready: EU & UK compliant
  • 0 day retention: delete anytime
  • TLS 1.3: all data in transit

Encryption at rest & in transit

  • All data encrypted at rest with AES-256 via Supabase Storage
  • All API traffic and dashboard communication uses TLS 1.3
  • Dataset files stored in private, access-controlled storage buckets
  • Database connections enforce SSL at the driver level

No data retention

  • We do not store any of your input prompts or schema descriptions beyond the session
  • Generated datasets are stored only in your own project scope — inaccessible to Hadarac staff
  • You can delete any dataset or your entire account at any time from the dashboard
  • Account deletion triggers immediate hard-delete of all associated data

SOC 2 & compliance

  • Hadarac is built on Supabase, which holds SOC 2 Type II certification
  • Our infrastructure inherits Supabase's security posture and audit trails
  • Access to production systems is restricted to named engineers and logged
  • We are working towards our own SOC 2 Type II certification (target: Q4 2026)

GDPR readiness

  • Hadarac is GDPR-compliant by design: we generate synthetic data rather than processing real PII
  • You remain the data controller for any data you upload (e.g. for Redact)
  • Data Processing Agreements (DPAs) available for Team and Enterprise customers on request
  • EU data residency available — your data can stay within the EU at all times

Data residency

  • Choose EU (Frankfurt) or US (N. Virginia) data residency at account creation
  • No cross-region data transfer without explicit consent
  • Enterprise customers can request dedicated regional infrastructure
  • Data sovereignty documentation provided on request for procurement teams

Access control & authentication

  • Authentication powered by Supabase Auth with bcrypt password hashing
  • JWT-based session tokens with 1-hour expiry and secure refresh rotation
  • Multi-factor authentication (MFA) available for all accounts
  • Row-level security (RLS) enforced at the database layer — users see only their data

Found a vulnerability?

We operate a responsible disclosure policy. Please report security issues to our security team and we'll respond within 24 hours.

security@hadarac.com

Enterprise procurement questions? Talk to sales or download our security questionnaire.