Security
Last updated May 2026
Anara is trusted by the teams behind work that is audited, submitted, and defended: regulatory and medical affairs in pharma and biotech, clinical and healthcare organizations, and the consultancies that support them. When your research has to clear a regulator, a client, or your own security team, how we handle your data matters as much as the answers we return. We hold the certifications enterprise procurement requires, encrypt your data in transit and at rest, and never use it to train AI models. The sections below detail how we protect your data at every layer. You can also browse all of our compliance documentation in our Trust Center.
Independently audited against the AICPA Security Trust Services Criteria (SOC 2 Type II).
Certified to ISO/IEC 27001:2022 for our information security management system.
Compliant with the EU General Data Protection Regulation.
Safeguards for protected health information. BAA available for Enterprise customers.
Certifications and third-party assessments
Anara is SOC 2 Type II and ISO/IEC 27001:2022 certified, and compliant with GDPR and HIPAA. Our SOC 2 report covers the Security trust services criteria and is the product of an independent third-party audit. We maintain a formal information security management system under ISO 27001 with documented policies, risk assessments, and internal audits.
Current customers and qualified prospects can access our SOC 2 report, ISO 27001 certificate, and other compliance documentation through our Trust Center.
Model training and data retention
Anara never uses your data to train AI models. Not your documents, not your chats, not in aggregated or anonymized form. This is the default for every account, not a setting you have to find and enable. We also never sell your data or share it with third parties for their own purposes.
Anara answers questions by retrieving the passages relevant to your query and sending only those to the AI provider that generates the response. Your full library never leaves our systems for this. We use OpenAI, Anthropic, and Google as model providers, and our agreement with each one contractually prohibits using your inputs or outputs to train or improve their models.
We operate under zero data retention (ZDR) terms with all of our LLM providers. Once a request is processed, your prompts and the retrieved passages are not retained on their systems. They exist only for the moment it takes to generate your answer.
Encryption
All data is encrypted in transit with TLS 1.2 or higher and encrypted at rest with AES-256. This covers your uploaded documents, the text and embeddings we derive from them, your notes and chats, and everything stored in our databases and object storage.
Infrastructure security
Anara runs on established United States cloud infrastructure: Amazon Web Services as our primary platform, alongside Vercel, Google Cloud, Microsoft Azure, and Cloudflare. We do not host or process data outside this vetted set of providers.
Application services run in isolated private networks. Stored files are kept in object storage that is not publicly accessible and is served only through short-lived signed URLs. Our infrastructure is defined and managed as code, so every change is version-controlled, reviewed, and reproducible.
Application and access security
Internal access to production systems follows the principle of least privilege and requires multi-factor authentication. Security-relevant events, including authentication and two-factor changes, are recorded in an audit log.
Every user can turn on two-factor authentication using an authenticator app with backup codes. Enterprise workspaces add single sign-on (SSO) over SAML, SCIM user provisioning, and admin controls so security teams can manage access and offboarding centrally. We also use device fingerprinting to detect and block fraudulent account activity.
Healthcare data and HIPAA
Anara is HIPAA compliant and supports customers working with protected health information (PHI). When HIPAA mode is enabled for an organization, PHI is routed to isolated storage with its own access controls and signed-URL delivery, AI processing runs through HIPAA-eligible model endpoints, and sensitive events are written to a dedicated audit log.
We provide a Business Associate Agreement (BAA) for Enterprise customers who handle PHI. Contact us through the Trust Center to request one.
Data ownership and deletion
Your content is yours. You can export your library at any time, and you can delete files, notes, or an entire workspace from your settings. When you delete a workspace, its data is removed from our systems.
Under GDPR and similar regulations, you can request access to or erasure of your personal data by emailing support@anara.com.
Data residency and subprocessors
Anara processes data in the United States. We rely on a vetted set of subprocessors to operate the service, each held to our security and privacy requirements. You can review them on our subprocessors page.
A Data Processing Agreement (DPA) is available for signature at anara.com/dpa, where you can review and sign it online. For transfers of personal data out of the EU, we rely on Standard Contractual Clauses.
Business continuity and reliability
We maintain a documented business continuity and disaster recovery plan with defined recovery objectives, and our databases are backed up automatically. Live system status and incident history are published at status.anara.com.
Secure development and monitoring
Changes to Anara go through a secure development lifecycle. Code is peer reviewed before it reaches production, and infrastructure changes are version-controlled and reviewed the same way.
We continuously monitor production with error and performance tracking, so we detect and respond to issues quickly. Sensitive workloads run in isolated, sandboxed environments separated from the rest of the system.
Reporting a vulnerability
We welcome responsible disclosure from the security community. If you believe you have found a security vulnerability, please email security@anara.com with the details. We investigate every report, keep you updated on our progress, and notify affected customers of any confirmed incident.
Frequently asked questions
No. Anara never uses your documents, notes, chats, or any other user content to train AI models, including our own. This is the default for every account, with nothing to opt into. Your content is used only to answer your questions.
To answer a question, Anara sends only the passages relevant to your query, not your whole library, to the AI provider that generates the response. We use OpenAI, Anthropic, and Google. Our agreement with each provider contractually prohibits training on your inputs or outputs, and we operate under zero data retention (ZDR) terms, so your data is not stored on their systems once a request is processed.
Yes. All data is encrypted in transit with TLS 1.2 or higher and at rest with AES-256. This covers your uploaded documents, the text and embeddings we derive from them, your notes and chats, and everything in our databases and object storage.
Anara processes and stores data in the United States, primarily on Amazon Web Services, with Vercel, Google Cloud, Microsoft Azure, and Cloudflare. EU-only data residency is not available today. For transfers of EU personal data we rely on Standard Contractual Clauses, and a DPA is available for signature at anara.com/dpa.
Anara is SOC 2 Type II and ISO/IEC 27001:2022 certified, and compliant with GDPR and HIPAA. You can request our SOC 2 report, ISO 27001 certificate, and other compliance documentation through our Trust Center, where they are available under NDA.
Yes. Anara supports customers working with protected health information (PHI), and we provide a Business Associate Agreement (BAA) for Enterprise customers. When HIPAA mode is enabled, PHI is routed to isolated storage with its own access controls and AI processing runs through HIPAA-eligible endpoints. Request a BAA through our Trust Center.
Yes. A Data Processing Agreement is available for signature at anara.com/dpa. For transfers of personal data out of the EU, we rely on Standard Contractual Clauses.
Our AI providers are OpenAI, Anthropic, and Google, each under a no-training, zero data retention agreement. Our subprocessors, including hosting and infrastructure providers, are listed on our subprocessors page.
Your library is private to you and to the people you explicitly share folders with, and we never share your content with other customers. Internal access to production systems is restricted on a least-privilege basis, requires multi-factor authentication, and is logged.
Yes. You can delete files, notes, or an entire workspace from your settings, and deleted workspace data is removed from our systems. You can also request erasure of your personal data under GDPR by emailing support@anara.com.
Yes. Enterprise workspaces include single sign-on (SSO) over SAML, SCIM user provisioning, and admin controls for centralized access management and offboarding. Every user can also enable two-factor authentication with an authenticator app.
Visit our Trust Center to request our SOC 2 report, ISO 27001 certificate, DPA, and other documentation, or email security@anara.com. We are happy to support your security questionnaire and review process.