Security & Privacy
Iara Data is built with security and privacy at its core. This page explains how we protect your data and the measures in place.
Data Protection
Encryption
| Layer | Protection |
|---|---|
| In Transit | All communications use TLS 1.3 encryption (HTTPS) |
| At Rest | Data stored in the data warehouse is encrypted using AES-256 |
| API Keys | Hashed with bcrypt — we never store plain-text keys |
| Passwords | Hashed with bcrypt + salt |
Data Isolation
Each tenant's data is completely isolated through:
- Separate database schemas per tenant
- Separate data namespaces
- Row-level security on shared tables
- JWT tokens scoped to tenant ID
No tenant can ever access another tenant's data.
PII Protection
The platform automatically detects and protects personally identifiable information (PII):
Auto-Detection
| PII Type | Detection Method |
|---|---|
| Email addresses | Pattern matching (user@domain.com) |
| Phone numbers | International format patterns |
| CPF | Brazilian individual tax ID (11 digits with check) |
| CNPJ | Brazilian company tax ID (14 digits with check) |
| Credit cards | Luhn algorithm validation |
How PII Is Handled
- Detection — Columns are automatically flagged as PII during upload analysis
- Masking — PII values are masked in query results (e.g., j***@example.com)
- Manual Override — You can mark additional columns as PII in the dataset editor
- Audit Trail — All PII access is logged in the audit log
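
The checks named in the Auto-Detection table (check digits for CPF and CNPJ, Luhn for cards, a pattern for email) and the masking step can be implemented as follows. This is an added example, not Iara Data's code: the function names, the email regex, the 80% column threshold, and the masking format for non-email types are assumptions, and phone-number detection is left out.

```python
import re

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

def digits(value):
    if not re.fullmatch(r"[0-9 .\-/]+", value):  # digits and separators only
        return []
    return [int(c) for c in value if c.isdigit()]

def mod11_digit(ds, weights):
    # Check digit shared by CPF and CNPJ: weighted sum mod 11.
    r = sum(d * w for d, w in zip(ds, weights)) % 11
    return 0 if r < 2 else 11 - r

def is_cpf(value):
    d = digits(value)
    checks = [mod11_digit(d[:9], range(10, 1, -1)), mod11_digit(d[:10], range(11, 1, -1))]
    # 111.111.111-11 and similar satisfy the checksum, so repeated digits are rejected.
    return len(d) == 11 and len(set(d)) > 1 and d[9:] == checks

def is_cnpj(value):
    d = digits(value)
    w = [6, 5, 4, 3, 2, 9, 8, 7, 6, 5, 4, 3, 2]
    checks = [mod11_digit(d[:12], w[1:]), mod11_digit(d[:13], w)]
    return len(d) == 14 and len(set(d)) > 1 and d[12:] == checks

def is_card(value):
    d = digits(value)
    # Luhn: from the right, double every second digit (minus 9 if above 9), sum, mod 10.
    total = sum(n if i % 2 == 0 else (2 * n - 9 if n > 4 else 2 * n)
                for i, n in enumerate(reversed(d)))
    return 13 <= len(d) <= 19 and total % 10 == 0

CHECKS = [("email", lambda v: EMAIL_RE.fullmatch(v) is not None),
          ("cpf", is_cpf), ("cnpj", is_cnpj), ("credit_card", is_card)]

def classify_column(values, threshold=0.8):
    """PII type when at least `threshold` of non-empty values validate (assumed rule)."""
    vals = [v.strip() for v in values if v and v.strip()]
    for name, check in CHECKS:
        if vals and sum(check(v) for v in vals) / len(vals) >= threshold:
            return name
    return None

def mask(value, pii_type):
    if pii_type == "email":  # j***@example.com, the format shown on this page
        local, _, domain = value.partition("@")
        return f"{local[:1]}***@{domain}"
    return "*" * (len(value) - 2) + value[-2:]  # assumed format for other types
```

Validating check digits rather than matching on length alone keeps ordinary 11- or 14-digit identifiers (order numbers, internal IDs) from being flagged as CPF or CNPJ columns.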

Authentication & Authorization
Authentication Methods
| Method | How It Works |
|---|---|
| Email + Password | Standard login via the web interface |
| Invitation Links | Secure token-based invite acceptance |
| API Keys | Bearer token authentication for programmatic access |
| SSO/SAML | Available on Business plan — federated authentication |
Authorization
Access is controlled through:
- Roles — Admin, Developer, Analyst, Billing (see Team & Roles)
- Scopes — Fine-grained permissions (e.g., ingest:write, kpi:read)
- Tenant isolation — JWT tokens enforce tenant boundaries
Idempotency & Data Integrity
All mutating API operations support idempotency keys to prevent duplicate operations. This ensures data integrity even during network retries.
Rate Limiting
API endpoints are rate-limited per plan to prevent abuse:
| Plan | Requests/minute |
|---|---|
| Free | 30 |
| Starter | 60 |
| Growth | 120 |
| Business | 300 |
Rate-limited requests receive a 429 Too Many Requests response with an X-RateLimit-Reset header indicating when to retry.
Audit & Compliance
- Full audit logging of all significant actions (see Audit Log)
- Immutable audit trail — records cannot be modified or deleted
- LGPD/GDPR compliance — PII detection, masking, and data isolation
- Data export — Users can export their data at any time
Infrastructure Security
| Measure | Description |
|---|---|
| Cloud hosting | GCP (Google Cloud Platform) with regional data residency |
| Container isolation | Each service runs in isolated containers |
| Network security | Internal services communicate over private VPCs |
| Dependency scanning | Automated vulnerability scanning of all dependencies |
| Secrets management | No secrets in code — all via environment variables |
Reporting vulnerabilities: If you discover a security issue, please email security@iaradata.com. We will investigate and respond within 24 hours.