Security

How Arara protects your account, your purchases, and your devices.

Last updated: June 2026

App Security Review

Every app submitted to Arara undergoes a manual security review before appearing in the store. Our review checks for malware, spyware, unauthorized network calls, deceptive behavior, and compliance with our content policies. Apps are also scanned automatically on each release using ClamAV and VirusTotal before the new version goes live.

Account Security

  • Passwords are never stored — we use passwordless magic link login (Supabase Auth)
  • GitHub OAuth login uses the official OAuth 2.0 flow — Arara never sees your password
  • Session tokens are HTTP-only and Secure, and they rotate on each request
  • All API endpoints validate sessions server-side via cryptographic token verification
  • License keys are unique per purchase and cannot be transferred between accounts

Infrastructure

  • Platform hosted on Vercel Edge Network (SOC 2 Type II)
  • Database on Supabase (SOC 2 Type II, ISO 27001)
  • All data encrypted at rest (AES-256) and in transit (TLS 1.3)
  • Row Level Security (RLS) enforced on all database tables
  • No customer payment data stored on Arara servers — processed entirely by Whop

Bug Bounty

We take security reports seriously. If you discover a vulnerability in the Arara platform, please report it responsibly before public disclosure.

Responsible Disclosure

Email security@arara.app with a description of the vulnerability, steps to reproduce, and potential impact. We acknowledge all reports within 48 hours and will coordinate a fix before any public disclosure. Significant findings are eligible for recognition and rewards.

What to Do If You Suspect Compromise

  • Immediately email security@arara.app
  • Change the password for your linked GitHub or email account
  • Check your Library for any unrecognized purchases
  • We will revoke all active sessions and issue new credentials