Security

Danaya is built on a modern, secure architecture designed for reliability and performance.

• •Frontend hosted on Vercel with automatic HTTPS and edge caching
• •Backend REST API running on isolated Node.js instances
• •MongoDB Atlas database with encryption at rest and automated backups
• •Stateless API design — no session data stored on servers
• •Environment variables managed via secure vaults, never committed to code

Every seal created on Danaya relies on strong cryptographic primitives to guarantee media integrity.

• •SHA-256 hashing of media files for tamper-proof fingerprints
• •HMAC signatures to bind metadata (GPS, timestamp, device) to each seal
• •All communications encrypted via HTTPS/TLS 1.2+
• •Passwords hashed with bcrypt (salted, 12 rounds)
• •API keys generated with cryptographically secure random bytes

We use industry-standard mechanisms to verify identity and control access to resources.

• •JWT-based authentication with short-lived access tokens
• •Refresh token rotation to limit exposure on token theft
• •API key authentication for programmatic access with per-key scoping
• •Rate limiting on all endpoints (configurable per plan)
• •Account lockout after repeated failed login attempts

Your data is stored on certified infrastructure with strong availability and durability guarantees.

• •MongoDB Atlas hosted on AWS with SOC 2 and ISO 27001 certification
• •Automated daily backups with point-in-time recovery
• •Frontend and serverless functions hosted on Vercel (SOC 2 compliant)
• •Media files processed in memory and discarded after sealing — not stored on our servers
• •Verification data (hashes, metadata) stored long-term for seal validation

Danaya is designed to respect your rights under European and international data protection regulations.

• •GDPR-compliant data processing — minimal data collection, purpose limitation
• •LCEN compliance (French Digital Economy Confidence Act) with full legal notice
• •Right to access, rectify, and delete your personal data at any time
• •Data portability — export your seals and verification history
• •Cookie consent management with opt-in analytics
• •Data Processing Agreement (DPA) available for enterprise customers

We have processes in place to detect, respond to, and communicate about security incidents promptly.

• •24-hour incident response commitment for critical security issues
• •Automated monitoring and alerting on suspicious activity
• •Post-incident review and root cause analysis for every event
• •Affected users notified within 72 hours as required by GDPR
• •Continuous improvement of security measures based on findings

If you discover a vulnerability or have a security concern, please contact us immediately at: