// Trust & Security Report

    Anara Labs, Inc (product: Anara; formerly Unriddle) logo

    Anara Labs, Inc (product: Anara; formerly Unriddle)

    AI research assistant for scientific/document workflows (literature search, summarization, cited writing across up to 10,000 files)

    Certifications held

    5

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Independently audited against the AICPA Security Trust Services Criteria (SOC 2 Type II). Request SOC 2 → ... Our SOC 2 report covers the Security trust services criteria and is the product of an independent third-party audit.

    Verify on anara.com
    SOC 2 Type I
    HELD

    SOC 2 Type I — Compliant (listed under Compliance & Certifications)

    Verify on trust.anara.com
    ISO/IEC 27001:2022
    HELD

    Certified to ISO/IEC 27001:2022 for our information security management system. ... We maintain a formal information security management system under ISO 27001 with documented policies, risk assessments, and internal audits.

    Verify on anara.com
    GDPR
    HELD

    Compliant with the EU General Data Protection Regulation. ... For transfers of personal data out of the EU, we rely on Standard Contractual Clauses.

    Verify on anara.com
    HIPAA
    HELD

    Security page: 'Anara is HIPAA compliant and supports customers working with protected health information (PHI). ... BAA available for Enterprise customers.' BUT Trust Center lists: 'HIPAA — In Progress'. The two sources conflict; HIPAA is not an independently issued certification (it is a self-attested compliance posture / BAA offering), and the authoritative trust center marks it In Progress.

    Verify on trust.anara.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    United States only (primarily AWS, plus Vercel, Google Cloud, Microsoft Azure, Cloudflare). No EU-only data residency available; EU transfers covered by Standard Contractual Clauses.

    Anara states it never uses customer content (documents, chats, notes) to train any AI model, including aggregated/anonymized form, by default with no opt-in required. Only query-relevant passages are sent to LLM providers (OpenAI, Anthropic, Google), each under contractual no-training terms plus zero data retention (ZDR), so prompts/passages are not stored on provider systems after a request. NOTE: the consumer-facing Privacy Policy still lists 'model training purposes' among general business uses and discloses broad sharing with LLM/marketing providers, so the strong no-training guarantee is the product-data commitment in the Security page/Trust Center, not a blanket statement covering all personal data in the privacy policy.

    // Security controls

    Encryption in transit

    TLS 1.2 or higher

    anara.com

    Encryption at rest

    AES-256

    anara.com

    Zero data retention with LLM providers

    ZDR terms with all LLM providers; prompts and retrieved passages not retained after request

    anara.com

    Access control / MFA

    Least-privilege production access with mandatory MFA; audit logging of auth events; user-level 2FA with authenticator app + backup codes

    anara.com

    Enterprise identity

    SAML SSO, SCIM user provisioning, custom user roles, admin offboarding controls (Enterprise workspaces)

    anara.com

    HIPAA mode

    PHI routed to isolated storage with dedicated access controls + signed-URL delivery; AI runs through HIPAA-eligible endpoints; dedicated audit log; BAA for Enterprise

    anara.com

    Vulnerability disclosure

    Responsible disclosure via security@anara.com. No public bug-bounty program (HackerOne/Bugcrowd) found.

    anara.com

    Penetration testing

    Not explicitly stated on the security page; likely covered under SOC 2/ISO 27001 audits but no direct claim found

    anara.com

    Infrastructure & SDLC

    Infrastructure-as-code, peer-reviewed code before production, isolated private networks, object storage via short-lived signed URLs, continuous error/performance monitoring, documented BC/DR plan, status page

    anara.com

    Status page

    https://status.anara.com

    anara.com

    // Products & data scope

    Anara WebWeb app (AI research assistant)

    data: User-uploaded documents, library, notes, chats; processed in US; retrieval-augmented queries sent to OpenAI/Anthropic/Google under no-training + ZDR terms

    Core product. Free/individual and team tiers.

    Anara DesktopDesktop app

    data: Same data model as web; US processing

    Listed under Tools in site footer.

    Lector ViewerDocument/PDF viewer tool

    data: Document viewing

    Ancillary tool listed in footer.

    Anara Enterprise workspacesEnterprise tier

    data: Adds SAML SSO, SCIM provisioning, admin controls, HIPAA mode with isolated PHI storage, BAA availability

    Distinct compliance scope: BAA and HIPAA mode are Enterprise-only; DPA available to all via anara.com/dpa.

    // What to watch

    • Directory slug 'unriddle' maps to the rebranded vendor 'Anara' (Anara Labs, Inc). Confirm slug/name alignment in listing.
    • HIPAA conflict: homepage and security page state 'HIPAA compliant' with BAA for Enterprise, but the authoritative Trust Center lists HIPAA as 'In Progress'. HIPAA is a self-attested posture, not an issued certificate.
    • SOC 2 report and ISO 27001 certificate are gated (available under NDA via the Trust Center), not publicly downloadable, so certs are self-attested on the vendor's own domain rather than independently verified by a public artifact.
    • Consumer Privacy Policy lists 'model training purposes' among general business uses and broad third-party sharing; the strong no-training guarantee applies to product/library content per the Security page, a scope nuance worth surfacing.
    • No public bug-bounty program (HackerOne/Bugcrowd); responsible disclosure by email only. Penetration testing not explicitly claimed.
    • Large subprocessor list including multiple LLM/inference providers (OpenAI, Anthropic, Google, xAI/Grok, Fireworks, Groq, Novita) plus analytics/session-replay (PostHog) and device fingerprinting (FingerprintJS).

    // At a glance

    Pricing model

    Freemium SaaS subscription with paid individual/team tiers and an Enterprise tier (contact sales)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Anara Labs, Inc (product: Anara; formerly Unriddle)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.anara.com

    > Browse all vendor trust reports