// Trust & Security Report
Anara Labs, Inc (product: Anara; formerly Unriddle)
AI research assistant for scientific/document workflows (literature search, summarization, cited writing across up to 10,000 files)
Certifications held
5
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on anara.com“Independently audited against the AICPA Security Trust Services Criteria (SOC 2 Type II). Request SOC 2 → ... Our SOC 2 report covers the Security trust services criteria and is the product of an independent third-party audit.”
Verify on trust.anara.com“SOC 2 Type I — Compliant (listed under Compliance & Certifications)”
Verify on anara.com“Certified to ISO/IEC 27001:2022 for our information security management system. ... We maintain a formal information security management system under ISO 27001 with documented policies, risk assessments, and internal audits.”
Verify on anara.com“Compliant with the EU General Data Protection Regulation. ... For transfers of personal data out of the EU, we rely on Standard Contractual Clauses.”
Verify on trust.anara.com“Security page: 'Anara is HIPAA compliant and supports customers working with protected health information (PHI). ... BAA available for Enterprise customers.' BUT Trust Center lists: 'HIPAA — In Progress'. The two sources conflict; HIPAA is not an independently issued certification (it is a self-attested compliance posture / BAA offering), and the authoritative trust center marks it In Progress.”
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
United States only (primarily AWS, plus Vercel, Google Cloud, Microsoft Azure, Cloudflare). No EU-only data residency available; EU transfers covered by Standard Contractual Clauses.
Anara states it never uses customer content (documents, chats, notes) to train any AI model, including aggregated/anonymized form, by default with no opt-in required. Only query-relevant passages are sent to LLM providers (OpenAI, Anthropic, Google), each under contractual no-training terms plus zero data retention (ZDR), so prompts/passages are not stored on provider systems after a request. NOTE: the consumer-facing Privacy Policy still lists 'model training purposes' among general business uses and discloses broad sharing with LLM/marketing providers, so the strong no-training guarantee is the product-data commitment in the Security page/Trust Center, not a blanket statement covering all personal data in the privacy policy.
// Security controls
Zero data retention with LLM providers
ZDR terms with all LLM providers; prompts and retrieved passages not retained after request
anara.comAccess control / MFA
Least-privilege production access with mandatory MFA; audit logging of auth events; user-level 2FA with authenticator app + backup codes
anara.comEnterprise identity
SAML SSO, SCIM user provisioning, custom user roles, admin offboarding controls (Enterprise workspaces)
anara.comHIPAA mode
PHI routed to isolated storage with dedicated access controls + signed-URL delivery; AI runs through HIPAA-eligible endpoints; dedicated audit log; BAA for Enterprise
anara.comVulnerability disclosure
Responsible disclosure via security@anara.com. No public bug-bounty program (HackerOne/Bugcrowd) found.
anara.comPenetration testing
Not explicitly stated on the security page; likely covered under SOC 2/ISO 27001 audits but no direct claim found
anara.comInfrastructure & SDLC
Infrastructure-as-code, peer-reviewed code before production, isolated private networks, object storage via short-lived signed URLs, continuous error/performance monitoring, documented BC/DR plan, status page
anara.com// Products & data scope
data: User-uploaded documents, library, notes, chats; processed in US; retrieval-augmented queries sent to OpenAI/Anthropic/Google under no-training + ZDR terms
Core product. Free/individual and team tiers.
data: Same data model as web; US processing
Listed under Tools in site footer.
data: Document viewing
Ancillary tool listed in footer.
data: Adds SAML SSO, SCIM provisioning, admin controls, HIPAA mode with isolated PHI storage, BAA availability
Distinct compliance scope: BAA and HIPAA mode are Enterprise-only; DPA available to all via anara.com/dpa.
// What to watch
- Directory slug 'unriddle' maps to the rebranded vendor 'Anara' (Anara Labs, Inc). Confirm slug/name alignment in listing.
- HIPAA conflict: homepage and security page state 'HIPAA compliant' with BAA for Enterprise, but the authoritative Trust Center lists HIPAA as 'In Progress'. HIPAA is a self-attested posture, not an issued certificate.
- SOC 2 report and ISO 27001 certificate are gated (available under NDA via the Trust Center), not publicly downloadable, so certs are self-attested on the vendor's own domain rather than independently verified by a public artifact.
- Consumer Privacy Policy lists 'model training purposes' among general business uses and broad third-party sharing; the strong no-training guarantee applies to product/library content per the Security page, a scope nuance worth surfacing.
- No public bug-bounty program (HackerOne/Bugcrowd); responsible disclosure by email only. Penetration testing not explicitly claimed.
- Large subprocessor list including multiple LLM/inference providers (OpenAI, Anthropic, Google, xAI/Grok, Fireworks, Groq, Novita) plus analytics/session-replay (PostHog) and device fingerprinting (FingerprintJS).
// At a glance
Pricing model
Freemium SaaS subscription with paid individual/team tiers and an Enterprise tier (contact sales)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Anara Labs, Inc (product: Anara; formerly Unriddle)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.anara.com