Security
Security and privacy are being built into Cairn before broad launch
How Cairn approaches local-first storage, authentication, cloud services, AI processing controls, and responsible disclosure.
Local-first design
Core project memory is stored locally on the user's device. Local storage reduces unnecessary cloud exposure for saved transcripts, projects, reports, chat history, todos, calendar records, and settings. Device security still matters: users should protect devices with OS-level locks, disk encryption, and backups.
Authentication
Supabase Auth is used for account sessions. Google OAuth and email OTP flows are present in the product. Authenticated agent and billing operations require a Supabase session.
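The session requirement above is only as strong as the server-side check behind it. The following is an added illustration, not Cairn's own code: a gate that an agent or billing edge function could run before touching usage or payment-link records. It assumes the HS256 scheme in which Supabase Auth signs access tokens with the project's JWT secret (projects on asymmetric signing keys would verify against the published JWK instead, and supabase-js's auth.getUser(token) wraps this check for you); the secret, user ids and header names below are constructed for the demo.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Constructed demo secret. A real function reads the project's JWT secret
// from its environment; it is never placed in source.
export const DEMO_JWT_SECRET = "constructed-demo-secret-do-not-use";

export interface SessionClaims {
  sub: string;   // Supabase user id
  aud: string;   // "authenticated" for signed-in users
  role: string;  // "authenticated" for signed-in users
  exp: number;   // expiry, seconds since epoch
}

const b64url = (s: string): string => Buffer.from(s, "utf8").toString("base64url");

// Mints an HS256 token. Used here only to build demo inputs: Supabase Auth
// issues real session tokens, an edge function never does.
export function mintToken(claims: SessionClaims, secret: string): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify(claims));
  const sig = createHmac("sha256", secret).update(`${header}.${payload}`).digest("base64url");
  return `${header}.${payload}.${sig}`;
}

// Verifies signature, algorithm, audience, role and expiry. Returns the claims
// or null; a null result means "no session" and the operation must be refused.
export function verifySession(token: string, secret: string, nowSec: number): SessionClaims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  let header: { alg?: string };
  let claims: Partial<SessionClaims>;
  try {
    header = JSON.parse(Buffer.from(h, "base64url").toString("utf8"));
    claims = JSON.parse(Buffer.from(p, "base64url").toString("utf8"));
  } catch {
    return null;
  }
  // Pin the algorithm server-side; never let the token's alg field choose the verifier.
  if (header.alg !== "HS256") return null;
  const expected = createHmac("sha256", secret).update(`${h}.${p}`).digest();
  const given = Buffer.from(s, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  if (claims.aud !== "authenticated" || claims.role !== "authenticated") return null;
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) return null;
  if (typeof claims.sub !== "string" || claims.sub.length === 0) return null;
  return claims as SessionClaims;
}

// Gate for an agent or billing handler: reads the bearer token from the request
// headers and returns the user id the operation may act for, or null.
export function requireSession(headers: Record<string, string>, secret: string, nowSec: number): string | null {
  const auth = headers["authorization"] ?? headers["Authorization"] ?? "";
  const m = /^Bearer\s+(\S+)$/.exec(auth);
  if (!m) return null;
  const claims = verifySession(m[1], secret, nowSec);
  return claims ? claims.sub : null;
}

// Demo run with constructed values: a valid session, an expired one, and one
// signed with the wrong secret. Only the first yields a user id.
export function demo(): { allowed: string | null; expired: string | null; forged: string | null } {
  const now = 1_700_000_000;
  const base = { aud: "authenticated", role: "authenticated" };
  const good = mintToken({ ...base, sub: "user-123", exp: now + 3600 }, DEMO_JWT_SECRET);
  const stale = mintToken({ ...base, sub: "user-123", exp: now - 1 }, DEMO_JWT_SECRET);
  const forged = mintToken({ ...base, sub: "user-999", exp: now + 3600 }, "wrong-secret");
  return {
    allowed: requireSession({ authorization: `Bearer ${good}` }, DEMO_JWT_SECRET, now),
    expired: requireSession({ authorization: `Bearer ${stale}` }, DEMO_JWT_SECRET, now),
    forged: requireSession({ authorization: `Bearer ${forged}` }, DEMO_JWT_SECRET, now),
  };
}
```

The user id the handler acts for comes from the verified sub claim, never from a request body field, so a client cannot run a billing operation for another account by naming it. The same gate should sit in front of usage-record writes, since those feed billing.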
Cloud services and data in transit
Supabase provides authentication, agent chat edge functions, usage records, billing records, and payment-link workflows. Razorpay is used for payment checkout when paid plans are enabled. AI providers process selected content when users request transcription, chat, cleanup, image understanding, reports, or planning.
Cloud requests are made over HTTPS to service providers. Cairn does not currently claim end-to-end encryption.
AI processing controls
Users choose when to record, upload, transcribe, or ask the assistant. Selected memory context is included in assistant requests when the user chooses a memory scope. The app should make context choice visible so users understand what is being sent.
Roadmap boundaries
Team/admin controls, SSO, audit logs, retention settings, enterprise rollout support, and compliance programs should be treated as roadmap or enterprise conversation items unless implemented and verified. Cairn does not currently claim SOC 2, HIPAA, GDPR compliance, zero retention by all providers, or enterprise-grade audit logs.
Responsible disclosure
If you believe you found a security issue, contact security@cairn.prepx.space. Include steps to reproduce and avoid accessing data that is not yours.