Aarunya Apps

Security Policy

Last updated: June 2026

Our security architecture

Aarunya Apps is designed so that your data never reaches our servers. All processing happens inside your browser tab using WebAssembly, JavaScript, and local storage APIs. This is not a policy promise — it is an architectural guarantee.

🛡️ Zero server storage

No input from .env Sanitizer, Schema Generator, Email Signature, or AI Regex Generator is persisted on any server.

🔒 TLS everywhere

All connections to aarunyaapps.com are enforced over HTTPS/TLS 1.2+. HSTS is enabled.

🍪 No tracking cookies

We use Cloudflare Web Analytics — cookieless, GDPR-compliant, no cross-site tracking.

🌐 Content Security Policy

CSP headers restrict script sources and block inline script injection attacks.

AI Regex — what travels over the wire

The AI Regex Generator is the only tool that makes external network calls. Here is exactly what happens:

  1. You type a plain-English description of the pattern you need.
  2. That description is sent to our Cloudflare Worker proxy (ai-proxy.aarunyaapps.workers.dev), which forwards it to OpenRouter.
  3. The AI response (regex + explanation) is returned to your browser. The response is not stored.
  4. Your actual data — the strings you test against the regex — never leave your browser.

Responsible disclosure

We take security seriously. If you discover a vulnerability, please disclose it responsibly:

Contact: security@aarunyaapps.com

  • Include a description of the vulnerability and reproduction steps.
  • Allow reasonable time (90 days) for us to investigate and patch before public disclosure.
  • We will acknowledge your report within 48 hours.
  • We do not have a formal bug bounty program at this time, but we will credit researchers who help us improve security.

Scope

In-scope for disclosure:

  • aarunyaapps.com and www.aarunyaapps.com
  • ai-proxy.aarunyaapps.workers.dev
  • og-fetcher.aarunyaapps.workers.dev

Out of scope:

  • Denial of service attacks
  • Social engineering of Aarunya staff
  • Third-party services (Cloudflare, OpenRouter infrastructure)

Pro data storage

Pro subscribers can save tool outputs. The storage model is entirely client-side:

  • Storage medium: Browser IndexedDB — survives page reload, cleared when you clear browser data.
  • Encryption: AES-GCM, 256-bit. The encryption key is derived from a device-local UUID stored in localStorage.
  • No server sync: Saved outputs are never transmitted to Aarunya servers. We technically cannot read them.
  • Key revocation: Clearing your browser storage permanently deletes all saved outputs. There is no recovery path.
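
The storage model above, sketched with the Web Crypto API as an added example (not Aarunya's code). The HKDF-SHA-256 derivation step, the `saved-outputs-v1` label, and the function names `deriveKey`, `sealOutput` and `openOutput` are assumptions, since the page does not name them.

```javascript
// Added illustration, not Aarunya's code. All names and sample values are constructed.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto; // browser or Node
const enc = new TextEncoder();

// Assumption: HKDF-SHA-256 turns the device UUID into the AES-GCM key
// (the page does not name the derivation function).
async function deriveKey(deviceUuid) {
  const ikm = await wc.subtle.importKey("raw", enc.encode(deviceUuid), "HKDF", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "HKDF", hash: "SHA-256", salt: new Uint8Array(0), info: enc.encode("saved-outputs-v1") },
    ikm,
    { name: "AES-GCM", length: 256 },
    false, // non-extractable CryptoKey
    ["encrypt", "decrypt"]
  );
}

// Encrypt one saved output; { iv, ct } is what would be written to IndexedDB.
async function sealOutput(key, text) {
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh 96-bit nonce per record
  const ct = new Uint8Array(await wc.subtle.encrypt({ name: "AES-GCM", iv }, key, enc.encode(text)));
  return { iv, ct };
}

// Decrypt a record; rejects if the key is wrong or the ciphertext was modified.
async function openOutput(key, record) {
  const pt = await wc.subtle.decrypt({ name: "AES-GCM", iv: record.iv }, key, record.ct);
  return new TextDecoder().decode(pt);
}

const outcome = (p) => p.then(() => "decrypted", () => "rejected");

async function demo() {
  const uuid = wc.randomUUID(); // stands in for the value kept in localStorage
  const record = await sealOutput(await deriveKey(uuid), "API_KEY=<redacted>");
  const sameDevice = await openOutput(await deriveKey(uuid), record);
  // A new UUID (as after localStorage is cleared) cannot open a surviving copy of the record.
  const afterClear = await outcome(openOutput(await deriveKey(wc.randomUUID()), record));
  // Flipping one ciphertext bit fails the GCM tag check.
  const tampered = { iv: record.iv, ct: record.ct.slice() };
  tampered.ct[0] ^= 1;
  const afterTamper = await outcome(openOutput(await deriveKey(uuid), tampered));
  return { sameDevice, afterClear, afterTamper };
}

demo().then(console.log);
```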

API Access (coming — Team plan)

The Team plan will include REST API access to select tools. Architecture:

Auth model

API key per Team account, stored in Cloudflare KV. Keys are validated in the Worker on every request — never exposed client-side.

Rate limits

Pro: 100 req/day · Team: 1,000 req/day. Enforced at the Worker level with KV counters per API key.

Endpoints (planned)

POST /api/v1/sanitize (.env Sanitizer) · POST /api/v1/schema (Schema Generator). No AI endpoints in v1.

Data handling

API request payloads are processed in-memory and not logged. No payload persistence on any storage layer.

Third-party services

Aarunya Apps uses the following third-party services. Each has its own security and privacy policy:

  • Cloudflare (CDN, Workers, Web Analytics)
  • OpenRouter (AI model routing — only used by AI Regex Generator)
  • Paddle (payment processing — for Pro and Team plans)

Questions about security? security@aarunyaapps.com