oorja built with your privacy in mind, ensuring the content and communications stay confidential among collaborating users.
- All content-data is encrypted in transit and rest. By content-data we mean chat-messages, diagrams, code, terminal-stream-text or any data created among room-participants using the collaborative apps.
- Content-data is synced among participants using secure transports (TLS) when they are online in the room. Content-data is also end-to-end encrypted using 128-bit AES-GCM: oorja servers, and even trusted certificate authorities cannot read into it without the secret key (kept is room's secret link's fragment. The application does not send the secret key to any server or third party).
It is the responsibility of the room-participants to share room-links with trusted peers over trusted channels.
- Collaborative apps store content-data on users personal devices (browser storage) encrypted with room-key.
To facilitate collaboration in scenarios where participants are online at different times, content-data is also uploaded to the server as an encrypted snapshot and synced to the participants when they come back online.
- Some apps may involve use of external APIs (eg. GPT configured with OpenAI), in such cases the room host must authorize the app to use the API. Such apps will ask for your consent before accessing any other content in the room. (Eg. GPT app asks for consent to view diagrams in the whiteboard app)
- Media comms (camera, mic, screen) are end to end encrypted using the room key.
- Voice transcriptions if enabled require explicit consent. (eg. in the GPT app). When enabled the audio clip is sent from your device to our server for processing (encrypted but not e2ee anymore since computer needs to process this). The audio is not stored on the server. We use in-house speech-to-text models, no external APIs are involved.
- We provide a secure vault (dashboard) for users to store private information like room keys. This vault is protected using strong 256-bit AES-GCM encryption, with a key created from the user's password. The password never leaves your device, and all vault changes are made on-device. If you lose or forget your password, you won't be able to access your vault. The encrypted version of the vault syncs to our server, enabling access from multiple devices while maintaining security.
- How do you collect, store and secure user data ?We collect the user's email and profile from the identity provider they choose during sign-in - Google/Github. There can be other identity providers in the future. The sign-in process is used as an authentication challenge (to prove you're not a robot), to ensure fair-use, or payment accounting if any. Your email is not visible to the room participants you collaborate with, however if you use email sign-in, the part of your email before the @ is visible to the room (set as your name).
Data is stored within the US, and not shared with any third party. There are no ads or tracking on this website.
- Payment processingStripe for Payment Processing: We use Stripe, a leading online payment service provider, to process payments made through our app. Stripe specializes in secure online transactions. Please note that we do not store or have access to your credit card details. This information is directly managed by Stripe, which adheres to the highest industry standards for data security and privacy. For more information on Stripe’s security practices, please visit their website.
- How can users access, update or request the deletion of any personal data collected about them.You can email firstname.lastname@example.org from the email you used to sign-up.
- Is my IP address accessible to other participants in the room?No
- How users are notified of updates to the policy ?While we don't see policy values changing, we're working on notifications so that users are up to date on any minute changes.
- Contact details, so that users can make enquiries about their data, submit a privacy complaint, or submit a security vulnerability report.You can email email@example.com
- Still paranoid?We understand. As a business you may have certain requirements. We offer on-premise and tailored solutions. Contact us. Not a business? You can still self-host by purchasing a license.