Haven / Security & Privacy

Private by design. Encrypted by default.

Haven is the browser-side surface of MindooDB's trust model. Data is encrypted on the client before it ever reaches a server, apps run in sandboxes with granular permissions, and you choose where the data actually lives.

Encryption model

Keys stay on the client

Haven builds on MindooDB's end-to-end encryption. Documents, attachments, and history are encrypted on your device before they leave it. Servers - including the Mindoo demo server and any server you run yourself - only store ciphertext.

  • Client-side keys under user control, never uploaded as plaintext.
  • No plaintext passes through Haven, the sync server, or the hosting infrastructure.
  • Signed, append-only history inherited from MindooDB core.
  • Content-addressed sync exchanges only the encrypted entries a device is missing.

See the MindooDB Security Model and Architecture for the full cryptographic design that Haven consumes.

Trust model

Keys stay on your devices

Screenshot: Haven tenant management view showing tenant-level context.
Tenants keep data boundaries clear

Haven shows tenant-level context while MindooDB keeps the encrypted data model separated by the tenant a user is working in.

Tenant lifecycle

Start local, publish when you are ready

Haven does not force you onto a server on day one. You can create the full MindooDB world locally and bring people in later, under your terms.

Create locally

Generate users, admins, tenants, and databases entirely in the browser - even offline. No desktop install, no account required.

Work offline

Keep editing while the network is gone. Haven resumes sync automatically when connectivity returns.

Publish a tenant

When a tenant is ready for collaboration, push it to a MindooDB server and invite members through a guided onboarding flow.

Secure onboarding

Tenant access and required encryption keys are shared through the onboarding flow, not copy-pasted out of band.

Sync flexibility

Push-only, pull-only, or bidirectional

Screenshot: Haven Sync page listing tenant databases with direction indicators and a Sync menu open on the "Docs only, no attachments" option.
Sync page: per-database push-only, pull-only, or bidirectional sync, with the option to transfer documents only or documents plus attachments.

Each Haven-to-server connection can be configured independently. Pick the mode that matches your workflow:

  • Push-only - publish changes upstream, for example from a field device to a central archive.
  • Pull-only - read from a server without contributing local changes, for reporting or read-only clients.
  • Bidirectional - full two-way collaboration for everyday teamwork.

Because MindooDB's wire format is content-addressed, sync always transfers only the encrypted entries a peer is missing - no matter which mode you pick.

Backup

Built-in backup for in-browser data

Haven ships with a backup function for the data stored locally in the browser. Use it to keep offline tenants safe, snapshot a state before risky operations, or migrate between devices.

  • One-click backup of the current Haven instance's data.
  • Works locally even without a server connection.
  • Complements server sync when you run a MindooDB server yourself.
  • Automatic backup is planned for Haven Enterprise.

Screenshot: Haven Preferences backup tab for downloading encrypted backups, restoring from backup, and factory reset.
Backup page: export encrypted browser data, restore from a backup file, or factory reset the local Haven instance.

App sandboxing

Apps only see what you grant them

Diagram: App sandbox and permissions.

Screenshot: Haven application properties panel showing logical database mappings for an app.
Configure app data sources

Applications bind to logical database IDs, so the concrete tenant or database can be switched through configuration as environments move from testing to QA to production.


Apps in Haven are strictly isolated. They cannot reach Haven's storage, your other apps, or data you have not explicitly shared.

  • Sandboxed iframes on separate origins for every app.
  • Opaque-origin sandbox for Haven-hosted app bundles served by the service worker.
  • No shared storage - all data flows through the Haven bridge under explicit consent.
  • Capability-based permissions covering read, create, update, delete, history, attachments, and view creation.
  • Per-app scoping - apps only see the databases and views you grant them.
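The two passages above (logical database bindings, and the bridge that enforces capability grants per app) can be shown together. This is an added example and not Haven's code: the grant layout, the app, tenant and database names, and the `frameRegistry` map are all assumptions; the capability list is the one the page names.

```javascript
// Added example, not Haven's own code: a host-side gate for requests that
// reach the Haven bridge from an app frame. Grants are per app, keyed by the
// logical database ID the app binds to, and hold the capabilities the page lists.
const CAPABILITIES = new Set([
  "read", "create", "update", "delete", "history", "attachments", "view_create",
]);

// Constructed sample grants; app, tenant and database names are hypothetical.
const sampleGrants = {
  "contacts-app": {
    "logical:contacts": {
      // Concrete mapping behind the logical ID, switchable per environment.
      target: { tenant: "tenant-qa", database: "contacts-qa" },
      capabilities: new Set(["read", "update", "history"]),
    },
  },
};

// Decide whether one request is allowed. Returns a result object instead of
// throwing so the host can log every denial the same way.
function authorize(grants, appId, logicalDb, capability) {
  if (!CAPABILITIES.has(capability)) {
    return { ok: false, reason: "unknown capability" };
  }
  const appGrants = grants[appId];
  if (!appGrants) return { ok: false, reason: "unknown app" };
  const binding = appGrants[logicalDb];
  if (!binding) return { ok: false, reason: "database not granted to app" };
  if (!binding.capabilities.has(capability)) {
    return { ok: false, reason: "capability not granted" };
  }
  // Resolve the logical ID to its concrete tenant/database only after the
  // check passes, so a denied app learns nothing about other databases.
  return { ok: true, target: binding.target };
}

// Dispatch one postMessage event from an app frame. Frames in an opaque-origin
// sandbox report origin "null", so the app's identity comes from matching
// event.source against the host's registry of frame windows, never from the
// origin string or from anything the message claims about itself.
function handleBridgeMessage(grants, frameRegistry, event) {
  const appId = frameRegistry.get(event.source);
  if (!appId) return { ok: false, reason: "message from unregistered frame" };
  const { logicalDb, capability } = event.data || {};
  return authorize(grants, appId, logicalDb, capability);
}
```

In a real host the registry maps each app iframe's `contentWindow` to its app ID, and the message handler is attached with `window.addEventListener("message", ...)`.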

Change intelligence

Explain collaboration, do not hide it

DAG explorer

Navigate a document's full change history as a graph. See who changed which fields, when, and how Automerge's merge logic combined concurrent edits. Great for debugging and provenance.

  • Authorship and field-level attribution across merges.
  • Helps explain CRDT behavior to users without hand-waving.
  • Useful for audits and compliance narratives.

Virtual Views

A secure analytical layer on top of encrypted data. Filter, categorize, sort, and aggregate documents across a database, multiple databases, or multiple tenants - all evaluated under the same permission model.

  • Operational dashboards, rollups, and worklists without exposing raw data.
  • Haven and apps can share views or define their own.
  • Column formulas, filters, and derived structure through a typed builder.

Screenshots: DAG Explorer and Virtual Views: inspect document history, then build categorized views across encrypted databases.

Screenshot: Haven DAG Explorer showing a document's merge history and materialized document state.
DAG Explorer: The DAG Explorer explains collaboration history: who changed which fields, when changes happened, and how the document state materializes at a selected point in time.

Screenshot: Haven Virtual Views result surface showing a multi-level categorized contacts view across two databases.
Virtual Views result surface: A multi-level categorized view combines contacts from two contacts databases in different tenants. Selected rows can be exported as an XLSX file.

Screenshot: Haven Virtual Views designer showing expressions for computing categories, columns, creation dates, and origin databases.
Virtual Views designer: This long screenshot is scrollable. It shows how a Virtual View is designed with Haven's view expression language, computing values from document metadata and fields such as the first character of the last name, the document creation date, or the origin database.

Where your data lives

Three topologies, one client

Haven Community supports every mode out of the box. You can move between them without changing clients - only the connection target changes.

Local only
Fully in the browser

Tenants stay on the device. No server, no sync, no account. Perfect for personal notes, drafts, or offline demos.

  • Zero infrastructure.
  • Ideal for evaluation and single-user use.
  • Pair with Haven's built-in backup for safety.

Mindoo demo server
Try team features

Push a local tenant to the hosted Mindoo demo server and invite real collaborators over real sync.

  • Fastest way to experience multi-user Haven.
  • Data on the demo server is wiped periodically.
  • Use it for evaluation, not for production data.

Self-hosted
Your own MindooDB server

Run your own MindooDB server and point Haven at it. You keep ciphertext; Haven stays the same client.