Most of the services we use every day share one thing in common: we trust them with far more than they have earned. Email, phone number, location history, shopping habits, contacts, photos — all of it sits somewhere on someone else's servers, often in plain or barely-protected form. And when the next breach happens, we usually learn about it from the news, not from the company we trusted with our data.
DAPITA is built differently. And that difference does not start with a product — not with a marketplace, not with a travel service, not with a mobile app — but with a single point of entry: auth.dapita.net. This is not just a login screen. It is the infrastructural foundation on which the entire ecosystem stands, and at the same time it is a personal dashboard where each user can literally see who, when, and from where logged into their account, which devices are connected, and which sessions are active right now.
One door, many rooms
The idea behind DAPITA is simple: instead of registering on ten different services, keeping ten different passwords, and leaving traces of your data in ten different databases, a person creates one account — and that account opens the door to everything at once.
The ecosystem today already includes several live and upcoming directions: DAPITA Core (a self-hosted business platform), algo.dapita.net (a multi-AI platform for teams and developers), baas.dapita.net (Backend-as-a-Service for internal and external use), and other services that extend the same logic. All of them are connected to auth.dapita.net through a Single Sign-On system — a person logs in once, and from there moves between products without entering passwords again.
This sounds like convenience — and it is. But behind that convenience sits something far more important: a single point of control. If you have one account, then there is one place where you can see everything: where you are logged in, which devices are connected, which apps have access to your data, which subscriptions are active. And one place where you can revoke all of it with a single click.
Security you can see
Most services hide security from the user. "We use encryption" sounds reassuring, but you cannot verify it, you cannot influence it, and you cannot even understand what exactly is encrypted. DAPITA Security is built the other way around: security here is not an invisible layer, but an interface the user works with directly.
In the personal dashboard at auth.dapita.net every user can see:
- Security Score — a visual rating of how protected the account is. Weak password, missing two-factor authentication, old active sessions — all of it lowers the score and is highlighted as something worth fixing.
- Active sessions with device, browser, operating system, IP address, and country shown. Any of them can be revoked in a single click. Logged in from someone else's laptop and forgot to sign out? Close that session from your phone.
- Login history — who logged in and from where, successfully or not. The free tier shows the last 10 records; premium shows full history.
- Password, MFA, and passkey management. Passkeys are the modern replacement for passwords: the user's device confirms identity by biometrics or PIN. No SMS codes, no email codes.
- Suspicious-login alerts — on premium tiers, you can configure alerts for logins from new devices, new countries, or unusual patterns.
- IP and country whitelisting — on the Dapitium plan, you can completely block logins from anywhere except explicitly allowed countries or IP addresses.
And most importantly — data export and account deletion. These are not buried in the basement of a settings menu, only reachable through customer support. They are two buttons in the dashboard. Want to leave? Take your data and go, no bureaucracy.
Under the hood, in plain English
On the technical side DAPITA relies on principles that are considered the gold standard in the industry but are rarely brought together in a single product.
Passwords are never stored in plain text; that much is obvious. But the hashing is not done casually either: we use Argon2id, an algorithm specifically designed to make password cracking infeasible even on expensive hardware. It is slow by design, so every login takes a fraction of a second, and that is fine, because an attacker who steals the database would spend millions of years brute-forcing it.
Email and phone are also not stored in plain text. They are encrypted via HashiCorp Vault — a separate server holding the keys, physically isolated from the main application. Even if someone gets access to the database, they will see encrypted values they cannot link to real addresses without access to Vault. And Vault, in turn, requires its own authentication.
User lookup by email is its own story. To allow login by email without storing it in plain text, DAPITA uses HMAC hashing with a secret "pepper" (also stored in Vault). This makes it possible to verify "does this email exist" without being able to recover the original email from the database.
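The lookup scheme described above, as an added sketch that is not DAPITA's own code. It assumes HMAC-SHA256, a particular email normalization, and a hypothetical in-memory `UserStore`; the pepper is a constructed sample value standing in for the one held in Vault.

```python
import hashlib
import hmac
import unicodedata
from typing import Optional

# Constructed sample pepper; in the design described above it would come from Vault.
PEPPER = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def normalize_email(email: str) -> bytes:
    """Canonicalize so 'Alice@Example.com ' and 'alice@example.com' index alike."""
    return unicodedata.normalize("NFKC", email).strip().casefold().encode("utf-8")


def email_index(email: str, pepper: bytes = PEPPER) -> str:
    """Keyed lookup value stored in the database in place of the address."""
    return hmac.new(pepper, normalize_email(email), hashlib.sha256).hexdigest()


class UserStore:
    """Hypothetical in-memory stand-in for the users table."""

    def __init__(self) -> None:
        self._rows = {}

    def register(self, email: str, user_id: int) -> None:
        idx = email_index(email)
        if idx in self._rows:
            raise ValueError("email already registered")
        # Only the index is kept here; the encrypted address would sit beside it.
        self._rows[idx] = user_id

    def find(self, email: str) -> Optional[int]:
        return self._rows.get(email_index(email))

    def dump(self) -> list:
        """What a reader of the database alone would see: index values only."""
        return list(self._rows)


def confirmable_guesses(dumped: list, guesses: list, key: Optional[bytes]) -> int:
    """Count guessed addresses that can be confirmed against a dump with `key`."""
    def digest(g: str) -> str:
        if key is None:  # unkeyed SHA-256, for comparison with the keyed index
            return hashlib.sha256(normalize_email(g)).hexdigest()
        return email_index(g, key)
    return sum(digest(g) in dumped for g in guesses)
```

Without the pepper, a correct guess of the address still cannot be confirmed against the stored index, which is the property the paragraph relies on.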
Session tokens are short-lived. Access tokens live 15 minutes; refresh tokens live 30 days, and every refresh token is bound to a specific device and IP. If someone steals an access token, it works for 15 minutes at most; after that it needs a refresh, which immediately surfaces any anomaly.
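A sketch of the refresh check this paragraph implies, added here as an illustration and not taken from DAPITA's code base. The `SessionService` class, storing only a SHA-256 of the refresh token, and revoking on a binding mismatch are assumptions; the two lifetimes are the ones stated above.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

ACCESS_TTL = 15 * 60            # 15 minutes, as stated above
REFRESH_TTL = 30 * 24 * 3600    # 30 days, as stated above


@dataclass
class RefreshRecord:
    user_id: int
    device_id: str
    ip: str
    expires_at: float
    revoked: bool = False


class SessionService:
    """Hypothetical server-side store keyed by a hash of the refresh token."""

    def __init__(self):
        self._refresh = {}
        self.alerts = []  # (user_id, device_id, ip) of rejected refresh attempts

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user_id, device_id, ip, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._refresh[self._key(token)] = RefreshRecord(
            user_id, device_id, ip, now + REFRESH_TTL)
        return token, now + ACCESS_TTL  # refresh token, access-token expiry

    def refresh(self, token, device_id, ip, now=None):
        """Return a new access-token expiry, or None if the refresh is refused."""
        now = time.time() if now is None else now
        rec = self._refresh.get(self._key(token))
        if rec is None or rec.revoked or now >= rec.expires_at:
            return None
        if (device_id, ip) != (rec.device_id, rec.ip):
            rec.revoked = True  # binding mismatch: end the session and surface it
            self.alerts.append((rec.user_id, device_id, ip))
            return None
        return now + ACCESS_TTL
```

Strict IP equality also refuses a legitimate client whose address has changed; how the service treats that case is not stated on the page.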
Databases are sharded by country — DAPITA runs more than 240 separate databases, and a European user's data physically lives in Europe, a Latin American user's data lives in their region, and so on. This is not just performance — it is GDPR compliance in fact, not on paper: data does not cross jurisdictional borders unless it absolutely has to.
All of this runs fast. Simple token checks — over 5,000 requests per second on a single server. Login is rate-limited at around 80 requests per second — not because the system is weak, but precisely because Argon2 is intentionally slow. That is the price security always pays for resistance to brute-force, and DAPITA pays it on purpose.
Privacy as a setting, not a promise
In most services "privacy" is a paragraph in the policy document, written by lawyers for other lawyers. In DAPITA it is a set of switches the user controls themselves.
Want to make yourself unfindable by email — you can. Want to hide your location from other services in the ecosystem — you can. Want logins to be possible only from your devices and only from your country — you can. Want to see an audit of every action on your account for the last 90 days — you can (on the Dapitium plan).
This is what "privacy by design" actually means. Not "we protect you, trust us", but "here are the controls — configure them yourself". The difference is fundamental: in the first case the user is the object of protection; in the second, the user is the subject who decides how and from what to be protected.
Why this matters beyond DAPITA
One could reasonably ask: why all of this, if we are talking about a single project? The answer is that DAPITA Security is an attempt to show that it can be done differently. That a mass-market product does not have to be built on the trade-off "convenience versus privacy". That you can give a person a fast passkey login and at the same time not know their email in plain text. That you can have hundreds of services in the ecosystem and still have one place where the user sees and controls everything.
Security is not a feature you bolt on at the end. It is a decision you make at the start, and it determines everything else: which database, which infrastructure, which algorithms, which interfaces. DAPITA is built so this decision is right from day one — and so the user does not just take our word for it, but can open their dashboard and see with their own eyes how their data is protected and to whom it is accessible.
In a world where breaches have become the norm and indifference to privacy is the industry standard, this kind of position still passes for a luxury. In reality, it is just engineering, done honestly.