Talk to us Get early access
Product Pricing About Careers Blog Talk to us
Security & data

Your code never leaves your machine.

aiworklab is local-first by design. The skill graph lives on your device. Cloud sync — when you opt into it — replicates concept-level facts only, never code. This page is a plain-English statement of what we do.

Pillar 01

Local-first by default.

SQLite on your device. Your skill graph, your history, your diff hashes — all of it stays on your machine unless you opt in to cloud sync.

Pillar 02

No code in the cloud.

Even with sync on, we replicate only concept-level facts. Source code, repository content, prompt text, and diffs never leave your boundary.

Pillar 03

BYO model means BYO keys.

LLM credentials live in your OS keychain. We never see them. The agent talks to your provider directly; we are not in the path.

Architecture, in plain English

aiworklab is a desktop application that runs on your machine. It opens a session against the agent harness you've chosen (Claude Code, Codex, T3 Code, or OpenCode) and listens to events the harness emits — plans, tool calls, diffs. Our teaching kernel runs locally and reads those events, tags concepts, decides whether a comprehension check is warranted, and updates your skill graph. None of this requires a network call to our servers.

If you turn on cloud sync (Pro tier and above), a small synchroniser sends concept-level deltas to our servers so your skill graph is consistent across devices. The wire format is concept identifiers and state transitions, with timestamps. It does not include code, diffs, file paths, prompt text, or any content from your repository.

Encryption

  • In transit. Every connection from the desktop app and website uses TLS 1.3.
  • At rest. Cloud-stored data is encrypted with AES-256 at the storage layer, with keys managed by AWS KMS.
  • On device. The local SQLite database is encrypted using SQLCipher when full-disk encryption is not detected on the host.
  • Credentials. Your LLM API keys live in the OS keychain (Keychain on macOS, DPAPI on Windows, libsecret on Linux). They are never written to our database or transmitted.

Authentication & access control

  • Personal accounts use OAuth (Google or GitHub) or email + magic link. We never store passwords.
  • Team and Enterprise tiers support SSO via OIDC (Google Workspace, Microsoft Entra ID, Okta).
  • Enterprise tier supports SCIM for user provisioning.
  • Admin actions require re-authentication. All admin actions are logged.

Org dashboard data

Team and Enterprise customers get an organisation dashboard. The data feeding this dashboard is concept-level and aggregated. A typical record looks like: {org: "acme", concept: "pg-advisory-locks", n_demonstrated: 7, retention_30d: 0.83}. There is no path from this record back to a specific person's source code.

Individual engineers can be excluded from org-level aggregations on request. Engineers always retain control of their personal skill graph and history.

Subprocessors

We use a minimal set of operationally-required service providers. The current list:

  • Amazon Web Services — hosting, storage, compute. US regions.
  • Stripe — payment processing.
  • Postmark — transactional email.
  • Sentry — error tracking. Configured to scrub user content.
  • Plausible Analytics — privacy-respecting marketing analytics on the website (no cookies, no personal data).

We will update this list when it changes and notify Team and Enterprise customers in advance.

Compliance roadmap

  • SOC 2 Type I — targeted Q1 2027.
  • SOC 2 Type II — targeted Q2 2027.
  • GDPR / UK GDPR — covered by our Privacy Policy and Data Processing Addendum (DPA available on request).
  • HIPAA — not covered. Do not use aiworklab to process protected health information.

On-prem & air-gapped deployment

Enterprise customers can deploy the entire stack — including the skill-graph store and dashboard — inside their own infrastructure, with optional air-gapped operation against a local model. There is no required connection to aiworklab's cloud in this configuration. Talk to team@aiworklab.com for deployment guides.

Vulnerability disclosure

If you've found a security issue, please email security@aiworklab.com. PGP key on request. We commit to:

  • Acknowledging your report within 24 hours during business days, 48 hours otherwise.
  • Working with you on a coordinated disclosure timeline.
  • Crediting you publicly when the issue is resolved (unless you prefer to remain anonymous).
  • Not pursuing legal action against good-faith researchers acting within the scope of this policy.

Out of scope: denial of service, social engineering of staff, physical attacks, third-party services we don't operate.

Incident response

We will notify affected customers without undue delay and within 72 hours of confirming a personal-data breach, in line with applicable law. Notifications include what happened, what data was affected, what we're doing about it, and what we recommend you do. Updates continue until the incident is closed.

Security questionnaires

For procurement teams, we maintain a standard security questionnaire response (SIG-Lite, CAIQ-Lite). Email security@aiworklab.com.