Security

Los documentos legales por ahora solo están disponibles en inglés. Las versiones traducidas se publicarán después de la revisión legal.

Last updated: 2026-04-27. This page summarizes how Kompas protects your data on the desktop application, the Kompas Pro cloud service, and the public landing site.

1. Local-first desktop. Your sessions, notes, and graph are stored on your device. Provider credentials and other secrets are encrypted at rest using a key bound to your installation. Outgoing network calls are limited to the LLM, transcription, or sync providers you explicitly configure.

2. Pro cloud. Connections between the desktop application and Kompas Cloud use TLS 1.2 or higher. Hosted graphs are encrypted at rest. Access to production systems is restricted, audited, and protected with multi-factor authentication. Payment information is handled by Stripe; Kompas does not store full card numbers.

3. Public landing site. The site is static, served through Cloudflare Pages with a strict Content Security Policy and HTTPS-only delivery. We set restrictive headers for framing, referrer, permissions, and content types, and we do not run third-party tracking scripts on the marketing pages.

4. Open source and disclosure. The desktop application is open source under the MIT license; cloud-only components remain in private repositories. We follow a coordinated-disclosure approach: please report security issues through the channel listed on the contact page, and avoid public disclosure until we have had a reasonable opportunity to investigate and remediate.

5. Updates. Desktop updates are delivered through the app update channel and are documented in our internal change history. Critical security patches are prioritized and announced when relevant.