Kompas

Security

Legal documents are currently available in English only. Localized versions will be provided once legal review is complete.

Last updated: 2026-04-27. This page summarizes how Kompas protects your data on the desktop application, the Kompas Pro cloud service, and the public landing site.

1. Local-first desktop. Your sessions, notes, and graph are stored on your device. Provider credentials and other secrets are encrypted at rest using a key bound to your installation. Outgoing network calls are limited to the LLM, transcription, or sync providers you explicitly configure.

2. Pro cloud. Connections between the desktop application and Kompas Cloud use TLS 1.2 or higher. Hosted graphs are encrypted at rest. Access to production systems is restricted, audited, and protected with multi-factor authentication. Payment information is handled by Stripe; Kompas does not store full card numbers.

3. Public landing site. The site is static, served through Cloudflare Pages with a strict Content Security Policy and HTTPS-only delivery. We set restrictive headers for framing, referrer, permissions, and content types, and we do not run third-party tracking scripts on the marketing pages.

4. Open source and disclosure. The desktop application is open source under the MIT license; cloud-only components remain in private repositories. We follow a coordinated-disclosure approach: please report security issues through the channel listed on the contact page, and avoid public disclosure until we have had a reasonable opportunity to investigate and remediate.

5. Updates. Desktop updates are delivered through the app update channel and are documented in our internal change history. Critical security patches are prioritized and announced when relevant.
