Security overview.
Public summary of how we protect license keys, customer data, and the desktop app. Engineering-level details available on request.
At a glance.
- TLS 1.3 only on every endpoint, HSTS preload, Cloudflare in front of the API.
- 2FA + hardware key on Stripe, GitHub, and the domain registrar. No solo password access anywhere financial.
- License keys signed with RS256 — public key baked into the installer for offline verification.
- Card data never touches our servers. Stripe-hosted checkout only.
- No Google Analytics, no Facebook Pixel, no third-party trackers.
How we protect your license key.
Your license key is the functional credential. It binds to your account email plus the machines you authorize. We store a one-way hash of the key plus the canonical machine identifiers — never the raw key — and rotate JWT signing keys every 12 months. If you suspect your key was leaked, the License tab inside the app has a one-click revoke that fires a magic link to your billing email for confirmation.
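The RS256 signing and offline verification described above and in the summary list, as an added Go example that is not the product's own code. It assumes a JWT-style compact token (header.payload.signature), a claims schema with email, machine list and expiry, and a throwaway key pair generated in-process; in the real deployment the private key never leaves the licensing server and only the public key is embedded in the installer. StoredFingerprint shows the server-side record: a SHA-256 over the raw key and the sorted machine identifiers, so the raw key itself is never stored.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// LicenseClaims is the signed payload; field names are assumptions for this example.
type LicenseClaims struct {
	Email    string   `json:"email"`
	Machines []string `json:"machines"`
	Exp      int64    `json:"exp"`
}

var b64 = base64.RawURLEncoding

// DemoKeyPair makes a throwaway RSA key; in production only the public half ships in the installer.
func DemoKeyPair() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv
}

// SignLicense builds a compact JWT with RS256: RSASSA-PKCS1-v1_5 over SHA-256 of "b64(header).b64(payload)".
func SignLicense(priv *rsa.PrivateKey, claims LicenseClaims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, _ := json.Marshal(claims) // a plain struct of strings and ints cannot fail to marshal
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyLicense is the offline check the installer runs with the baked-in public key. The alg is
// pinned to RS256 before the signature is examined, so a header claiming "none" or an HMAC alg is rejected.
func VerifyLicense(pub *rsa.PublicKey, token string, now time.Time) (LicenseClaims, error) {
	var claims LicenseClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return claims, fmt.Errorf("malformed token")
	}
	headerJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return claims, err
	}
	var header struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(headerJSON, &header); err != nil {
		return claims, err
	}
	if header.Alg != "RS256" {
		return claims, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return claims, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return claims, fmt.Errorf("bad signature")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return claims, err
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return claims, err
	}
	if !now.Before(time.Unix(claims.Exp, 0)) {
		return claims, fmt.Errorf("license expired")
	}
	return claims, nil
}

// StoredFingerprint is all the server keeps: SHA-256 over the raw key plus the sorted machine IDs.
func StoredFingerprint(rawKey string, machines []string) string {
	ids := append([]string(nil), machines...)
	sort.Strings(ids)
	return fmt.Sprintf("%x", sha256.Sum256([]byte(rawKey+"\x00"+strings.Join(ids, "\x00"))))
}

func main() {
	priv := DemoKeyPair()
	tok, _ := SignLicense(priv, LicenseClaims{Email: "user@example.com", Machines: []string{"m2", "m1"}, Exp: time.Now().Add(time.Hour).Unix()})
	claims, err := VerifyLicense(&priv.PublicKey, tok, time.Now())
	fmt.Println(claims.Email, err, StoredFingerprint(tok, claims.Machines))
}
```

The verifier checks the header's alg before touching the signature on purpose: a verifier that dispatches on whatever alg the token names is the classic JWT mistake, and a fixed-algorithm installer has no reason to accept anything but RS256. Sorting the machine identifiers before hashing makes the stored fingerprint independent of the order the machines were authorized in.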
What happens if we detect abuse.
Every endpoint is rate-limited twice, once at Cloudflare and again in-app, and we watch for sustained abuse patterns on all of them. Five failed activations from one IP trigger a 15-minute lockout. Twenty failed activations against one license key trigger an automatic key freeze and an email to the customer. We err toward locking the door first and asking questions second; an unfreeze takes one human reply.
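The in-app half of the lockout and freeze logic above, as an added Go example that is not the product's own code. The thresholds (five failures per IP, 15-minute lockout, twenty failures per key) come from the text; the sliding window for counting IP failures is assumed to be as long as the lockout, since the overview does not state one, and the log line format fed to Replay is constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

type Decision string

// Thresholds from the overview: five failed activations from one IP ->
// 15-minute lockout; twenty against one key -> freeze until a human unfreezes.
const (
	ipFailLimit           = 5
	ipLockout             = 15 * time.Minute
	keyFailLimit          = 20
	Allowed      Decision = "allowed"
	IPLocked     Decision = "ip-locked"
	KeyFrozen    Decision = "key-frozen"
)

// Throttle holds the in-app counters. Assumption: IP failures are counted in a
// sliding window as long as the lockout; the overview does not state a window.
type Throttle struct {
	ipFails    map[string][]time.Time // recent failure times per IP
	ipLocked   map[string]time.Time   // IP -> lockout expiry
	keyFails   map[string]int         // failures per key since the last unfreeze
	frozenKeys map[string]bool
}

func NewThrottle() *Throttle {
	return &Throttle{map[string][]time.Time{}, map[string]time.Time{}, map[string]int{}, map[string]bool{}}
}

// Check runs before an activation is processed. A frozen key outranks an IP
// lockout because only a human reply clears it.
func (t *Throttle) Check(ip, key string, now time.Time) Decision {
	if t.frozenKeys[key] {
		return KeyFrozen
	}
	if until, ok := t.ipLocked[ip]; ok && now.Before(until) {
		return IPLocked
	}
	return Allowed
}

// RecordFailure updates both counters after a failed activation and returns the state that now applies.
func (t *Throttle) RecordFailure(ip, key string, now time.Time) Decision {
	t.keyFails[key]++
	if t.keyFails[key] >= keyFailLimit {
		t.frozenKeys[key] = true // a real deployment also emails the customer here
	}
	recent := t.ipFails[ip][:0] // in-place filter: keep only failures inside the window
	for _, ts := range t.ipFails[ip] {
		if now.Sub(ts) < ipLockout {
			recent = append(recent, ts)
		}
	}
	t.ipFails[ip] = append(recent, now)
	if len(t.ipFails[ip]) >= ipFailLimit {
		t.ipLocked[ip] = now.Add(ipLockout)
		t.ipFails[ip] = nil
	}
	return t.Check(ip, key, now)
}

// Unfreeze is the "one human reply" that clears a frozen key.
func (t *Throttle) Unfreeze(key string) {
	delete(t.frozenKeys, key)
	t.keyFails[key] = 0
}

// Replay feeds constructed log lines shaped like
// "2026-04-01T12:00:00Z ip=203.0.113.5 key=KEY-1 result=fail"
// through the throttle and returns one decision per line.
func Replay(t *Throttle, lines []string) ([]Decision, error) {
	var out []Decision
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("bad log line: %q", line)
		}
		now, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		ip, key := strings.TrimPrefix(f[1], "ip="), strings.TrimPrefix(f[2], "key=")
		d := t.Check(ip, key, now)
		if d == Allowed && f[3] == "result=fail" {
			d = t.RecordFailure(ip, key, now)
		}
		out = append(out, d)
	}
	return out, nil
}

func main() {
	fmt.Println(Replay(NewThrottle(), []string{"2026-04-01T12:00:00Z ip=203.0.113.5 key=KEY-1 result=fail"}))
}
```

The two counters are deliberately independent: the key counter is not keyed by IP, so twenty failures spread across twenty addresses still freeze the key, which is the case a per-IP limit alone would miss. The IP lockout expires on its own; the key freeze does not, matching the "one human reply" rule.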
Reporting a vulnerability.
Email security@localmodeldojo.com. PGP key on request. We acknowledge within 24 hours and aim to ship a fix within 7 days for confirmed issues. Coordinated disclosure preferred — give us a reasonable window before publishing details, and we'll credit you in the changelog if you want.
What we are not doing.
This is the candid part. We don't do SOC 2 yet — too small for the audit cost to make sense. We don't have a bug bounty program with cash payouts yet — same reason. We don't run penetration tests on a fixed schedule — we do them ad hoc with our network engineer when surfaces change. As we grow, all three of these get more formal. This section is accurate as of April 2026, and we'd rather state plainly what we have and don't have.