Legal · Security

Security, in
plain language.

Brainmox was built local-first because the safest place for your data is your own machine. Here's how we back that up.

Effective April 17, 2026 · Last updated April 17, 2026 · CloudAid Inc., C208B - 777 Bay Street, Toronto, Ontario, M5G2C8, Canada

Architecture

01

Local-first architecture

The desktop app runs on your machine. Conversations, files, workspaces, and vault contents live on your device, not in a multi-tenant cloud.

02

Loopback-only UI

The admin and chat UIs bind to 127.0.0.1. Nothing listens on the public internet unless you deliberately expose it.

03

Encrypted vault

Credentials, API keys, and tokens are stored in a vault encrypted with XChaCha20-Poly1305 and a key derived by Argon2id from your passphrase.

04

Secret scrubbing

Before any prompt reaches a language-model provider, a scrubber strips detected secrets and obvious PII from both inputs and outputs.

05

Hardened shell execution

When your agent runs a shell command, a validator blocks dangerous patterns (destructive flags, pipe-to-shell installs, etc.) before the command reaches your OS.

06

Three-layer runaway guards

Call budgets, idempotency guards, and loop detection stop an agent from burning through your machine, your wallet, or a remote API.

07

Full audit trail

Every run, every step, every tool call is logged locally in a queryable journal so you can reconstruct exactly what your agent did and why.

08

Encryption in transit

All network calls from the desktop app use TLS 1.2+. We verify certificates and do not ship pinned bypasses.

/ Operational practices

How we run
our own systems.

01Principle of least privilege for everyone at CloudAid. Production access is logged and time-bounded.
02Code reviews required for every change to production systems.
03Dependencies scanned continuously; security patches prioritized.
04Secrets managed through a dedicated vault service, never committed to source control.
05All CloudAid devices use full-disk encryption, hardware-backed authentication, and managed update policies.
06Incident response plan with defined roles and post-mortems that we share with affected customers.
/ Responsible disclosure

Found a vulnerability?
Tell us first.

If you believe you've found a security issue in Brainmox or the CloudAid infrastructure, email hello@brainmox.com with a description, reproduction steps, and your preferred contact. Please give us a reasonable window to fix the issue before public disclosure. We will credit researchers who want credit, and we respond to every report.

PGP key available on request.
CloudAid Inc. · hello@brainmox.com · +1-647-578-8440