Daphne Labs

Security

Security at Daphne Labs

Our strongest security control isn't a product — it's an architecture. When your data never leaves your device, there's very little for an attacker to reach.

Our posture

Local-first by design
Because we don't collect or store your data in the cloud, there is no central honeypot to breach, sell or leak. The attack surface is small on purpose.
Encrypted local storage
Where products hold sensitive data on your device, it is kept in encrypted local storage that never phones home.
No telemetry you didn't ask for
We don't run background tracking or silent analytics on your usage. What stays on your machine, stays on your machine.
Careful engineering
We validate inputs at boundaries, keep third-party dependencies minimal, and serve this site over HTTPS with modern security headers, DNSSEC and email authentication (SPF, DKIM, DMARC).

Reporting a vulnerability

If you believe you've found a security issue, please email security@daphnelabs.com. Our machine-readable policy lives at /.well-known/security.txt (RFC 9116). Please give us reasonable time to investigate and remediate before any public disclosure. We don't run a paid bug-bounty program yet, but we gratefully credit responsible reporters.

/.well-known/security.txt ↗

A note on scope

Our products are designed to protect your data on your device; keeping your own operating system, disk encryption and backups healthy is the other half of the picture. If you have questions about how a specific product handles your data, get in touch — we're glad to explain.

Last updated: July 2026