Security
Security at Daphne Labs
Our strongest security control isn't a product — it's an architecture. When your data never leaves your device, there's very little for an attacker to reach.
Our posture
- Local-first by design
- Because we don't collect or store your data in the cloud, there is no central honeypot to breach, sell or leak. The attack surface is small on purpose.
- Encrypted local storage
- Where products hold sensitive data on your device, it is kept in encrypted local storage that never phones home.
- No telemetry you didn't ask for
- We don't run background tracking or silent analytics on your usage. What stays on your machine, stays on your machine.
- Careful engineering
- We validate inputs at boundaries, keep third-party dependencies minimal, and serve this site over HTTPS with modern security headers, DNSSEC and email authentication (SPF, DKIM, DMARC).
Reporting a vulnerability
If you believe you've found a security issue, please email security@daphnelabs.com. Our machine-readable policy lives at /.well-known/security.txt (RFC 9116). Please give us reasonable time to investigate and remediate before any public disclosure. We don't run a paid bug-bounty program yet, but we gratefully credit responsible reporters.
A note on scope
Our products are designed to protect your data on your device; keeping your own operating system, disk encryption and backups healthy is the other half of the picture. If you have questions about how a specific product handles your data, get in touch — we're glad to explain.
Last updated: July 2026