Security

Report a vulnerability.

We take security seriously and welcome good-faith reports. Trust is the product — if you find a weakness, please tell us.

How to report

Email security@roselyn.ai with a description of the issue, steps to reproduce, and anything we need to confirm it. A machine-readable contact is published at/.well-known/security.txt.

We aim to acknowledge reports within a few business days (Roz is built by a small team, so please bear with us). Please give us a reasonable window to fix an issue before disclosing it publicly.

Safe-harbor

We won't pursue legal action for good-faith security research that avoids privacy violations, data destruction, and service disruption, and that gives us a chance to respond before public disclosure. Please don't access or modify other people's data, and stop at the first confirmation of a vulnerability.

Our security posture

  • Signed, notarized, and verifiable

    Every build is Developer-ID signed and notarized by Apple, so macOS Gatekeeper trusts it. Each release publishes a SHA-256 checksum to verify before you run it. Updates are additionally EdDSA-signed and verified offline by the app.

  • Local-first — the data path is short

    Roz reads your sources and stores what it learns in a local, encrypted vault on your Mac. We don't receive a copy. Bring your own key and prompts go straight from your machine to your provider, never through us.

  • Minimal server surface

    Our servers hold only account and billing records. Card data goes directly to Stripe; authentication is handled by WorkOS. Traffic is TLS-only, behind Cloudflare, with a strict security-header baseline.

  • No secrets in the app

    OAuth uses PKCE public-client flows, so no client secret ships in the binary. Analytics is opt-in and content-free. A billing problem never locks you out of your own local data.