Security
Report a vulnerability.
We take security seriously and welcome good-faith reports. Trust is the product — if you find a weakness, please tell us.
How to report
Email security@roselyn.ai with a description of the issue, steps to reproduce, and anything we need to confirm it. A machine-readable contact is published at/.well-known/security.txt.
We aim to acknowledge reports within a few business days (Roz is built by a small team, so please bear with us). Please give us a reasonable window to fix an issue before disclosing it publicly.
Safe-harbor
We won't pursue legal action for good-faith security research that avoids privacy violations, data destruction, and service disruption, and that gives us a chance to respond before public disclosure. Please don't access or modify other people's data, and stop at the first confirmation of a vulnerability.
Our security posture
Signed, notarized, and verifiable
Every build is Developer-ID signed and notarized by Apple, so macOS Gatekeeper trusts it. Each release publishes a SHA-256 checksum to verify before you run it. Updates are additionally EdDSA-signed and verified offline by the app.
Local-first — the data path is short
Roz reads your sources and stores what it learns in a local, encrypted vault on your Mac. We don't receive a copy. Bring your own key and prompts go straight from your machine to your provider, never through us.
Minimal server surface
Our servers hold only account and billing records. Card data goes directly to Stripe; authentication is handled by WorkOS. Traffic is TLS-only, behind Cloudflare, with a strict security-header baseline.
No secrets in the app
OAuth uses PKCE public-client flows, so no client secret ships in the binary. Analytics is opt-in and content-free. A billing problem never locks you out of your own local data.