Security & Privacy, in plain language.

01What stays local

SuperBased is a desktop-first product. The default for almost everything is "stays on your device until you explicitly do something that crosses the network."

• Screenshots are stored locally in ~/.superbased/captures/ (or your custom screenshot folder). They never leave your machine unless you explicitly invoke an AI tool, drag/drop, copy, or share.
• SQLite database (gallery metadata, OCR text, AI responses, recording sessions, dictation history, personal dictionary) lives at ~/.superbased/superbased.db. Pure-Go WAL mode, never replicated.
• OCR runs locally via Tesseract.js. Your screenshots are processed in-process; no OCR provider gets the image.
• Token Compression Engine renders text-to-image entirely locally via sharp + SVG overlays. No BrowserWindow round-trip; no upstream call.
• Auto-redaction patterns are applied locally before any image leaves the machine.
• API keys for AI providers are managed by your admin (see §5) and resolved server-side; the desktop never holds them in plaintext.

02What crosses the network

Three categories of network traffic, all on opt-in or explicit-action paths:

That's it. No background screenshot upload. No telemetry on individual captures. No "phone home" pulses while you work. The desktop's per-feature defaults all bias toward local processing — even the dictation pipeline does filler removal, deduplication, and short-phrase normalization locally before any AI cleanup roundtrip.

03How auto-redaction works

When you enable auto-redaction (Settings → Privacy), the redaction pipeline runs locally, before any image is copied, sent, or shared. It detects and pixelates regions matching the following categories:

• Secrets: API keys (OpenAI, Anthropic, AWS, Stripe, GitHub, GitLab patterns), bearer tokens, JWT, SSH private keys, connection strings, environment variable values that match secret-like keys.
• PII: email addresses, phone numbers, social security numbers, credit card numbers, dates of birth in common formats.

Detection runs over the OCR text layer (which itself is computed locally via Tesseract). Matches get pixelated as image overlays; the original screenshot file on disk is unchanged unless you explicitly save the redacted version. Compressed images via the Token Compression Engine go through the same redaction pipeline — same patterns, same locality.

04What the desktop sends home

The desktop and headless binaries send four kinds of network traffic to api.superbased.app:

• License validation on startup and every 4 hours: machine ID hash, app version, platform, sign-in token. No screen contents.
• Version check: a single GET to /api/v1/version returning {latest, minimum}. Used to gate forced upgrades when a critical issue is fixed.
• Anonymous usage events: counters for which features were used (e.g. "scroll_capture invoked", "dictation session completed"). No content, no screenshots, no transcripts. Disable in Settings → Privacy if desired.
• Error reports: when the app crashes, a stack trace + app version + platform are sent. Crash dumps are scrubbed of file paths that include user names. Optional via Settings → Privacy.

The website (superbased.app) uses no analytics by default. Plausible is being evaluated for consent-gated, cookie-less analytics; until it ships, the website does not track visitors.

05Auth + payments

Authentication is handled server-side via the Clerk Backend API. The Go backend authenticates email/password and OAuth (Google, GitHub) flows on the server side and issues custom HMAC-SHA256 JWTs containing your Clerk user ID, email, and name. The desktop receives the JWT via a deep link (superbased://auth-callback?token=...) and stores it encrypted via OS-level secure storage (DPAPI on Windows, Keychain on macOS).

• Clerk's Frontend SDK is NOT used — the FAPI domain has known issues with Cloudflare-to-Cloudflare CNAME conflicts. Backend API only.
• Payments are processed by Paddle. We never see or store your card details — Paddle is a Merchant of Record handling all card data, tax compliance, and refunds.
• Sign-out clears the local token and notifies all open windows. The token is also revocable server-side.

06GUI automation safety rails

The GUI automation surface (the "Agent Hands" capability — see /agents) is the most privileged thing SuperBased exposes. The defaults err toward refusal at every layer:

• Master toggle off by default. guiAutomation.enabled defaults to false. The user explicitly opts in. All write tools refuse with a structured error until the toggle flips.
• Per-action group toggles. actions.safe (read-like operations), actions.write (click / type / hotkey / scroll / drag / hover), actions.destructive (drag_file, launch_app, window_state action='close'). Each independently toggleable.
• Confirm flag required. Every write call requires confirm: true unless the user has explicitly disabled the prompt via guiAutomation.requireConfirmFlag = false.
• Protected-process geofence. SuperBased self-targeting is refused with SELF_TARGET_REFUSED — agents cannot drive the SuperBased UI itself.
• Protected-apps blocklist. Configurable list of app processes that block all automation regardless of toggles. Defaults include common password managers and banking sites; add your own.
• Launch allowlist. superbased_launch_app requires an entry in guiAutomation.launchAllowlist — empty by default (deny-all). Allowlist entries can be substring matches or sha256:<hex> binary-hash pins for sensitive binaries.
• Kill switch. Ctrl+Shift+Esc (configurable) immediately aborts in-flight automation. Agents cannot suppress it. Registered as a global hotkey via uiohook-napi while guiAutomation.enabled is true.
• Session-state guards. LogonUI + UAC consent.exe probes refuse automation while elevation prompts are on screen.

07Audit log + replay

Every GUI automation action — accepted or refused — is appended to ~/.superbased/audit.log as one NDJSON line. Each entry contains:

• sessionId — links a chain of related actions (e.g., a single superbased_sequence call writes N entries with the same sessionId).
• tool — the MCP tool name (superbased_click, superbased_type, etc.).
• args — sanitized version of the tool call arguments. Strings longer than 200 chars are truncated. Password-shaped values are hashed.
• result — {ok, errorCode?, durationMs}.
• humanize.params — the sampled humanization values for the call (so you can verify trajectories were curved and timing was distributed as advertised).
• timing — startMs, endMs, perStepMs.

You own this log. Inspect it any time with cat ~/.superbased/audit.log | jq. Delete it any time. superbased_replay reads it back to reproduce a specific session — useful for debugging an agent that went off the rails, or for stepping through a flow that worked in production for inspection.

08Enterprise data flow

Enterprise tier customers get additional surfaces with explicit data ownership:

• SAML SSO + SCIM 2.0. Authentication flows through your IdP (Okta / Azure AD / Google Workspace / OneLogin / etc). User lifecycle managed by your SCIM provisioner. SuperBased never holds your user passwords.
• BYOK AI provider keys. Save your own Anthropic / OpenAI / Gemini / Azure OpenAI keys per organization. AI traffic for org members goes through your provider account, not ours. Resolution order: org keys → fall back to global if not configured.
• Shared workspaces (S3-backed). Captures uploaded for team sharing land in superbased-captures-production S3 (AES256, versioned). Access via presigned URLs with 15-minute expiry. FTS5-style PostgreSQL search across team workspaces.
• IP allowlist. CIDR-based access control per organization. PostgreSQL native CIDR matching; applied as middleware after org membership verification.
• Audit logs. All org-level actions (user lifecycle, SAML config, SCIM provisioning, member changes, device activations) recorded to audit_logs table with actor, action, resource, IP, user agent, timestamp.
• Data retention policy. Set retention_days per org; a daily background worker deletes ai_daily_usage, usage_events, and audit_logs older than the threshold for org members.

09Binary signing + verification

Every desktop release is signed and notarized. Verify your install matches a known-good build before running:

• Windows: OV Code Signed by "Gaja AI Private Limited". Right-click installer → Properties → Digital Signatures should show our cert.
• macOS: Notarized by Apple. Gatekeeper-approved on first run; no SmartScreen warning, no "unidentified developer" dialog.
• SHA-256 checksums are published on the download page next to each binary. Verify with shasum -a 256 SuperBased-Setup-x.y.z.exe (Windows: certUtil -hashfile) and compare.
• VirusTotal: every release binary is uploaded to VirusTotal and the clean scan link is published on the download page.

10Responsible disclosure

If you find a security issue — in the desktop app, the headless CLI, the backend API, the MCP server, the GUI automation surface, or any of the plugin distributions — email contact@marmut.app with the subject line "Security disclosure."

We commit to:

• Acknowledge receipt within 24 hours.
• Provide a status update within 72 hours.
• Ship a fix and credit the reporter (if desired) within 30 days for high-severity issues.
• Not pursue legal action against good-faith research that respects the boundaries below.

Out of scope: any test that affects production users (DoS, brute-forcing prod credentials, data exfiltration of other customers' content, social engineering of staff).