← All docs · source: SECURITY-WHITEPAPER.md

LazyToken — Security Whitepaper

Audience: CISOs, security architects, DPO/privacy, and procurement. Purpose: a single, customer-facing document that explains how LazyToken is built so a security team can approve it — the trust model, what we never collect, the enforced payload allowlist, the Context Firewall (DLP), air-gapped operation, supply-chain posture, and ready answers to a security questionnaire.

Companion documents (attach to a DPA): DATA-FLOW.md, NOT-COLLECTED.md, DPA-TEMPLATE.md, SECURITY.md, and the wire protocol CONTRACT.md.

We do not claim LazyToken is "unbreakable" or "100% secure." We claim it is built on specific, auditable principles — described below — and that the parts that reduce your risk are enforced in code, not just in policy.


1. The one-sentence narrative #

LazyToken is likely the only software in your stack that is architected so that even if we wanted to, we could not reach your data. The risk already exists: your coding agents send terminal output to a model provider. LazyToken is the filter that reduces and blocks what leaves — not a new pipe out.


2. Trust model — the five pillars #

2.1 Code transparency #

The filtering engine that runs on developer workstations is a fork of an Apache-2.0 open-source project — auditable line by line. The proprietary layer (reporting, policy, server, dashboard) is available to Enterprise customers for source review under NDA, or via source escrow.

2.2 "We don't have the data" architecture #

The server is self-hosted in your environment. The vendor has no tenant, no copy, and no access. The agent transmits to your server only, and only numbers and a tool name — never code, arguments, paths, output, environment variables, or secrets. This is enforced in code (§4) and, in air-gapped mode, the server makes zero outbound calls.

2.3 Minimal privilege #

The agent runs as an ordinary user — no root/admin for normal operation. It does not listen on any port; it only initiates outbound connections to the single configured server. Policy is applied only if cryptographically signed, so a compromised server cannot push a malicious configuration. Credentials live in the OS keychain, not in files.

2.4 Supply chain #

Release binaries are designed to ship signed (EV code signing on Windows, Apple notarization on macOS, GPG on Linux), each with a CycloneDX SBOM and published checksums. CI builds are isolated with provenance where possible. Agent updates are distributed only from your internal server (Ed25519-signed) — never pulled from the open internet. Upstream syncs pass code review + SAST before adoption, not a blind merge.

Honest status: installer code-signing/notarization is a release step that must be enabled before a regulated rollout (the packaging scripts exist; the signing keys/pipeline are an operational task). See the Admin Guide's prerequisites.

2.5 Process #

A published vulnerability-disclosure policy (security.txt + a dedicated address + a 48-hour response SLA), an annual external penetration test (report under NDA), SAST on every CI run (Semgrep) plus dependency scanning, and SOC 2 Type I on the roadmap ahead of serious US-market entry.


3. What we never collect #

Every item below is excluded by design and enforced in code. The agent never transmits:

The complete, itemized list is in NOT-COLLECTED.md.

**The entire dataset that is collected:** numeric token counters, a tool name (first word), a coarse category, which AI agent was used, a timestamp, filter timing, and an optional salted project hash. That's it.


4. The payload allowlist (enforced, not promised) #

The privacy rule is enforced on both sides of the wire, and the enforcement blocks merges:

The approved keys per metric record are exactly: ts, tool, category, ai_agent, tokens_raw, tokens_filtered, duration_ms, project_hash. For security events: ts, type, tool. Additional guarantees: tool must match ^[A-Za-z0-9._-]+$ and is capped at 32 chars — no spaces means no argument can ride along. Full schema: CONTRACT.md §2.


5. Context Firewall (DLP) — reducing what reaches the model #

Because the agent sits between the terminal and the model, it is positioned to do more than compress — it can control what leaves the organization:

This is the security-budget conversation: token savings justify the price; the Context Firewall makes the purchase a control, not just a cost saver.


6. Air-gapped operation #

LazyToken supports a fully air-gapped deployment (deploy/AIR-GAPPED.md):


7. Anonymization — the employee-monitoring concern #

Measuring "how much each developer saved" can be perceived as workforce surveillance (especially sensitive in the EU / with works councils). LazyToken ships a built-in anonymized mode: the dashboard shows teams and "Dev #N" rather than individuals. The choice is the customer's, set at policy level and recorded in the audit log. Positioning: managerial visibility without personal surveillance.


8. Security questionnaire — ready answers #

Copy-paste answers for procurement/security questionnaires:

QuestionAnswer
Where is our data stored?With you only. Self-hosted server; we have no tenant and no access.
What does the agent collect?Numeric counters + a tool name (first word only). Full schema in the data-flow appendix.
Is source code / command output sent to a third party?No. Blocked at the schema level + an automated test. The Context Firewall further reduces what reaches the model provider.
Encryption in transit / at rest?TLS 1.3 in transit; at rest is under your control (the DB is yours).
Authentication & authorization?SSO (OIDC/SAML), RBAC, MFA via your IdP.
Audit logging?Every admin action and policy change; append-only.
Agent privileges on the workstation?Ordinary user, no root, no network listener.
Software updates?Signed, distributed from your internal server only; you control the pace.
SBOM / third-party components?CycloneDX SBOM attached to each release.
Penetration testing?Annual, external; report under NDA.
Vulnerability reporting?security.txt; response within 48 hours.
Business continuity if the vendor closes?Source escrow for Enterprise; the system keeps running independently in your environment.
GDPR / employee privacy?No PII by default; built-in anonymized mode; DPA available.
Internet dependency?None. Air-gapped fully supported.

9. What we will not overstate (sales discipline) #


10. Appendices #