security & privacy

Built so that even if we wanted to, we couldn't reach your data.

The risk already exists in your stack: your coding agents send terminal output to a model provider. LazyToken is the filter that reduces and blocks what leaves — not a new pipe out. This page is the narrative we give CISOs, and every claim on it is grounded in the shipped Security Whitepaper.

We don't claim "unbreakable" or "100% secure." We claim specific, auditable principles — enforced in code, not just in policy.

trust model

The five trust pillars

pillar 1

Code transparency

The filtering engine that runs on developer workstations is a fork of an Apache 2.0 open-source project — auditable line by line by your security team. The proprietary layer (reporting, policy, server, dashboard) is available to Enterprise customers for source review under NDA, or via source escrow.

pillar 2

"We don't have the data" architecture

The server is self-hosted in your environment. The vendor has no tenant, no copy, and no access. The agent transmits to your server only, and only numbers and a tool name — never code, arguments, paths, output, environment variables, or secrets. In air-gapped mode the server makes zero outbound calls.

pillar 3

Minimal privilege

The agent runs as an ordinary user — no root/admin for normal operation. It listens on no ports; it only initiates outbound connections to the single configured server. Policy is applied only if cryptographically signed (Ed25519, key pinned at enrollment), so a compromised server cannot push a malicious configuration. Credentials live in the OS keychain, not in files.

pillar 4

Supply chain

Releases are designed to ship signed (EV code signing on Windows, Apple notarization on macOS, GPG on Linux), each with a CycloneDX SBOM and published checksums. Agent updates are distributed only from your internal server, Ed25519-signed — never pulled from the open internet. Upstream engine syncs pass code review + SAST before adoption.

Honest status: installer signing/notarization is a release step not yet turned on — the packaging scripts exist; the signing pipeline is an operational task before a regulated rollout.

pillar 5

Process

A published vulnerability-disclosure policy (security.txt, dedicated address, 48-hour response SLA) · annual external penetration test (report under NDA) · SAST on every CI run plus dependency scanning · SOC 2 Type I on the roadmap ahead of serious US-market entry. We do not claim certifications we don't yet hold.

data minimization

What we never collect

Every row is excluded by design and enforced in code: an allowlist test on the agent blocks merges, and the server rejects any unknown field with 400 INVALID_PAYLOAD — never silently strips it.

Never transmittedHow it's prevented
Source code — files, snippets, diffsNo field in the schema can carry it
Command argumentsOnly the first word is sent (git, npm); max 32 chars, no spaces allowed — an argument physically can't fit
File paths / filenames / directoriesNot in the schema; optional project_hash is a salted SHA-256 with a device-local salt that never leaves the machine, off unless policy enables it
Command / terminal outputNever captured for transmission — filtering happens locally
Environment variablesNone, ever
Secrets / credentials / tokensFirewall redacts locally; only the rule type (e.g. aws-key) is reported, never the value
Prompts or model responsesLazyToken is not in the prompt path for reporting
Keystrokes, screen contents, clipboardNever captured
Git remotes, commit messages, branch namesNot in the schema
Geolocation / device fingerprintingOnly a SHA-256-hashed hostname identifies a device
What that leaves — the entire dataset: numeric token counters, a tool name (first word), a coarse category, which AI agent was used, a timestamp, filter timing, and an optional salted project hash. Full wire schema in the whitepaper.
context firewall

Reducing what reaches the model

Because the agent sits between the terminal and the model, it can do more than compress — it controls what leaves the organization.

Secret redaction, locally

Every command output is scanned before it enters the model's context for API keys, tokens, passwords, connection strings, private keys, and high-entropy strings (pattern + entropy detection in the style of well-known secret scanners). Matches become [REDACTED:<type>]. The original value is never written to disk and never transmitted anywhere.

Guardrails & evidence

Org policy can block sensitive command output entirely (e.g. cat on **/.env*) — the model receives a short block notice instead. The dashboard shows how many secrets were blocked, by team, over time — storing only {type, tool, timestamp, device}. Optional PII masking covers emails, IDs, and card numbers.

deployment

Air-gapped operation & anonymization

Fully air-gapped supported

  • Images carried in as a tar; the license is a signed file — no license server to phone home
  • A Kubernetes NetworkPolicy technically restricts server pods to DNS + in-cluster PostgreSQL — verify zero egress yourself with an in-pod test
  • Only optional egress: your IdP (SSO), your SMTP, your Slack — all off by default
  • TLS 1.3 in transit; at rest the database is under your control

Anonymized mode — the works-council answer

Measuring per-developer savings can be perceived as workforce surveillance (especially in the EU). LazyToken ships a built-in anonymized mode: the dashboard shows teams and "Dev #N" rather than individuals. The choice is the customer's, set at policy level and recorded in the audit log. Managerial visibility without personal surveillance.

procurement

Security questionnaire — ready answers

Copy-paste answers for procurement and security questionnaires.

QuestionAnswer
Where is our data stored?With you only. Self-hosted server; we have no tenant and no access.
What does the agent collect?Numeric counters + a tool name (first word only). Full schema in the data-flow appendix.
Is source code / command output sent to a third party?No. Blocked at the schema level + an automated test. The Context Firewall further reduces what reaches the model provider.
Encryption in transit / at rest?TLS 1.3 in transit; at rest is under your control (the DB is yours).
Authentication & authorization?SSO (OIDC/SAML), RBAC, MFA via your IdP.
Audit logging?Every admin action and policy change; append-only.
Agent privileges on the workstation?Ordinary user, no root, no network listener.
Software updates?Signed, distributed from your internal server only; you control the pace.
SBOM / third-party components?CycloneDX SBOM attached to each release.
Penetration testing?Annual, external; report under NDA.
Vulnerability reporting?security.txt; response within 48 hours.
Business continuity if the vendor closes?Source escrow for Enterprise; the system keeps running independently in your environment.
GDPR / employee privacy?No PII by default; built-in anonymized mode; DPA available.
Internet dependency?None. Air-gapped fully supported.

Give this to your security team

The full whitepaper covers the trust model, the enforced payload allowlist with the exact schema, the Context Firewall, air-gapped operation, and the supply-chain posture.