security & privacy
The risk already exists in your stack: your coding agents send terminal output to a model provider. LazyToken is the filter that reduces and blocks what leaves — not a new pipe out. This page is the narrative we give CISOs, and every claim on it is grounded in the shipped Security Whitepaper.
We don't claim "unbreakable" or "100% secure." We claim specific, auditable principles — enforced in code, not just in policy.
pillar 1
The filtering engine that runs on developer workstations is a fork of an Apache 2.0 open-source project — auditable line by line by your security team. The proprietary layer (reporting, policy, server, dashboard) is available to Enterprise customers for source review under NDA, or via source escrow.
pillar 2
The server is self-hosted in your environment. The vendor has no tenant, no copy, and no access. The agent transmits to your server only, and only numbers and a tool name — never code, arguments, paths, output, environment variables, or secrets. In air-gapped mode the server makes zero outbound calls.
pillar 3
The agent runs as an ordinary user — no root/admin for normal operation. It listens on no ports; it only initiates outbound connections to the single configured server. Policy is applied only if cryptographically signed (Ed25519, key pinned at enrollment), so a compromised server cannot push a malicious configuration. Credentials live in the OS keychain, not in files.
pillar 4
Releases are designed to ship signed (EV code signing on Windows, Apple notarization on macOS, GPG on Linux), each with a CycloneDX SBOM and published checksums. Agent updates are distributed only from your internal server, Ed25519-signed — never pulled from the open internet. Upstream engine syncs pass code review + SAST before adoption.
Honest status: installer signing/notarization is a release step not yet turned on — the packaging scripts exist; the signing pipeline is an operational task before a regulated rollout.
pillar 5
A published vulnerability-disclosure policy (security.txt, dedicated address, 48-hour response SLA) · annual external penetration test (report under NDA) · SAST on every CI run plus dependency scanning · SOC 2 Type I on the roadmap ahead of serious US-market entry. We do not claim certifications we don't yet hold.
Every row is excluded by design and enforced in code: an allowlist test on the agent blocks merges, and the server rejects any unknown field with 400 INVALID_PAYLOAD — never silently strips it.
| Never transmitted | How it's prevented |
|---|---|
| Source code — files, snippets, diffs | No field in the schema can carry it |
| Command arguments | Only the first word is sent (git, npm); max 32 chars, no spaces allowed — an argument physically can't fit |
| File paths / filenames / directories | Not in the schema; optional project_hash is a salted SHA-256 with a device-local salt that never leaves the machine, off unless policy enables it |
| Command / terminal output | Never captured for transmission — filtering happens locally |
| Environment variables | None, ever |
| Secrets / credentials / tokens | Firewall redacts locally; only the rule type (e.g. aws-key) is reported, never the value |
| Prompts or model responses | LazyToken is not in the prompt path for reporting |
| Keystrokes, screen contents, clipboard | Never captured |
| Git remotes, commit messages, branch names | Not in the schema |
| Geolocation / device fingerprinting | Only a SHA-256-hashed hostname identifies a device |
Because the agent sits between the terminal and the model, it can do more than compress — it controls what leaves the organization.
Every command output is scanned before it enters the model's context for API keys, tokens, passwords, connection strings, private keys, and high-entropy strings (pattern + entropy detection in the style of well-known secret scanners). Matches become [REDACTED:<type>]. The original value is never written to disk and never transmitted anywhere.
Org policy can block sensitive command output entirely (e.g. cat on **/.env*) — the model receives a short block notice instead. The dashboard shows how many secrets were blocked, by team, over time — storing only {type, tool, timestamp, device}. Optional PII masking covers emails, IDs, and card numbers.
Measuring per-developer savings can be perceived as workforce surveillance (especially in the EU). LazyToken ships a built-in anonymized mode: the dashboard shows teams and "Dev #N" rather than individuals. The choice is the customer's, set at policy level and recorded in the audit log. Managerial visibility without personal surveillance.
Copy-paste answers for procurement and security questionnaires.
| Question | Answer |
|---|---|
| Where is our data stored? | With you only. Self-hosted server; we have no tenant and no access. |
| What does the agent collect? | Numeric counters + a tool name (first word only). Full schema in the data-flow appendix. |
| Is source code / command output sent to a third party? | No. Blocked at the schema level + an automated test. The Context Firewall further reduces what reaches the model provider. |
| Encryption in transit / at rest? | TLS 1.3 in transit; at rest is under your control (the DB is yours). |
| Authentication & authorization? | SSO (OIDC/SAML), RBAC, MFA via your IdP. |
| Audit logging? | Every admin action and policy change; append-only. |
| Agent privileges on the workstation? | Ordinary user, no root, no network listener. |
| Software updates? | Signed, distributed from your internal server only; you control the pace. |
| SBOM / third-party components? | CycloneDX SBOM attached to each release. |
| Penetration testing? | Annual, external; report under NDA. |
| Vulnerability reporting? | security.txt; response within 48 hours. |
| Business continuity if the vendor closes? | Source escrow for Enterprise; the system keeps running independently in your environment. |
| GDPR / employee privacy? | No PII by default; built-in anonymized mode; DPA available. |
| Internet dependency? | None. Air-gapped fully supported. |
The full whitepaper covers the trust model, the enforced payload allowlist with the exact schema, the Context Firewall, air-gapped operation, and the supply-chain posture.