Security
How we protect your diagrams and code
Security Principles
- ✅ Local-first architecture (your data stays on your device)
- ✅ Zero-knowledge cloud sync (we can't read your diagrams)
- ✅ Secure OAuth implementation (no password storage)
- ✅ HTTPS everywhere (TLS 1.3)
- ✅ Regular security audits
- ✅ Responsible disclosure program
Local-First Architecture
Your diagrams are stored locally in your browser using IndexedDB. This means:
- ✅ Your data never leaves your device (unless you enable cloud sync)
- ✅ We have zero access to your diagrams
- ✅ No server-side storage of sensitive data
- ✅ Works offline
Storage Location: indexedDB://arkt.ink/diagrams
Your browser's IndexedDB is protected by same-origin policy. Only ArkT can access this data.
Cloud Sync (Optional, Future Feature)
When you enable cloud sync, your diagrams will be:
- Encrypted end-to-end: AES-256 encryption, your key never leaves your device
- Zero-knowledge: We cannot read your diagrams
- Encrypted at rest: Stored on AWS S3 with server-side encryption
- Encrypted in transit: All API calls use HTTPS (TLS 1.3)
GitHub OAuth Security
When you connect GitHub, we follow OAuth 2.0 best practices:
- Token storage: OAuth tokens in your browser localStorage only
- Minimal scopes: Only repo scope (read access)
- No write access: We cannot modify your code
- Revocable anytime: In your GitHub settings
What We Can and Cannot See
✅ We CAN see:
- Anonymous usage analytics (if you consent)
- Error logs (without personal data)
- Your email (if you create an account)
❌ We CANNOT see:
- Your diagram content or structure
- Your GitHub code or files
- Your OAuth tokens
- Your encryption keys
Responsible Disclosure
Found a security vulnerability? We appreciate your help keeping ArkT secure.
Report to:
Our Promise:
- We won't pursue legal action for good-faith research
- We'll credit you in our security hall of fame
- Critical issues fixed within 7 days
Questions About Security?
We're happy to discuss our security practices.