Trust Security packet

Security packet

A concise security overview for evaluators, written to be handed to a security review as-is. Every claim links to the code or document that backs it.

The short version

Relay is a locally-installed app, not a SaaS. It hosts no customer data because there is no endpoint to receive it. AI processing runs under your own provider accounts. For product usage there is no data processing agreement to sign, because we process nothing.

What Relay is, structurally

Orionfold Relay is a locally-installed application, not a SaaS. It installs from npm, runs a server bound to 127.0.0.1 on the operator machine, and stores all state in a local SQLite database. The engine is open source (Apache-2.0). The commercial product is premium content packs, unlocked by a signed license file verified offline.

There is no Orionfold cloud, no Orionfold account, and no server-side component operated by us in the product runtime path.

We host no customer data

This is the load-bearing claim, so here is its basis.

  • All application state is local. Projects, tasks, documents, workflow runs, usage and cost ledgers, chat history, settings, and licenses live in a SQLite file in the operator data directory. Nothing is synced, mirrored, or backed up to us. There is no endpoint to receive it.
  • No telemetry or analytics exists in the codebase. The in-app telemetry and analytics surfaces read the local database only.
  • AI processing happens under your provider accounts. When agents run, prompts and in-scope document content go directly from your machine to the model provider you configured. Orionfold is not in that path and cannot see it.
  • What we do hold: purchase records only, the billing details you give Stripe at checkout and the email a license was issued to. That data exists on the storefront side, never in the product.

Consequence for your compliance review: for product usage there is no data processing agreement to sign with us, because we process nothing. Your existing terms with your chosen model providers govern the AI data flow.

Subprocessors

In the conventional SaaS sense, none. There is no service of ours processing your data. The third parties in the picture are all under your control or your contract.

PartyRoleDataChosen by
Anthropic / OpenAIModel APIs your agents callPrompts, in-scope document content, tool resultsYou (per task, step, schedule)
Ollama (local)Optional local model runtimeNever leaves your machineYou
GitHubHosts the repo and releasesServes downloads; receives nothing about you but a GETUs (distribution)
npm registryPackage distributionStandard npm install trafficUs (distribution)
StripePayment processing at purchaseBilling details, at checkout onlyUs (storefront)

Application security posture

  • Deployment surface: binds to 127.0.0.1 by default. Exposing it on a LAN requires an explicit hostname flag, which prints a warning. Relay is a single-operator cockpit; treat network exposure as you would any internal tool.
  • Agent governance is built in, not bolted on: per-profile tool permissions (an agent without web tools cannot reach arbitrary URLs), human-approval checkpoints for client-facing output, and a full audit trail of agent actions.
  • Plugin containment: third-party plugins can ship tool servers, which are subprocesses, so treat plugin installation as running code. Safe mode disables plugin tool servers, and plugin content is schema-validated on load.
  • Failure visibility as an engineering rule: the standing principles are zero silent failures and named error types. The license verifier, artifact downloads, and install paths all fail loudly with typed errors.

Supply-chain integrity (summary)

Full detail is on the supply-chain page.

  • npm publishes happen only through OIDC trusted publishing from a committed workflow. No npm tokens exist to leak. Every release carries a SLSA v1 provenance attestation you verify with npm audit signatures.
  • A CycloneDX SBOM of the production dependency tree is attached to every GitHub Release.
  • The server build downloads once per version from GitHub Releases and is sha256-verified before extraction. A mismatch aborts.
  • Versions are pinnable and never self-update.

Licensing privacy

License verification is an offline Ed25519 signature check against public keys embedded in the open-source verifier. No activation, no re-validation, no data ever sent to Orionfold. It works air-gapped. Expiry never disables installed content.

Vulnerability disclosure

Report vulnerabilities privately via GitHub security advisory form on the Relay repository. Please do not open public issues for security reports. You will get an acknowledgment within 72 hours. Confirmed issues ship as ordinary versioned releases with changelog disclosure.

Business continuity

The continuity argument is architectural: an Apache-2.0 engine, local data, and offline licenses mean our disappearance cannot take your deployment down. Read the specifics, including the honest edge cases, on the continuity page.