Trust Center
How SafeCadence handles your data — across the open-source software you run yourself and the optional hosted services. The short version:
What the installed software collects
No telemetry, no phone-home
Run NetRisk on your own infrastructure and nothing leaves it:
- No usage stats, analytics, or error reporting
- No check-ins of any kind
- Verifiable: MIT-licensed, all on GitHub, runs air-gapped
Your AI keys stay yours
AI narration is bring-your-own-key. Your provider keys live on your machine and are used only for the calls you trigger — or skip AI entirely and use the deterministic engine. Point it at a local LLM and nothing leaves your network even with AI on.
Grounded AI (no hallucinated findings)
The Security Graph is the source of truth; the AI is the storyteller. The Copilot and briefings cite only evidence that exists in the graph — they will not invent a CVE, technology, or attack path.
The opt-in exceptions — and exactly what they send
Cloud Sync (OFF by default)
NetRisk only sends scan data to a SafeCadence Security Graph if you run
safecadence cloud connect. With no config file, nothing is
sent.
- Authenticated by a per-tenant token issued to your org — uploads bind to your org only
- Sends scan results (assets, findings, CVEs, topology, identities) over HTTPS
cloud disconnectdeletes the config and stops all syncing- Pushes are best-effort and never block or alter a local scan
Shield — external scan
Shield assesses a domain from the outside using public data only — DNS, certificate-transparency logs, email-auth records, exposed endpoints. Non-intrusive: nothing is authenticated against, nothing is attacked, and it is legal to run on any domain you're authorized for.
Hosted Shield+Graph reports
When you request a hosted report, the scan result is stored against your organization so the report, monitoring, and Copilot work. It is shared only via the token-gated link you receive. Email us to export or delete your data at any time.
Data handling
In transit & at rest
All hosted endpoints are HTTPS (TLS). Tokens are stored as one-way hashes, never in plaintext. Local Cloud Sync config is written with owner-only (0600) permissions.
Retention & deletion
You control retention on anything you run locally. For hosted data, request export or deletion at hello@safecadence.com and we will action it.
Responsible disclosure
Found a security issue? Email security@safecadence.com. We respond quickly and credit reporters who want it.
SafeCadence · local-first security intelligence · source on GitHub · ← Back to tools