Security & Privacy

Understand how truzztbox protects your data and keeps you in control.

Our Promise

Your documents, your AI, your control. truzztbox is built so that your sensitive information never has to leave your environment unless you explicitly choose otherwise.

How We Protect Your Data

🏠

Data Stays Local

Your documents, extracted text, AI embeddings, and chat conversations are processed and stored entirely on your own device. The cloud only sees metadata like filenames and timestamps—never your actual content.

🔑

You Own the Keys

Your device generates its own cryptographic identity when first set up. The private key never leaves your machine. You control all SSH access and admin credentials—we have no backdoors or master keys.

🛡️

No Permanent Access

The truzztbox agent runs as an unprivileged user on your system, not as root. We cannot remotely access your device or elevate privileges. Installation requires admin rights once; after that, the agent runs without them.

🔒

Minimal Cloud Footprint

The cloud stores only what's necessary: your account info, device registration, and document metadata. When you upload a file through the web interface, it's forwarded directly to your device and deleted from our servers immediately after delivery.

Technical Details

What stays on your device

  • PDF documents and extracted text
  • AI embeddings and vector search index
  • Chat prompts and responses
  • Cryptographic private keys
  • Local configuration and caches

What the cloud stores

  • Your account email and authentication
  • Device ID and public key (for secure communication)
  • Document metadata (filename, size, upload time)
  • Device online/offline status

What the cloud never stores

  • Document content or extracted text
  • AI embeddings or search results
  • Your chat conversations
  • Private keys or credentials

Agent Security Hardening

The truzztbox agent running on your device is locked down with industry-standard Linux security practices:

Unprivileged execution

Runs as a dedicated system user, not root

No privilege escalation

Cannot gain additional permissions after startup

Filesystem isolation

Read-only system access, isolated temp directories

Network restrictions

Limited to necessary network protocols only

Memory protection

Prevents code injection and exploitation

Kernel protection

Cannot modify system kernel parameters
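
The six properties above correspond to standard systemd sandboxing directives. The script below is an added example, not truzztbox's own code or configuration: it checks a unit file for those directives, assuming the agent runs as a systemd service. The sample unit, its user name and its binary path are constructed.

```python
# Constructed sample unit: the page does not show the agent's real unit file.
SAMPLE_UNIT = """\
[Unit]
Description=example agent (constructed)

[Service]
User=agent
ExecStart=/usr/local/bin/agent
NoNewPrivileges=yes
ProtectSystem=strict
PrivateTmp=yes
RestrictAddressFamilies=AF_INET AF_INET6
MemoryDenyWriteExecute=yes
"""

TRUE = {"yes", "true", "on", "1"}  # boolean spellings systemd accepts

def service_settings(unit_text):
    """Return [Service] key/value pairs; a later assignment overrides an earlier one."""
    section, settings = None, {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit(unit_text):
    """Check each hardening claim from the list above against a systemd directive."""
    s = service_settings(unit_text)
    on = lambda key: s.get(key, "").lower() in TRUE
    return {
        "Unprivileged execution": on("DynamicUser") or s.get("User", "root") not in ("root", "0", ""),
        "No privilege escalation": on("NoNewPrivileges"),
        "Filesystem isolation": s.get("ProtectSystem", "").lower() in ("strict", "full") and on("PrivateTmp"),
        "Network restrictions": bool(s.get("RestrictAddressFamilies")),
        "Memory protection": on("MemoryDenyWriteExecute"),
        "Kernel protection": on("ProtectKernelTunables"),
    }

if __name__ == "__main__":
    for claim, ok in audit(SAMPLE_UNIT).items():
        print(f"{'PASS' if ok else 'MISSING':8}{claim}")
```

On a real installation, pass the output of `systemctl cat` for the agent's unit (the unit name is not given on this page) to `audit()`. The sample deliberately omits `ProtectKernelTunables`, so the last check reports it as missing.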

Coming Soon

We're continuously improving our security posture. Here's what's on our roadmap:

Audit Logs (Planned)

Detailed, tamper-evident logs of all system and agent actions

Disk Encryption Guidance (Planned)

Step-by-step instructions for encrypting your device storage

Customer-Managed Encryption (Future)

Encrypt local data with your own keys

Confidential VM Support (Future)

Hardware-level isolation with AMD SEV or Intel TDX

Questions?

Security is a journey, not a destination. If you have questions about our security practices or want to report a concern, please reach out.