Security

Built to protect your life's data.

Security isn't a feature we added — it's a constraint we designed around from day one. Local-first means your data's default state is private.

Local-first by default

Your data lives on your device. The local database never touches our servers unless you explicitly enable cloud sync. Even with sync on, you choose exactly what leaves your machine.

We never train on your data

Your conversations, Rooms, and personal data are never used to train AI models. Not ours. Not anyone's. Data you share for cloud sync is stored only to serve you back.

Encrypted in transit and at rest

When cloud sync is active, all data is encrypted with TLS in transit and AES-256 at rest. Your sync server is hosted on Hetzner in Europe under GDPR jurisdiction.

Room sandbox isolation

Rooms run in a secure sandbox with a strict Content Security Policy. Room code cannot access your filesystem, network, or other Rooms beyond what you explicitly grant.

BYOK — your keys, your calls

Bring your own API key for any cloud AI provider. BYOK calls go directly to the provider — they never pass through Mylo's servers. Full visibility, zero markup.

Prompt injection protection

Mylo's command execution layer uses an allowlist of programs and a blocklist of dangerous arguments. LLM-generated commands are never executed without validation.
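The validation step described above, as an added example in Python that is not Mylo's code: a model-generated command string is parsed into an argv list without a shell, the program must appear on an allowlist, any token carrying shell metacharacters is refused, and known code-execution arguments of allowlisted programs are refused. The allowlist, the blocked-argument table and the no-shell execution model are assumptions made for this example.

```python
"""Validate LLM-generated commands before they reach an executor.

Added example, not Mylo's implementation. Assumes the executor runs the
returned argv directly (subprocess.run(argv), never shell=True), so shell
metacharacters have no meaning and can simply be rejected.
"""
import shlex
from dataclasses import dataclass, field

# Constructed allowlist for illustration (assumption, not Mylo's policy).
ALLOWED_PROGRAMS = {"ls", "cat", "grep", "find", "git"}

# Per-program arguments that let an otherwise benign program run other code.
# The blocklist is the secondary control: it can only name forms we know
# about, so the allowlist is what keeps the surface small.
BLOCKED_ARGUMENTS = {
    "git": {"-c", "--exec", "--upload-pack", "--receive-pack"},
    "find": {"-exec", "-execdir", "-ok", "-okdir", "-delete"},
}

# Characters that only a shell interprets. Since execution is shell-less,
# their presence means the model is trying to chain or substitute commands.
SHELL_METACHARACTERS = set(";|&$`<>(){}\n\r")


@dataclass
class Decision:
    allowed: bool
    reason: str
    argv: list = field(default_factory=list)


def validate_command(command: str) -> Decision:
    """Return whether a model-generated command may be executed, and why."""
    try:
        argv = shlex.split(command, comments=False, posix=True)
    except ValueError as exc:  # unbalanced quotes etc.
        return Decision(False, f"could not parse command: {exc}")
    if not argv:
        return Decision(False, "empty command")

    # The program must be a bare allowlisted name; '/bin/ls' or '../ls' fail here.
    program = argv[0]
    if program not in ALLOWED_PROGRAMS:
        return Decision(False, f"program not allowlisted: {program!r}")

    for token in argv:
        bad = SHELL_METACHARACTERS.intersection(token)
        if bad:
            return Decision(False, f"shell metacharacter {sorted(bad)[0]!r} in {token!r}")

    blocked = BLOCKED_ARGUMENTS.get(program, set())
    for token in argv[1:]:
        # '--opt=value' and '--opt value' name the same option; compare the option part.
        option = token.split("=", 1)[0]
        if option in blocked:
            return Decision(False, f"blocked argument for {program}: {option!r}")

    return Decision(True, "ok", argv)


if __name__ == "__main__":
    # Constructed sample commands, as a model might emit them.
    for sample in (
        "ls -la ./docs",
        "ls; rm -rf /",
        "git -c core.sshCommand=calc fetch",
        "git fetch --upload-pack=/tmp/x origin",
        "/bin/ls",
    ):
        d = validate_command(sample)
        print(f"{'ALLOW' if d.allowed else 'DENY ':5} {sample!r}: {d.reason}")
```

The executor should consume `Decision.argv`, not the original string, so the parsed and checked tokens are exactly what runs. Because a blocklist only names the argument spellings it knows, a new flag or alias on an allowlisted program is not caught by it; the allowlist and shell-less execution are the controls that bound the damage when the blocklist misses.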

Responsible disclosure

Found a vulnerability? We take security reports seriously. Email us at security@mylo.so with details and we'll respond within 48 hours. We don't pursue legal action against good-faith researchers.

security@mylo.so →