Security & privacy

Agents stay local.
Code stays on your machine unless you opt in.

KanBots OSS is local-first by design: a SQLite database next to your repo, no telemetry, no servers. KanBots Cloud coordinates the board over HTTPS, but the agents run on hardware you control. Your audit log is yours.

Agents stay local

The agent CLI and local worktrees run on hardware you control. Cloud coordination stores metadata and permissions — not your repository contents — unless you explicitly opt into broader sharing via privacy settings.

Privacy modes (off / redacted / full)

Projects declare how much context leaves the device for cloud-backed features. Off sends no project context at all; redacted mode strips sensitive paths and payloads before anything is sent; full mode is explicit consent to share the full context for deeper cloud assistance. OSS defaults to off.

Pre-push containment

Every worktree gets a pre-push hook that always exits non-zero, so git refuses every push from that worktree. Even with bypassPermissions, the agent itself never publishes anything to a remote — promotion is always an explicit user step.
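The containment hook in practice, as an added example that is not KanBots' own code: it installs an always-failing pre-push hook into a throwaway repo, confirms that an ordinary push is refused and that nothing reaches the remote, and then shows the boundary of this control, which is that `git push --no-verify` skips pre-push hooks entirely. The sandbox layout, the hook's message and the function names are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not KanBots code): an always-failing pre-push hook, installed
# into a throwaway repo, plus the --no-verify boundary of that control.
set -eu

# Write an always-failing pre-push hook into the repo's hook directory.
# git passes "<remote> <url>" as arguments and the refs to push on stdin;
# this hook ignores both and exits 1, which makes git abort the push before
# any object or ref is sent.
install_prepush_guard() {
  local repo="$1" hooks
  hooks="$(cd "$repo" && git rev-parse --git-path hooks)"  # honors core.hooksPath and linked worktrees
  case "$hooks" in /*) ;; *) hooks="$repo/$hooks" ;; esac
  mkdir -p "$hooks"
  cat > "$hooks/pre-push" <<'EOF'
#!/bin/sh
# Constructed containment guard: this worktree never publishes on its own.
echo "pre-push: pushes are blocked in this worktree; promote from the board instead" >&2
exit 1
EOF
  chmod +x "$hooks/pre-push"
}

# Build a sandbox: a bare "remote" plus a working repo with one commit and the
# guard installed. Prints the sandbox directory.
make_sandbox() {
  local sb
  sb="$(mktemp -d)"
  git init -q --bare "$sb/remote.git"
  git init -q "$sb/work"
  git -C "$sb/work" -c user.name=kanbot -c user.email=kanbot@example.invalid \
      -c commit.gpgsign=false commit -q --allow-empty -m "constructed initial commit"
  git -C "$sb/work" remote add origin "$sb/remote.git"
  install_prepush_guard "$sb/work"
  printf '%s\n' "$sb"
}

# Returns 0 when an ordinary push is refused and the remote still has no refs.
push_is_blocked() {
  local sb="$1"
  if git -C "$sb/work" push -q origin HEAD:refs/heads/main 2>/dev/null; then
    return 1
  fi
  [ -z "$(git -C "$sb/remote.git" for-each-ref)" ]
}

# Returns 0 when `git push --no-verify` lands on the remote: pre-push hooks are
# a client-side check, so anything that can add this flag, edit the hooks
# directory or repoint core.hooksPath can still publish.
push_bypasses_hook() {
  local sb="$1"
  git -C "$sb/work" push -q --no-verify origin HEAD:refs/heads/main 2>/dev/null || return 1
  git -C "$sb/remote.git" rev-parse -q --verify refs/heads/main >/dev/null
}

if [ "${1:-}" = "--demo" ]; then
  sb="$(make_sandbox)"
  push_is_blocked "$sb" && echo "ordinary push: refused by the hook, remote untouched"
  push_bypasses_hook "$sb" && echo "git push --no-verify: hook skipped, commit published"
  rm -rf "$sb"
fi
```

Run it with `bash prepush_guard.sh --demo`. The hook is written to the directory that `git rev-parse --git-path hooks` reports, which honors `core.hooksPath` and, in a linked worktree, resolves to the hooks shared with the main checkout. Because `--no-verify`, a rewrite of that directory, or a change to `core.hooksPath` all defeat the hook, the credentials the agent's environment holds for the remote deserve the same scrutiny as the hook itself.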

Audit log (Business+)

Org-scoped audit events capture security-relevant actions with retention tied to your plan. Exports and API access are gated so compliance teams can answer who did what, when. OSS keeps a single-actor history locally.

Data isolation (Postgres RLS)

Cloud's multi-tenant data lives in Postgres with row-level security policies aligned to org membership. Each request carries its tenant context into the database session, and the policies filter every row against it, so a cross-org read, or a query with no tenant context at all, returns nothing rather than leaking: it fails closed at the database layer, not in application code. One check worth knowing when auditing any such scheme: Postgres enforces policies only on roles that are neither the table owner nor a superuser unless FORCE ROW LEVEL SECURITY is set on the table.

No telemetry on OSS

The OSS desktop never makes outbound network calls beyond what your agent CLI does. No analytics, no error reporting, no version checks. The .kanbots/ directory is the only thing it touches.

Compliance roadmap

Where we are, where we're headed

  • SOC 2 Type II — targeted completion Q2 2027. Type I and controls work precede the independent audit.
  • GDPR — we honor access, rectification, erasure, and portability requests for personal data we process as a processor for your organization. Subprocessors and DPA terms are provided during enterprise onboarding.
  • BAA available on Enterprise contracts.

Email security@kanbots.dev for security questions or vulnerability disclosure.