Trust centerWe're honest about what we see.
We're honest about what we see.
And what we don't.
A consumer security tool lives or dies on trust. This page documents the data flow, the threat model, and how to report a vulnerability. Updated as the products evolve.
01 / Telemetry
What leaves your device.
The Blue agent is local-first. Detection verdicts happen entirely on your hardware. The cloud is a management surface, not the protection itself.
- Heartbeat (all tiers). Device id, account id, agent version, integrity-chain head hash, threat count deltas, OS version. No file paths, no command lines, no user identifiers.
- Detection telemetry (Pro+, opt-in). Behavioral feature vectors of detected events. Process hashes, parent-child lineage, MITRE tag. Toggleable.
- Diagnostic bundles (on request).
nemesisctl support-bundlegenerates a redacted .zip. User previews and approves before sending. - What we never collect. File contents. Full command lines. Browser history. Document contents. Keystrokes. Microphone. Camera. Screen.
02 / Residency
Where the data lives, how long it stays.
Primary infra in AWS us-east-2. EU residency available before EU GA.
- Heartbeats. 7 days rolling.
- Detection telemetry. 90 days (Pro / Family / Business), 1 year (MSSP).
- Account & billing. Lifetime of account, 30-day grace post-deletion.
- Audit log. Duration of account; required for SOC 2.
03 / Threat model
The honest version.
What we assume and what we don't.
- The agent will be reverse-engineered. Anti-tamper hardening is equivalent on every platform. macOS:
PT_DENY_ATTACH, hardened runtime, Apple Developer-ID + notarization, Team-ID-pinned self-check (JRMYSV7NC2). Linux: seccompptrace-deny, capability drops, immutable-flag on installed binary, sigstore-signed releases with deterministic builds. Windows: Protected Process Light (PPL) at runtime, DACL hardening, Authenticode EV signing, WHQL-certified minifilter. Raises the bar, not the wall. - A privileged kernel attacker can still blind a single host. That's why detection spans four vantage points and tamper is the alarm.
- The cloud can be hijacked. The agent verifies offline signatures on every command + update. A sinkholed cloud cannot push rogue policy.
- Device JWT is bound to a synthetic auth identity in the System Keychain. Signing out the user does not stop protection.
04 / Disclosure
Reporting a vulnerability.
We respond to security reports within 48 hours. Please email. No embargoed details on social, no public GitHub issues for findings.
- Email: [email protected]
- Scope: agent, cloud console + APIs, all subdomains of
nemesislabs.xyz. - Out of scope: third-party services (Supabase, Stripe, Vercel, Nym). Report to them directly.
- No paid bug bounty yet. We'll credit responsible reporters in release notes (if they wish).
05 / Compliance
Roadmap.
- SOC 2 Type II. Observation window starts at GA.
- GDPR. DPA available on request before EU launch.
- FedRAMP Moderate. Planned for the GovCloud-isolated build (separate from the commercial product).
06 / Legal
Policies that govern use.
- Terms of Service — the master agreement for all products.
- Privacy Policy — what we collect, how we store it, your rights.
- Acceptable Use Policy — what you may and may not do with our tools.
- Data & account deletion — how to request removal.
Got a question this page doesn't answer? [email protected].