Security model

On-device memory. Encrypted work traces. Keys stay local.

DataMoat is designed so protected transcripts, skills, state, and attachments are encrypted at rest. There is no DataMoat cloud memory; transcripts, skills, attachments, memory databases, search history, and memory encryption keys are not sent to DataMoat. The UI binds locally to 127.0.0.1, authenticated sessions use local cookies, and the current audit log can be checked with a hash chain.
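How a hash-chained audit log is checked, as an added example that is not DataMoat's own code: the entry layout (prev, record, hash), the all-zero genesis value and the sample events are assumptions made for illustration, since this page does not describe the actual log format. It also shows the limit a reviewer should keep in mind: removing entries from the end is only detected when the latest head hash is kept somewhere outside the log.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value that the first entry links to


def entry_hash(prev_hash, record):
    # Canonical JSON so the same record always serialises to the same bytes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    # prev_hash is a fixed-width hex digest, so plain concatenation is unambiguous.
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(log, record):
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"prev": prev, "record": record, "hash": entry_hash(prev, record)})


def verify(log, expected_head=None):
    """Return (ok, reason). expected_head is a head hash stored outside the log."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev:
            return False, f"entry {i}: broken link (entry removed or reordered)"
        if entry_hash(prev, entry["record"]) != entry["hash"]:
            return False, f"entry {i}: content does not match its hash"
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, "head mismatch: log truncated or chain rebuilt"
    return True, "ok"


def build_sample():
    # Constructed sample events, not real DataMoat log entries.
    log = []
    for rec in (
        {"ts": 1, "event": "unlock", "method": "password"},
        {"ts": 2, "event": "export", "items": 3},
        {"ts": 3, "event": "lock"},
    ):
        append(log, rec)
    return log


if __name__ == "__main__":
    log = build_sample()
    head = log[-1]["hash"]
    print(verify(log, head))      # intact chain
    print(verify(log[:2]))        # tail removed, no stored head: passes
    print(verify(log[:2], head))  # tail removed, stored head: detected
```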

Security at a glance

On-device by design

DataMoat does not upload prompts, transcripts, tool output, files, skills, attachments, search history, or memory encryption keys to a DataMoat cloud service.

Strong unlock paths

Source installs support password, optional TOTP, a 24-word recovery phrase, and one-time recovery codes. Packaged macOS builds add Touch ID on supported Macs.

Honest limits

If malware controls an already-unlocked endpoint or reads your screen, no local memory can fully protect visible plaintext.