Local-first
DataMoat does not upload prompts, transcripts, tool output, files, attachments, or search history to a DataMoat cloud service.
Security model
An encrypted local vault for AI work history, not a plaintext transcript folder.
DataMoat is designed so backed-up transcripts, state, and attachments are encrypted at rest. The UI binds locally to 127.0.0.1, authenticated sessions use local cookies, and audit events can be verified with a hash chain.
Security at a glance
Strong unlock paths
Source installs support password, optional TOTP, a 24-word recovery phrase, and one-time recovery codes. Packaged macOS builds add Touch ID on supported Macs.
Honest limits
If malware controls an already-unlocked endpoint or reads your screen, no local vault can fully protect visible plaintext.