SourcePrepSourcePrep
System_Policy: Security_v3.1
← Return Home

Security &
Privacy

LAST_AUDIT: 2026-02-01

VIEW_TERMS_OF_SERVICECONTACT_SEC_TEAM
Architecture_Viewer

01. Local-First Architecture

Assertion: Your source code never leaves your machine.

SourcePrep runs entirely on localhost. Indexes, embeddings, and configuration are stored locally in ~/.local/share/sourceprep (or in-project via embedded mode). There is no cloud component, no server-side processing, and no mechanism to upload source code.

02. Telemetry & Analytics

Usage AnalyticsDISABLED / NONE
Crash ReportingDISABLED / NONE
Behavioral TrackingDISABLED / NONE

03. Network Isolation

The SourcePrep daemon binds to 127.0.0.1:8400 by default. Remote access requires explicit configuration.

# Allowed Outbound Connections
api.sourceprep.ioHTTPS / POST /activate-license (One-time)localhost:*Ollama API (User Controlled / Optional)api.openai...Cloud LLM (User Controlled / BYOK Only)

04. LLM & Embedding Usage

SourcePrep's structural code graph (imports, calls, symbol graphs) and semantic search (via built-in ONNX embeddings) work entirely locally without any external LLM. For deep reasoning and trace enrichment, you may bring your own cloud API keys (BYOK) or connect Ollama locally. We never proxy calls, never store keys, and never mark up token costs.

05. Offline Verification

License activation requires a single online key exchange. After activation, SourcePrep stores a signed Ed25519 license file locally and verifies it offline. No periodic phone-home, no subscription heartbeat.

06. Supply Chain Security

All installers are code-signed and include SHA-256 checksums.

$ shasum -a 256 SourcePrep-1.0.0-mac.dmg
> 7f83b1657ff1fc53b92dc18148a1d65dfc2d4b1fa3d677284addd200126d90bc

Vulnerability Reporting

If you discover a security vulnerability, please report it responsibly. We acknowledge reports within 48 hours.

[email protected]

07. Bug Reports & Debug Logs

SourcePrep includes a one-click bug report feature (accessible from the dashboard log console). When you submit a report, here's exactly what's included — and what's not:

Included in Reports

  • App version & OS info
  • Index stats (file count, chunk count)
  • Pipeline stage & build status
  • Error messages & stack traces
  • Your description & steps to reproduce

Never Included

  • X Source code or file contents
  • X Index embeddings or vectors
  • X File paths beyond project root name
  • X LLM prompts or responses
  • X License keys or credentials

Bug reports are previewed before submission — you can review every field. If you're offline or prefer not to send data, the report is saved as a local JSON file you can inspect and email manually to [email protected].

Privacy Policy

LAST_UPDATED: 2026-02-01

08. Data Inventory

Executive Summary: SourcePrep is a local-first desktop application. Your source code never leaves your machine. We collect the absolute minimum data needed to operate the business — license activation and optional support requests. That's it.

Not Collected

  • X Source Code & Files
  • X Index Data / Metadata
  • X Telemetry / Usage Stats
  • X AI Prompts / Responses

Collected

  • License Key (Activation)
  • Machine ID (Hardware Lock)
  • Email (Support/Billing)

09. Payments

Payments are processed by Lemon Squeezy, our Merchant of Record. SourcePrep Inc. does not store credit card numbers, banking information, or tax IDs.

10. Data Retention

Data TypeRetention Period
License RecordsLifetime of active license + 2 years
Support Tickets2 years from closure
Server Logs30 days (rolling)

Compliance Officer

For data deletion requests or GDPR/CCPA inquiries:

[email protected]