Security & Trust Center

How SorvoAI protects your data at every layer.

Architecture Overview

SorvoAI uses a client-server architecture with a native desktop application (Electron) and a centralized API server. There is no web application by design — native apps provide stronger security boundaries, system-level integration, and reduced attack surface compared to browser-based alternatives.

Client (Your Device)

• Native desktop app (Windows, macOS)
• Screen analysis runs locally — raw screenshots never leave your device
• Authentication tokens stored in OS keychain via Electron safeStorage
• Auto-update via signed NSIS installers with SHA-512 verification

Server (Cloud)

• API server on dedicated VPS (not shared hosting)
• PostgreSQL database with pgvector for semantic search
• Redis for job queues, caching, and real-time pub/sub
• BullMQ for async job processing with dead-letter queue

Data Flow: What Stays Local vs. What Leaves

Stays on your device

• Raw screen captures and screenshots
• Authentication tokens and session keys
• Local application cache
• Offline data cache (encrypted)

Transmitted to server (encrypted via TLS 1.3)

• Chat messages and responses
• Screen analysis metadata (app name, window title — not pixels)
• Calendar events, email metadata, and synced data
• Memory artifacts, entity graph, and intelligence outputs
• File uploads (for knowledge base)

Encryption Model

• In transit: All API traffic encrypted via TLS 1.3
• At rest: Database encrypted at the volume level
• Enterprise E2E: Optional client-side end-to-end encryption via libsodium (X25519 + XChaCha20-Poly1305)
• Token storage: OS keychain integration (Windows DPAPI / macOS Keychain)
• Sensitive fields: API keys, OAuth tokens, and SMTP credentials encrypted via AES-256-GCM before storage

Authentication & Access Control

• JWT-based authentication with short-lived access tokens (15 min) + long-lived refresh tokens
• Brute-force protection with progressive lockout
• Enterprise: SAML 2.0, OIDC, Okta, Azure AD support
• Enterprise: IP allowlisting for network-level restriction
• Role-based access control for team workspaces

Data Retention & Deletion

• Events archived after 90 days (soft delete, recoverable)
• Working memory expires after 24 hours
• Screen events retained per user preference (default: 30 days)
• Full account deletion with 72-hour grace period
• GDPR data export available (ZIP format, all user data)

AI Model Usage

• Primary model: Qwen 3 235B Instruct (self-hosted inference)
• Reasoning: Qwen 3 Thinking
• Enterprise: Claude Sonnet 4 (via Anthropic API)
• We never train models on your data. Your conversations, memories, and files are never used for model training.
• Content boundaries prevent sensitive data from reaching LLM contexts

Subprocessors

• Hostinger VPS: Application hosting (dedicated, not shared)
• OpenAI API: Embedding generation (text-embedding-3-small)
• SendGrid: Transactional email (agent email, webhooks)
• PostHog: Product analytics (anonymized usage data only)
• Sentry: Error monitoring (no PII in error reports)
• Google APIs: OAuth, Calendar sync, Gmail sync (user-authorized)

Compliance Roadmap

• GDPR: Data export, deletion, and consent management implemented
• SOC 2 Type II: On roadmap for 2026 Q4
• HIPAA: Not currently supported (healthcare use not recommended)
• ISO 27001: Under evaluation

Reporting Vulnerabilities

If you discover a security vulnerability, please report it to security@sorvoai.com. We take all reports seriously and will respond within 48 hours.