Security
Straight answers to the security review.
Krellix is desktop software that runs on the operator's Windows machine. Collected data never touches a Krellix server, and the product does not phone home. This page documents the design decisions that make that true today.
§ 02/Current security posture
What's in place today.
- 01 Local-only processing — collected email and documents never leave the operator's machine
- 02 No telemetry — the app does not phone home and collects no usage analytics
- 03 No cloud upload — Krellix has no server-side storage of customer content
- 04 Encrypted local cache for in-flight collection state
- 05 OAuth tokens stored in Windows DPAPI via the MSAL secure cache
- 06 Crash logs written only to %APPDATA% on the operator's machine
- 07 Delegated OAuth scopes only — never Application permissions
- 08 Outbound traffic limited to Microsoft Graph and a public RFC 3161 timestamp authority
- 09 Self-running verification script bundled with every export (VerifyTimestamp.bat)
§ 03/Coming next
Certifications we're working toward.
Status mirrors the public roadmap. For formal compliance documentation today, request the current posture document at security@krellix.app.
| Item | Status | Notes |
|---|---|---|
| EV code-signing certificate | In progress | Certificate ordered. Pilot installers signed once issued. |
| Microsoft Publisher Verification | In progress | Submitted. When approved, sign-in shows the verified-publisher badge. |
| SOC 2 readiness program | Planned | Documentation and process work scheduled, not yet underway. |
| Microsoft 365 App Compliance Program | Planned | Working toward Publisher Attestation and full M365 Certification. |
| SOC 2 Type II audit | Not in v3.x | Not on the v3.x roadmap. We're being upfront rather than implying it's imminent. |
§ 04/Data flow
Where collected messages go.
| Data | Where it goes |
|---|---|
| Collected messages and attachments | Operator's local disk, under the export folder they chose |
| SHA-256 / MD5 hashes | Operator's local disk, inside 06_HashManifests/ |
| Chain-of-custody manifest | Operator's local disk, inside 06_HashManifests/ |
| Hash of the manifest (for TSA request) | Sent to a public Time Stamp Authority — DigiCert, Sectigo, or GlobalSign |
| Access token (OAuth, short-lived) | Windows DPAPI-protected token cache, operator's user profile only |
| Refresh token | Same DPAPI-protected cache, cleared on sign-out |
| License file | Operator's user profile, issued by Krellix license server at purchase time |
| Telemetry / usage analytics | Not collected. The app does not phone home. |
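The table above is the whole integrity story: per-file SHA-256 and MD5 hashes go into a manifest, and only a hash of that manifest leaves the machine, as the value in an RFC 3161 timestamp request. The example below is added here to show what a reviewer can check for themselves from that design; it is not Krellix code and does not use the product's real manifest format. The JSON layout, the `hash-manifest.json` file name and the `01_Messages/` folder are assumptions made for the example; only the `06_HashManifests/` folder name comes from the page. It builds a manifest over a constructed export, derives the manifest digest that would be timestamped, then re-verifies the export after one message is altered.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed layout for this example: the hash manifest lives under
# 06_HashManifests/ (the folder named on the page) and is excluded from
# hashing, since a manifest cannot contain its own digest.
MANIFEST_DIR = "06_HashManifests"
MANIFEST_NAME = "hash-manifest.json"   # hypothetical file name, not the product's
CHUNK = 1 << 20


def file_digests(path):
    """Return (sha256_hex, md5_hex) for one file, streamed so large attachments fit in memory."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            sha.update(chunk)
            md5.update(chunk)
    return sha.hexdigest(), md5.hexdigest()


def export_files(root):
    """Yield (relative_posix_path, Path) for every collected file, skipping the manifest folder."""
    root = Path(root)
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root)
            if rel.parts[0] != MANIFEST_DIR:
                yield rel.as_posix(), p


def build_manifest(root):
    """Hash every collected file into a manifest dict (constructed JSON format)."""
    entries = []
    for rel, p in export_files(root):
        sha, md5 = file_digests(p)
        entries.append({"path": rel, "size": p.stat().st_size, "sha256": sha, "md5": md5})
    return {"format": "example-hash-manifest/1", "entries": entries}


def manifest_bytes(manifest):
    """Canonical serialisation (sorted keys, no whitespace) so the digest is reproducible."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode("utf-8")


def manifest_hash(manifest):
    """SHA-256 of the canonical manifest: the one value that would go into an RFC 3161 request."""
    return hashlib.sha256(manifest_bytes(manifest)).hexdigest()


def verify_export(root, manifest):
    """Re-hash the export and report files that changed, vanished, or appeared since the manifest."""
    expected = {e["path"]: e for e in manifest["entries"]}
    present = dict(export_files(root))
    mismatched = []
    for rel, entry in expected.items():
        if rel in present:
            sha, md5 = file_digests(present[rel])
            if sha != entry["sha256"] or md5 != entry["md5"]:
                mismatched.append(rel)
    missing = sorted(set(expected) - set(present))
    extra = sorted(set(present) - set(expected))
    return {"ok": not (mismatched or missing or extra),
            "mismatched": mismatched, "missing": missing, "extra": extra}


def demo_manifest():
    """Constructed export: build the manifest, verify clean, alter one message, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        msgs = root / "01_Messages"            # hypothetical folder name
        msgs.mkdir()
        (msgs / "msg-0001.eml").write_bytes(b"Subject: Q3 budget\r\n\r\nconstructed body\r\n")
        (msgs / "att-0001.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")

        manifest = build_manifest(root)
        (root / MANIFEST_DIR).mkdir()
        (root / MANIFEST_DIR / MANIFEST_NAME).write_bytes(manifest_bytes(manifest))
        digest_for_tsa = manifest_hash(manifest)

        clean = verify_export(root, manifest)
        # Simulate a post-collection edit to one message body.
        (msgs / "msg-0001.eml").write_bytes(b"Subject: Q3 budget\r\n\r\nedited body\r\n")
        tampered = verify_export(root, manifest)
        # Re-read the stored manifest and confirm its digest still equals the timestamped value.
        stored = json.loads((root / MANIFEST_DIR / MANIFEST_NAME).read_bytes())
        return {"manifest_hash": digest_for_tsa,
                "stored_matches": manifest_hash(stored) == digest_for_tsa,
                "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo_manifest(), indent=2))
```

The point a reviewer should take from this: once the manifest digest has been timestamped, any later change to a collected file shows up as a hash mismatch, and any change to the manifest itself shows up as a digest that no longer matches the TSA token. Verifying the TSA response itself (the signature over that digest and the authority's certificate chain) is the separate step the bundled VerifyTimestamp.bat is described as performing.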
§ 05/Microsoft Graph permissions
The scopes we ask for, and why.
| Scope | Mode | Why |
|---|---|---|
| User.Read | Both modes | Read the operator's profile for the chain-of-custody manifest. |
| Mail.Read | Both modes | Read mail from /me/messages in Personal mode, and fall back to the operator's own mailbox for self-collection scenarios. |
| People.Read | Both modes | Power the Outlook-style autocomplete on the by-correspondent picker. Read-only against /me/people; no contact data is exported. |
| offline_access | Both modes | Refresh token so a long collection doesn't require re-authenticating every hour. |
| Mail.Read.Shared | Enterprise | Read a custodian's mailbox, authorized by Add-MailboxPermission granting the operator Full Access. |
| Files.Read.All | Enterprise | Read files from custodian OneDrive. Admin-restricted. |
| Sites.Read.All | Enterprise | Read files and pages from SharePoint sites the operator has membership on. Admin-restricted. |
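An infosec team that wants to confirm the "delegated scopes only" claim for itself can inspect the Graph access token the app actually obtains: a delegated token carries the granted scopes in its `scp` claim, while an application-permission token carries a `roles` claim instead. The check below is an added example, not Krellix code; it decodes a token's claims without verifying the signature (it is a policy inspection of a token already in hand, not authentication) and compares the `scp` set against the scopes listed above. The tokens it runs on are constructed, unsigned stand-ins built inside the example. `offline_access` is deliberately left out of the expected sets: it governs refresh-token issuance and does not appear in the Graph access token's `scp` claim.

```python
import base64
import json

# Delegated scopes the page lists, per mode. offline_access controls refresh-token
# issuance and is not part of the Graph access token's scp claim, so it is absent here.
PERSONAL_SCOPES = {"User.Read", "Mail.Read", "People.Read"}
ENTERPRISE_SCOPES = PERSONAL_SCOPES | {"Mail.Read.Shared", "Files.Read.All", "Sites.Read.All"}


def _b64url_decode(segment):
    """Base64url decode, restoring the padding that JWT segments strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Return the payload claims of a compact JWT. The signature is NOT verified: this is
    an inspection of a token the operator already holds, not an authentication step."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_delegated_scopes(token, mode):
    """Flag application permissions, missing delegated scopes, or scopes beyond the documented set."""
    allowed = ENTERPRISE_SCOPES if mode == "Enterprise" else PERSONAL_SCOPES
    claims = jwt_claims(token)
    findings = []
    if "roles" in claims:
        findings.append("roles claim present: token carries application permissions")
    granted = set(claims.get("scp", "").split())
    if not granted:
        findings.append("scp claim missing or empty: no delegated scopes")
    beyond = sorted(granted - allowed)
    if beyond:
        findings.append("scopes beyond the documented set: " + " ".join(beyond))
    return {"ok": not findings, "granted": sorted(granted), "findings": findings}


def constructed_token(payload):
    """Unsigned stand-in for a Graph access token, constructed for this example only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(payload) + ".unsigned"


def demo_scope_check():
    """Four constructed tokens: two matching the page, one over-broad, one app-only."""
    aud = "https://graph.microsoft.com"
    cases = {
        "personal_ok": ("Personal", {"aud": aud, "scp": "Mail.Read People.Read User.Read"}),
        "enterprise_ok": ("Enterprise", {"aud": aud, "scp":
            "Files.Read.All Mail.Read Mail.Read.Shared People.Read Sites.Read.All User.Read"}),
        "too_broad": ("Personal", {"aud": aud, "scp": "Mail.Read Mail.ReadWrite User.Read"}),
        "app_only": ("Enterprise", {"aud": aud, "roles": ["Mail.Read"]}),
    }
    return {name: check_delegated_scopes(constructed_token(payload), mode)
            for name, (mode, payload) in cases.items()}


if __name__ == "__main__":
    print(json.dumps(demo_scope_check(), indent=2))
```

Run against a real token, the `aud` claim should also be checked for the Graph resource, and the set of granted scopes should match the mode in use: a Personal-mode sign-in that yields `Mail.Read.Shared` or `Files.Read.All` would be a finding even though those scopes are documented for Enterprise mode.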
Security conversation
Want a deeper security conversation before a pilot?
Email us and we'll set up a 30-minute call to walk through the data flow, the signing infrastructure, and any questions your infosec team wants answered in writing.