Your notes never leave your device

Process isolation

Moss is built on Electron with context isolation enabled. This means the user interface (the renderer) runs in a separate process from the system-level code and cannot directly access Node.js, the filesystem, or any Operating System APIs. The two sides communicate through a narrow, explicitly defined bridge (the “preload”) with typed message channels, so even if a vulnerability were introduced in the UI layer, it could not escalate to system access without passing through that controlled interface, which only accepts an explicit message format.

Agent sandboxing

The AI agent's file and shell operations are confined to the ~/Moss/ workspace directory. Write operations are further restricted to Markdown (.md) files. The agent cannot modify application metadata, configuration files, or anything outside the workspace. Web research tools (WebFetch, WebSearch) are proxied through Anthropic's servers with no direct connections to third-party sites. The agent also has sandboxed Bash access with its working directory locked to the workspace. Shell commands execute locally and are subject to the model's built-in safety constraints.

Path traversal & symlink protection

Before any file operation, paths are resolved to their real, absolute location on disk, following symlinks to their true destination. This prevents an attacker from using symbolic links or ../../ sequences to escape the workspace boundary. Paths containing null bytes (a classic injection technique) are also rejected outright.

SSRF prevention

Server-Side Request Forgery (SSRF) is an attack where a system is tricked into making network requests to internal services it shouldn't access. Moss blocks the AI agent from fetching any private or internal network address, including localhost, 10.x, 192.168.x, 172.16.x, link-local ranges, and .local domains, before the request ever leaves the application.

No runtime code loading

The application ships as a self-contained binary with no external code dependencies at runtime. There are no CDN dependencies, dynamically loaded scripts, or runtime code fetches. Updates are delivered as signed, notarized binaries through Electron's built-in updater (see Code signing below) — not as live code patches. This eliminates supply-chain attacks where a compromised external resource could inject malicious code into a running session.

Code signing & notarization

Every release is signed with an Apple Developer certificate and notarized by Apple, meaning Apple has scanned the binary for known malware before distribution. macOS verifies this signature before allowing the app to run, and Electron's built-in updater verifies the signature of each update before applying it. This ensures that the code running on your machine is exactly what was published and has not been tampered with in transit.

Encryption at rest

Notes are stored as plain Markdown files on your local filesystem. Moss does not add a proprietary encryption layer because your operating system already provides full-disk encryption — FileVault on macOS (XTS-AES-128). This means notes are protected by the same encryption that secures the rest of your device, managed by your organization's existing endpoint policies.

Credential storage

Authentication is handled by the Claude Code CLI, which stores credentials in macOS Keychain — the operating system's encrypted credential vault, the same store used by Safari, Mail, and other system applications. Credentials are written to the Keychain via the CLI's own secure storage path. Moss does not read, copy, or cache these credentials; the SDK subprocess accesses them directly through the CLI's credential store. Moss just knows whether you are logged into the Claude Code CLI.

Local session history

Each AI agent session records the user prompt, agent response text, tool call names and counts, model used, and start/end timestamps in the note's local meta.json file. This data remains on your device and is never transmitted externally. If your organization has additional auditing requirements, contact security@mossnotes.app.

Authentication flow

AI features require authenticating through the Claude Code CLI (claude), which handles the full OAuth flow (Authorization Code with PKCE) and credential lifecycle. PKCE (Proof Key for Code Exchange) prevents authorization code interception by binding each login attempt to a cryptographic challenge (SHA-256). Moss checks for valid CLI credentials at startup and surfaces the status in Settings, but does not participate in the authentication exchange itself — there is no login flow, token refresh logic, or credential management code in the Moss application.

Data residency

All notes reside on your device in the jurisdiction of your choosing. No cross-border data transfer occurs for stored notes. When the AI agent is used, prompts and referenced note content are transmitted to Anthropic's US-based API. Organizations with strict data residency requirements should evaluate this against their policies. See Anthropic's Privacy Policy for API data handling details.

Data sovereignty

You retain full ownership and control of all note data. Notes are standard Markdown files on your filesystem. No proprietary format, no vendor lock-in, no export process needed. If you stop using Moss, your files remain exactly where they are, readable by any text editor.

GDPR (EU General Data Protection Regulation)

GDPR governs the collection and processing of personal data for EU residents. Moss collects only pseudonymous telemetry (a random device UUID and event names) with no mechanism to link it to an identified individual. No note content, user names, email addresses, or other directly identifying information is collected. AI usage is opt-in. The absence of user accounts means there is no personal data profile to manage or breach, and access requests can be fulfilled by uninstalling the app (which removes the local device ID).

CCPA (California Consumer Privacy Act)

CCPA gives California residents the right to know what personal information is collected and to request its deletion. Moss does not collect personal information as defined by CCPA. Telemetry uses an anonymous device ID with no way to link it to a named individual. No data is sold or shared with third parties for advertising.

NYDFS Cybersecurity Regulation (23 NYCRR 500)

New York's financial cybersecurity regulation requires covered entities to assess and manage third-party service provider risk. Because Moss stores data locally rather than in a vendor-managed cloud, it reduces the scope of third-party risk assessments for stored data. The AI agent is the only external dependency. Its data handling is governed by Anthropic's Privacy Policy and can be evaluated independently. AI features are opt-in and can remain disabled.

DORA (EU Digital Operational Resilience Act)

DORA requires financial entities to manage ICT third-party risk, including concentration risk from critical cloud providers. Moss's local-first architecture means your notes are available even if every external service goes offline. The only third-party ICT dependency is Anthropic's API for optional AI features, a clearly bounded, non-critical dependency that does not affect core note-taking functionality.

Right to deletion

Delete a note by deleting its directory from your filesystem. There are no Moss-side server copies, no recycle bins in a vendor cloud, and no retention policies to navigate. If the AI agent was used, prompts and referenced content were transmitted to Anthropic's API; Anthropic's data retention policies govern that data (see their Privacy Policy). Telemetry data is pseudonymous and cannot be linked back to an individual user.