Trust & Security
Your Code Stays on Your Computer
NORDON was built with one simple rule: your data is yours. We designed the entire system so that your code and context never leave your machine unless you decide otherwise.
Security by Design
31+ secret patterns redacted · 28+ file types blocked · SSRF protection · CSP headers · Rate limiting · Zero telemetry · Local-first always
Security isn't a feature we added — it's the foundation we built on. Every design decision starts with "how do we keep the developer's data safe?"
Your code stays on your computer
NORDON runs entirely on your machine. All your memories, decisions, and coding context are stored in a local database file. Nothing goes to the cloud. Nothing leaves your computer. It's like keeping a diary that only you can read.
We don't see your data
We have no access to your code, your memories, or your projects. We don't collect usage data. We don't track what you're building. We built NORDON so that your data is yours — completely and permanently.
31 secret patterns, automatically redacted
If your AI assistant encounters API keys, passwords, tokens, or credentials during a session, NORDON automatically detects and removes them before storing any memory. The policy engine scans for 31 distinct secret patterns — including AWS keys, GitHub tokens, Stripe keys, JWTs, database connection strings, and more. Your secrets never end up in memory entries, even by accident.
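The redaction step described above, as an added example that is not NORDON's own code: a small policy gate that runs a list of secret detectors over a candidate memory entry before it is stored and records only detector names and hit counts, never the matched values. The six patterns here are assumptions standing in for the kinds of secrets the page names (NORDON's 31 patterns are not published on this page), and the session text is constructed.

```python
import re

# Illustrative detectors, constructed for this example; they stand in for the
# kinds of secrets the page lists and are not NORDON's own 31 patterns.
# Specific detectors run before the generic key/value catch-all so that each
# secret is attributed to exactly one detector.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
     "[REDACTED:aws_access_key_id]"),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
     "[REDACTED:github_token]"),
    ("stripe_key", re.compile(r"\b[sr]k_(?:live|test)_[0-9A-Za-z]{24,}\b"),
     "[REDACTED:stripe_key]"),
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}"),
     "[REDACTED:jwt]"),
    # user:password@host inside a database URL; the whole URL is dropped
    # because the host name can itself be sensitive.
    ("db_connection_string",
     re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^\s/:@]+:[^\s@]+@[^\s'\"]+"),
     "[REDACTED:db_connection_string]"),
    # Generic `password = value` / "secret": "value" assignments. The key name
    # is kept (group 1) and only the value is replaced; the negative lookahead
    # stops this catch-all from re-wrapping a value an earlier detector redacted.
    ("password_assignment",
     re.compile(r"(?i)\b((?:password|passwd|pwd|secret|api_key|token)['\"]?\s*[=:]\s*['\"]?)(?!\[REDACTED)([^\s'\"]+)"),
     r"\g<1>[REDACTED:password_assignment]"),
]


def redact(text: str) -> tuple[str, dict[str, int]]:
    """Run every detector over `text`. Returns the scrubbed text and a count
    of hits per detector; the counts are what an audit log would record."""
    findings: dict[str, int] = {}
    for name, pattern, replacement in SECRET_PATTERNS:
        text, count = pattern.subn(replacement, text)
        if count:
            findings[name] = count
    return text, findings


def prepare_memory_entry(raw: str) -> dict:
    """Gate a candidate memory entry the way a local policy engine would:
    what gets stored is always the redacted form."""
    content, findings = redact(raw)
    return {"content": content, "redactions": findings}


# Constructed sample of what an assistant session transcript might contain.
SAMPLE_SESSION = """\
Set AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE in the deploy script.
export GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
stripe.api_key = "sk_test_abcdefghijklmnopqrstuvwx"
DATABASE_URL=postgres://app:hunter2@db.internal:5432/prod
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dBjftJeZ4CVPmB92K27uhbUJU1p1r_wW1gFWFOEjXk
config = {"password": "correct-horse-battery"}
Unrelated note: refactor the parser to use a state machine.
"""

if __name__ == "__main__":
    entry = prepare_memory_entry(SAMPLE_SESSION)
    print(entry["content"])
    print("redactions:", entry["redactions"])
```

The detector order and the lookahead in the last pattern are the parts worth copying: without them a generic "key = value" rule would either claim a Stripe key before the Stripe detector sees it or wrap an already-redacted placeholder a second time, and the audit trail would misattribute what was found.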
28 file types, automatically ignored
Files like .env, private keys, credentials files, and certificate files are never read or stored. NORDON has a built-in blocklist of 28 sensitive file patterns, and you can add your own. If a file shouldn't be remembered, it won't be.
Encrypted when stored, encrypted when shared
Your local database can be encrypted at rest. If you choose to share memories with your team, everything is encrypted end-to-end before it leaves your machine. The encryption keys stay with you — we never have them.
You can see everything that happens
Every time NORDON reads, writes, or shares a memory, it's logged. You can review the full audit log anytime. If you need to prove to your security team exactly what NORDON does, the logs have the answer.
Your team sets the rules
With team and enterprise plans, you can create rules about what gets stored, how long it's kept, and who can see it. Rules are enforced locally on every developer's machine — no exceptions.
Server-Side Request Forgery prevention
The NORDON API validates and sanitizes all URLs and webhook targets. Internal network addresses are blocked by default. Configurable allowlists ensure webhooks can only reach approved destinations.
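The webhook-target validation described above, as an added example that is not NORDON's own code: it rejects non-HTTP schemes and URLs carrying credentials, applies an optional host allowlist, resolves the host, and refuses the target if any resolved address is non-public (loopback, link-local, private, multicast, or an IPv4-mapped IPv6 form of one of those). The `Verdict` type, the `table_resolver` DNS table and the host names in it are constructed for this example.

```python
import ipaddress
import socket
from dataclasses import dataclass
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str
    addresses: tuple  # vetted IP addresses the caller should connect to


def _is_public(ip) -> bool:
    """True only for globally routable unicast addresses."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is really 127.0.0.1
    return ip.is_global and not (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def system_resolver(host: str) -> set:
    """Live DNS lookup; used when no table resolver is injected."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return set()
    return {ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos}


# Constructed DNS table so the example runs offline. The names and the
# addresses they map to are assumptions made for this example.
FAKE_DNS = {
    "hooks.partner.example": {"93.184.216.34"},
    "metadata.internal": {"169.254.169.254"},
    "rebind.example": {"93.184.216.34", "10.0.0.5"},   # mixed public/private records
    "mapped.example": {"::ffff:127.0.0.1"},            # loopback hidden in IPv6
}


def table_resolver(host: str) -> set:
    return {ipaddress.ip_address(a) for a in FAKE_DNS.get(host, set())}


def check_webhook_target(url: str, allowlist=None, resolver=system_resolver) -> Verdict:
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return Verdict(False, f"scheme {parts.scheme!r} not allowed", ())
    if parts.username is not None or parts.password is not None:
        # user@host forms are a classic way to make a URL look allowlisted.
        return Verdict(False, "credentials in URL are not allowed", ())
    host = parts.hostname  # lower-cased, IPv6 brackets stripped
    if not host:
        return Verdict(False, "missing host", ())
    if allowlist is not None and host not in allowlist:
        return Verdict(False, f"host {host!r} not in allowlist", ())
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    addresses = {literal} if literal is not None else resolver(host)
    if not addresses:
        return Verdict(False, f"host {host!r} did not resolve", ())
    blocked = sorted(str(ip) for ip in addresses if not _is_public(ip))
    if blocked:
        return Verdict(False, f"resolves to non-public address {blocked[0]}", ())
    return Verdict(True, "ok", tuple(sorted(str(ip) for ip in addresses)))


if __name__ == "__main__":
    for target in ("https://hooks.partner.example/notify", "https://metadata.internal/",
                   "http://[::1]:8080/", "https://rebind.example/", "https://mapped.example/"):
        print(target, "->", check_webhook_target(target, resolver=table_resolver))
```

One caveat a validator like this cannot solve on its own: the check resolves the name once, and a second resolution at connect time may return a different answer. The returned `addresses` exist so the HTTP client can connect to the vetted address directly (sending the original host in the Host header) instead of resolving the name again.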
Content Security Policy headers on every response
The dashboard and API include strict Content Security Policy headers to prevent XSS attacks. Script sources, style sources, and connection targets are all explicitly whitelisted.
Built-in rate limiting on all API endpoints
Every API endpoint has configurable rate limits to prevent abuse. The daemon tracks request rates per client and returns clear error messages when limits are exceeded.
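The two response-level controls described above (Content Security Policy headers on every response, and per-client rate limits with a clear error when exceeded), as one added example that is not NORDON's own code. It wraps a request handler so that every response, including the 429 refusal, carries the CSP header, and meters each client with a token bucket. The directive list, the bucket parameters and the `FakeClock` used to exercise it without sleeping are assumptions made for this example.

```python
import math
import time
from dataclasses import dataclass

# Strict policy: nothing loads unless a directive explicitly names its source.
# The exact directive list is an assumption for this example; the page only
# says script, style and connection targets are whitelisted.
CONTENT_SECURITY_POLICY = "; ".join([
    "default-src 'none'",
    "script-src 'self'",
    "style-src 'self'",
    "connect-src 'self'",
    "img-src 'self'",
    "frame-ancestors 'none'",
    "base-uri 'self'",
    "form-action 'self'",
])


@dataclass
class Bucket:
    tokens: float
    updated: float


class RateLimiter:
    """Per-client token bucket: up to `capacity` requests in a burst,
    refilled continuously at `rate` requests per second."""

    def __init__(self, capacity: int, rate: float, clock=time.monotonic):
        self.capacity = capacity
        self.rate = rate
        self.clock = clock
        self.buckets: dict[str, Bucket] = {}

    def check(self, client_id: str) -> tuple[bool, float]:
        """Returns (allowed, seconds until the next request would be allowed)."""
        now = self.clock()
        bucket = self.buckets.get(client_id)
        if bucket is None:
            bucket = self.buckets[client_id] = Bucket(tokens=float(self.capacity), updated=now)
        bucket.tokens = min(float(self.capacity), bucket.tokens + (now - bucket.updated) * self.rate)
        bucket.updated = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True, 0.0
        return False, (1.0 - bucket.tokens) / self.rate


def handle_request(limiter: RateLimiter, client_id: str, handler) -> dict:
    """Apply the limiter, then call `handler()` -> (status, body).
    Security headers are attached to every response, refusals included."""
    headers = {
        "Content-Security-Policy": CONTENT_SECURITY_POLICY,
        "X-Content-Type-Options": "nosniff",
    }
    allowed, retry_after = limiter.check(client_id)
    if not allowed:
        wait = math.ceil(retry_after)
        headers["Retry-After"] = str(wait)
        body = {"error": "rate_limited",
                "message": f"Too many requests from {client_id}; retry in {wait}s"}
        return {"status": 429, "headers": headers, "body": body}
    status, body = handler()
    return {"status": status, "headers": headers, "body": body}


class FakeClock:
    """Deterministic clock so the limiter can be exercised without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    limiter = RateLimiter(capacity=3, rate=1.0, clock=clock)
    for _ in range(4):
        resp = handle_request(limiter, "client-a", lambda: (200, {"ok": True}))
        print(resp["status"], resp["headers"].get("Retry-After", ""), resp["body"])
```

Two details matter in practice: the limiter keys on a client identity the daemon assigns (an API key or session id), not on a header the client can set freely, and the refusal says how long to wait without revealing other clients' state.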
Built for regulated industries
Because everything runs locally by default, NORDON is a natural fit for teams that need SOC2, GDPR, or HIPAA compliance. Data stays where your compliance team wants it — on your own infrastructure.
Questions
Have security questions?
We're happy to answer any questions about how NORDON handles your data. Whether you need a security review for your team or want to report a concern, we're here.