EasyCC

Security at EasyCC

Last updated: February 7, 2026

Your data stays on your device. Your trust stays with us.

Our Security Approach

Local-First Architecture

The best way to protect your data is to never send it to us in the first place. EasyCC runs entirely on your computer—your files and work stay on your device and are never uploaded to our servers.*

  • Local processing: 100%
  • Files uploaded to our servers (in current version): 0
  • Where your data stays: Your device

*Note: When you use Claude AI, conversations are processed through Anthropic's API using your own credentials. See Anthropic's privacy policy.

Future cloud features: Version 2.0 will offer optional cloud sync for Pro users. The free tier will always remain fully local. Cloud sync will use end-to-end encryption.

What We Protect

  • Your credentials: Stored securely in your system's keychain (Windows Credential Manager, macOS Keychain)
  • Your project files: Protected by your operating system's file permissions—never leave your device
  • Your account data: Minimal data collection (email address for login) stored in encrypted databases
  • Auto-updates: Delivered securely over HTTPS with cryptographic signature verification

Security Standards & Compliance

We've designed our security controls following industry-standard frameworks:

  • SOC 2 Trust Service Criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy)
  • OWASP security best practices for web and desktop applications
  • Tauri security recommendations for desktop app development

Our Security Controls

We implement defense-in-depth across multiple layers:

Application Security:

  • Input validation on all user inputs
  • Content Security Policy (CSP) to prevent XSS attacks
  • File system operations scoped to project directories
  • Terminal output sanitization to prevent escape sequence injection

Data Protection:

  • Credentials stored in OS-native secure storage (never plaintext)
  • Auto-save with version history (never lose work)
  • File permissions enforced by operating system

Secure Development:

  • Regular dependency audits (cargo audit, npm audit)
  • Static analysis and security linting
  • Code review before all releases
  • Signed installers to prevent tampering

Secure Updates:

  • HTTPS-only update delivery
  • Cryptographic signature verification
  • No auto-execution without user approval

Security Roadmap

Current Focus

  • ✅ Security documentation and policies
  • ✅ Regular dependency audits
  • ✅ Code signing for installers
  • ✅ Transparent security practices

Coming Soon

  • 📋 Third-party penetration testing
  • 📋 Public security bug bounty program
  • 📋 Security awareness training for team
  • 📋 Formal vulnerability disclosure policy

Future Considerations

  • 💭 Additional compliance certifications (based on customer needs)
  • 💭 External security audit
  • 💭 ISO 27001 alignment

Third-Party Services

For our website and account management, we use trusted third-party services:

Supabase - Database and authentication for website accounts. SOC 2 Type II certified.

Vercel - Website hosting with automatic HTTPS and DDoS protection. SOC 2 Type II certified.

Anthropic - Claude AI API (accessed using your own credentials). SOC 2 Type II certified.

Report Security Issues

Found a security vulnerability? We appreciate responsible disclosure.

Email: support@easycc.app

We'll respond within 48 hours and keep you informed throughout the remediation process.
