Last updated: April 8, 2026
dokusan is written from scratch in C. There are no open-source libraries, no package managers, no transitive dependencies. Every line of code is ours. There is no supply chain to compromise because there is no supply chain.
Your data is processed on your hardware. There are no API calls to third-party servers. No data leaves your machine. No conversation logs in someone else's data center. No training data contributions. The question and the answer stay with you.
Each customer gets a dedicated machine — not a VM, not a container, not a shared instance. If you host with us, your machine sits in a physically secured data center with controlled access. If you host at your location, you control the physical security entirely.
dokusan does not require inbound internet access to function. For on-premise deployments, the machine can run entirely air-gapped. For hosted deployments, only the ports required for your access (HTTPS for web, a secure tunnel for phone access) are exposed. There are no management backdoors.
Data at rest is encrypted using macOS FileVault (full-disk encryption with hardware-accelerated AES). Data in transit is encrypted via TLS 1.3. Phone access uses end-to-end encrypted tunnels.
In February 2026, a federal judge ruled that conversations with cloud AI platforms are fully discoverable in court (United States v. Heppner). Every prompt, every answer — on the record. dokusan keeps all of that on your private hardware. We have no access to your queries or your data, so there is nothing for us to produce in response to a subpoena.
In March 2026, the Trivy vulnerability scanner was compromised, leading to a supply chain attack on LiteLLM that exposed AWS tokens, SSH keys, and database passwords across thousands of organizations. Separately, a North Korean state actor compromised the Axios npm package — downloaded 100 million times per week — through social engineering of a single unpaid maintainer.
These are not hypothetical risks. They are the cost of trusting code you didn't write, maintained by people you don't know, funded by nobody. dokusan has no third-party dependencies, so it is not exposed to this class of compromise.
Our codebase is available for customer audit under NDA. If your compliance team or outside counsel needs to review the code, we'll arrange access. We have nothing to hide because we wrote all of it.
If you discover a security issue, email security@dokusan.ai. We take every report seriously and will respond within 24 hours.