Back to decli
Security

Security & trust

Last updated: June 28, 2026

Security-first architecture

decli treats your machine as the source of truth. Cloud features are opt-in and encrypted client-side when enabled.

Local vault encryption

API keys encrypted with AES-256-GCM. Keys never leave your device unless you enable sync.

Keychain integration

Optional macOS Keychain and 1Password CLI storage instead of flat files.

TLS 1.3 in transit

All HTTPS endpoints (*.decli.lvh.me locally, *.decli.dev in production) require modern TLS.

Zero-knowledge backups

Pro workflow backups encrypted with a passphrase-derived key — we cannot read contents.

Responsible disclosure

If you discover a vulnerability in decli, the CLI, or our APIs, email security@decli.dev with reproduction steps. We aim to acknowledge within 48 hours and ship fixes on a responsible timeline. We credit researchers in our changelog when desired.

Infrastructure

Production hosting uses industry-standard cloud providers with SOC 2 compliance. Payment processing is handled by Stripe. We maintain a minimal data footprint — see Privacy Policy.

Report vulnerabilities: security@decli.dev