Security & trust
Last updated: June 28, 2026
Security-first architecture
Local vault encryption
API keys encrypted with AES-256-GCM. Keys never leave your device unless you enable sync.
Keychain integration
Optional macOS Keychain and 1Password CLI storage instead of flat files.
TLS 1.3 in transit
All HTTPS endpoints (*.decli.lvh.me locally, *.decli.dev in production) require modern TLS.
Zero-knowledge backups
Pro workflow backups encrypted with a passphrase-derived key — we cannot read contents.
Responsible disclosure
If you discover a vulnerability in decli, the CLI, or our APIs, email security@decli.dev with reproduction steps. We aim to acknowledge within 48 hours and ship fixes on a responsible timeline. We credit researchers in our changelog when desired.
Infrastructure
Production hosting uses industry-standard cloud providers with SOC 2 compliance. Payment processing is handled by Stripe. We maintain a minimal data footprint — see Privacy Policy.