Perchnote raven, perched on a meeting notePerchnote

00 / Security

Paranoid on purpose.

Meeting audio is some of the most sensitive data on your machine. Perchnote is built so you do not have to trust us with it.

What stays local

Recording, transcription, speaker identification, and semantic recall all run on your Mac. Audio, transcripts, notes, and the database live under your own user folder. Daily backups are written locally too.

~/Library/Application Support/com.perchnote.app/

What can leave, and only when you choose

If you pick the Anthropic provider, the relevant transcript text (never the audio) goes to the API to generate notes or answer a question. If you share to Slack, the summary goes to your channel. Ollama and Apple Intelligence keep everything on-device. That is the whole list.

How the app is hardened

Secrets live in the Keychain

API keys, OAuth tokens, and webhook URLs go to the macOS Keychain, which is OS-encrypted. The database never holds a bearer token.

Hard content security policy

No unsafe-eval. Outbound connections from the UI are allow-listed. The web layer cannot phone home on its own.

No shell access

The UI cannot spawn processes or open arbitrary URLs. Opening a link goes through one narrow, scheme-checked command.

SSRF guards on calendar fetches

ICS feeds are fetched with a guard that rejects loopback, private, link-local, and cloud-metadata addresses, and refuses cleartext HTTP.

Paths and IDs validated

IDs are checked as UUIDs before they touch the filesystem, and every path is canonicalized against the app data folder.

Prompt injection treated as data

Transcripts and notes are fenced before they reach a model, and the system prompt says to treat fenced content as data, not commands.

One honest caveat: the database itself is plain SQLite. Turn on FileVault for at-rest protection of everything outside the Keychain. And if you want the long version, the full threat model is public. Check our work.