Trust

Your meetings stay on your Mac.

Nmonic listens to sensitive conversations — your team's, your customers', sometimes the first take on an idea you haven't sorted yet. That sets a high bar. This page is how we meet it.

EFFECTIVE 2026-06-15 · NEXT REVIEW 2026-09-15

The audio and the transcripts live in your Documents folder. The app runs on your Mac. The only piece that touches a server is the relay that brokers LLM calls — and it holds nothing in memory after the response returns.

i. How sign-in works

Two paths in, one token out. You either tap Sign in with Apple, or you ask for a magic link to your email. Both end the same way: the relay mints an nmk_ bearer token and the app stores it in the macOS Keychain (this-device-only, never synced to iCloud). The token is what authorizes copilot calls from then on.

01
Apple or email
SIWA returns an Apple identity token. Magic link sends a one-shot URL to your inbox.
02
Relay verifies
Apple JWKS check, or the email link redirects to a 60-second one-shot code the app exchanges.
03
Token minted
Previous tokens revoked. New nmk_ issued. Bound to your account, not your device.
04
Stored in Keychain
Service app.nmonic.tokens. This-device-only. Excluded from Time Machine and Migration Assistant.

The magic link uses a code-exchange step on purpose. Corporate email security (Safe Links, Proofpoint, Mimecast) prefetches URLs to sandbox them. If the bearer rode in the redirect, it would land in scanner logs. The 60-second code is useless to anything but the app.

ii. Where your data lives

Three rules. Audio and transcripts on your Mac. LLM calls memory-only on the relay. Calendar read-only and never transmitted.

+ On your Mac
  • Meeting audio captured from your mic and macOS loopback. Written to disk only if you keep the recording.
  • Transcripts and extracted commitments saved as JSON, one file per meeting.
  • Calendar context read from EventKit when you grant permission. Used to label meetings. Never sent off-device.
  • Your Keychain token, scoped to this device only.
~ Through the relay
  • LLM prompts — transcript text only, no audio — route through the relay to Anthropic.
  • Memory-only. The relay holds the request long enough to call the upstream model and stream the answer back. Nothing is persisted.
  • No transcript database. No analytics on what you discuss. No retention.
  • Auth records only. The relay's KV store holds user records, token records, and rate-limit counters. That's the full inventory.
~/Documents/Nmonic/ ├── meeting-1773096613/ # UNIX timestamp = when it started │ ├── audio.m4a │ ├── transcript.json │ └── summary.json └── meeting-1773698169/

iii. What we've audited

On 2026-06-15 we ran an internal adversarial audit of the auth surface — sign-in, token storage, relay endpoints, rate limits, CORS. Twenty findings. Seventeen shipped. Three are deferred as data-hygiene or low-risk nits, tracked openly.

Be clear about what this is: an internal review, not a third-party penetration test. We'll happily run the same surface past your security team or a firm you trust. The full write-up — every finding, the threat model, the suggested fix, the commit that landed it — is in the repo.

Severity
Found
Shipped
Deferred
Status
P0
3
3
0
closed
P1
6
6
0
closed
P2
4
4
0
closed
Nit
7
4
3
tracked

Reading material: the security overview covers the posture in one page. The 2026-06-15 audit has every finding and the commit that addressed it.

iv. What is not in scope yet

Honesty earns trust. Here is what we do not have.

v. Reporting a vulnerability

If you have found something, tell us. We will reply, we will fix it, we will credit you if you want the credit.

Security disclosure security@nmonic.app

Machine-readable disclosure metadata is at /.well-known/security.txt. For non-security questions, hello@nmonic.app is the front door.

vi. Deleting everything

Local app, local data. A few commands and it is gone.

rm -rf ~/Documents/Nmonic # Drag Nmonic to the Trash, or: rm -rf /Applications/Nmonic.app # Revoke the relay token from the sign-in screen, or email security@nmonic.app.

vii. If Nmonic ever vanishes

Because Nmonic is local-first, sunset does not mean what it usually means.

The Nmonic source code stays public on GitHub indefinitely. If we stop developing it, the last working build remains buildable. Your JSON transcripts keep working forever — they are plain text, not a proprietary format. There is no server we can turn off that would make your past meetings unreadable.

— mick.jae.johnson · maintainer

viii. The legal version

This page is the plain-English summary. The full privacy policy lives at /privacy and is the authoritative document if any phrasing here conflicts with it.