Security
Simple by design: offline defaults, short-lived tokens, and a small attack surface.
Threat model
BoundMi assumes you value local control over datasets and minimal online exposure. The desktop app works offline, stores annotations in simple JSON beside your images, and never requires an account.
Licensing & device association
- Licenses are signed server-side and validated with a short-lived token.
- Keys can be deactivated to move between devices.
- The device identifier is short and user-visible (you can set it).
Transport security
When the app talks to network endpoints (license checks, optional AI, updates), it uses HTTPS/TLS with standard ciphers. Optional AI endpoints are contacted only if you configure them and then trigger an AI action.
Local storage
Projects are plain folders under paths you control, which makes backups and audits straightforward. Use your OS’s encrypted volumes for sensitive datasets.
Updates
Packages are signed where supported and accompanied by SHA-256 checksums. You decide when to install — no forced restarts.
Vulnerability handling
If you believe you’ve found a security issue, email security@boundmi.com with steps to reproduce. We acknowledge quickly, ship a fix, and credit researchers who want recognition.
Last updated: 2025-09-27