Skip to main content
Security and trust boundary

Clanker Cloud security and trust boundary

The desktop keeps cloud credentials and cluster contexts on the machine running the app. Local MCP and optional bring-your-own-key model calls use that local runtime.

Hosted inference, voice, shared sandboxes, and enabled web-to-desktop relay are separate data paths. Clanker DevOps and Clanker Secretary use the Standard shared service, which currently uses the Gemini Developer API and shared global Cloudflare services. Secretary Pro starts protected onboarding, and any sovereign service is separately contracted; neither protected boundary is active until verified and activated in writing.

Credential custody can stay local, but content sent to hosted inference, voice, sandboxes, or remote relay crosses the boundary of the corresponding hosted service.

Credentials stay local

Cloud credentials, kubeconfig contexts, and repo access remain on the machine running the desktop app for normal local workflows.

BYOK is optional

Desktop model calls can use a team’s own provider key or local endpoint. Standard hosted inference instead uses the Clanker Cloud Gemini Developer API path.

Hosted paths are explicit

Standard sandbox content and hosted voice use Cloudflare services. Enabled web access temporarily relays instructions and responses to an enrolled desktop.

Review before apply

Read and plan flows come before execution, and maker mode requires explicit operator approval.

Supported providers

Works across the environments teams already run

The current product positioning covers cloud providers, Kubernetes, GitHub, and bring-your-own AI keys from one local operating surface.

Supports ->AWSGCPAzureOracle CloudTencent CloudKubernetesCloudflareHetznerDigitalOceanVercelGitHubBYOK
Boundary map

Where trust stays and where traffic goes

SurfaceWhere it livesWhat it means
Cloud credentials and kubeconfigLocal machineRaw provider access stays with the operator for normal desktop workflows.
Desktop workspace and chat historyLocal application files and SQLiteContent is not application-level encrypted today. Regulated deployments require FileVault, BitLocker, or equivalent managed full-disk encryption, device access controls, and an approved backup policy.
Desktop BYOK or local inferenceChosen provider or operator endpointPrompts and selected context go to that provider or endpoint; provider terms apply.
Standard hosted inferenceGoogle Gemini Developer APIPrompts and selected context are processed through the current hosted model path. Standard is not a protected regulated-data environment.
Standard sandboxes and hosted voiceShared global Cloudflare servicesSubmitted commands, files, runtime data, audio, transcripts, or speech cross the shared Standard boundary; account region is not a residency guarantee.
Web-to-desktop relayClanker Cloud portal and Google Cloud control-plane relay to an enrolled desktopWhen explicitly enabled, instructions, responses, status, device identifiers, and limited diagnostics are processed by a relay that is not end-to-end encrypted. Protected and sovereign accounts currently reject this path.
MCP endpointAuthenticated localhost runtimeLocal agents use a rotating per-launch capability; a bare endpoint URL is not authorized.
Execution approvalOperator in the appChanges require deliberate maker-mode approval.
Security model

Boundary rules in the current service

  • Normal local workflows do not require Clanker Cloud to permanently store cloud credentials or kubeconfigs.
  • Local-first does not mean the desktop content database is application-level encrypted. Regulated endpoint approval must verify managed full-disk encryption, account controls, screen locking, backup handling, and device recovery or wipe procedures.
  • BYOK is available for desktop workflows, but it is not the data path for every feature or the Standard hosted default.
  • Standard is a shared global service and must not be treated as a residency, HIPAA, CJIS, GDPR, professional-secrecy, or government compliance boundary.
  • A Secretary Pro purchase starts protected design and onboarding only; sovereign service is separately contracted. The current control plane rejects active protection until the private data plane and verified operator controls are delivered.
  • No silent background apply step hidden behind a chat response.
Best fit

Who cares about this boundary most

Teams with real infra

Operators with privileged access

Useful when production access already exists and the priority is faster grounded operations without moving that access to another vendor.

Cautious environments

Organizations that need local control

Local credential custody can reduce one hosted risk, while inference, sandbox, voice, relay, retention, identity, and contract boundaries still require separate review.

Agent-heavy workflows

Teams connecting their own agents

The local MCP surface keeps agent integrations close to the operator runtime and existing credentials.

FAQ

Common questions

Do credentials leave the machine?

Raw cloud credentials and kubeconfig contexts stay on the local machine for normal desktop workflows. Selected infrastructure evidence can be sent to the configured model provider, and content submitted to hosted inference, voice, sandboxes, or remote relay crosses those separate service boundaries.

Does Clanker Cloud require a hosted control plane for normal operations?

The desktop’s core provider workflow and local MCP surface run locally. Standard hosted inference, account services, shared sandboxes, hosted voice, downloads, and enabled web-to-desktop relay use hosted Clanker Cloud services.

How do other agents connect safely?

Local agents use the authenticated MCP endpoint and its rotating per-launch capability. Web access is a different, opt-in Google Cloud relay that is not end-to-end encrypted and requires an approved enrolled desktop; protected and sovereign accounts currently reject remote relay use.

Is Standard suitable for sensitive or regulated data?

No protected boundary is active in Standard. Clanker DevOps and Clanker Secretary use that Standard boundary. Do not submit sensitive or regulated data to hosted workflows until a Secretary Pro protected or separately contracted sovereign environment, approved providers, identity controls, retention terms, and required agreements are verified and marked active in writing.

Is desktop workspace content application-level encrypted?

Not today. Desktop workspace and chat content uses local application files and SQLite. A regulated deployment must enforce FileVault, BitLocker, or equivalent managed full-disk encryption plus managed device access, backup, recovery, and wipe controls until application-level content encryption is delivered and migrated.

Next step

Need the architecture view?

Read the workflow explainer or Cloud for Agents for the operational details behind this trust model.