Security & trust

Zoe acts in the world.
Here's how we make that safe.

When an AI can read your files, search the web, automate your browser, and run scripts on your machine, the safety model matters. Here's exactly how Zoe's security infrastructure works — and why it starts from a position of default-deny, not default-trust.

Policy model

Default-deny execution

Every autonomous capability is off until you explicitly enable it. File access, web search, browser automation, script execution — none of it runs without your policy allowing it. The default state is: Zoe asks, you approve.

Scope control

Resource pattern policies

You don't just turn capabilities on — you specify exactly what they can touch. Define which folders, domains, and services agents can access. Agents are bounded to the paths and services you define.

Rate limits

Daily action limits

Set a maximum number of file writes, web searches, browser actions, or tool calls per day — per action type. Zoe checks the counter before every tool call and stops at 95% of your limit to prompt before exceeding it.

Audit trail

Immutable audit log

Every tool call — allowed or blocked — is written to an immutable audit log with timestamp, result, and cost estimate. Security events (delivery blocked, symlink rejected, tool budget exceeded) are logged separately. 30-day minimum retention.
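The policy, scope, rate-limit and audit sections above describe one enforcement path: a tool call is denied unless a capability is enabled, its resource matches an allowed pattern, and the daily counter is below the limit, with a prompt at 95% and an audit record for every call. The following is an added illustration of that path written for this page; it is not Zoe's code. The `Policy`, `PolicyEngine` and `run_demo` names, the glob-pattern scope syntax and the sample policy are all assumptions constructed for the example.

```python
import fnmatch
import posixpath
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Added example (not Zoe's code): a default-deny tool-call policy engine with
# glob-scoped resources, per-capability daily limits that prompt at 95%,
# and an append-only audit log with separately collected security events.

PROMPT_THRESHOLD = 0.95  # stop and prompt once a call would reach 95% of the daily limit


@dataclass
class Policy:
    # capability -> allowed resource patterns (glob). A capability that is
    # absent, or has no patterns, is denied: this is what makes it default-deny.
    allowed: dict[str, list[str]] = field(default_factory=dict)
    # capability -> maximum actions per day; absent means no daily cap was set.
    daily_limits: dict[str, int] = field(default_factory=dict)


@dataclass
class Decision:
    outcome: str  # "allow", "deny" or "prompt"
    reason: str


class PolicyEngine:
    def __init__(self, policy: Policy):
        self.policy = policy
        self.counters: dict[str, int] = {}      # actions allowed today, per capability
        self.audit_log: list[dict] = []         # every call, allowed or blocked
        self.security_events: list[dict] = []   # scope violations and budget overruns

    def check(self, capability, resource, cost_estimate=0.0, approved=False):
        """Evaluate one tool call; only allowed calls consume the daily counter."""
        decision = self._evaluate(capability, resource, approved)
        if decision.outcome == "allow":
            self.counters[capability] = self.counters.get(capability, 0) + 1
        self._record(capability, resource, decision, cost_estimate)
        return decision

    def _evaluate(self, capability, resource, approved):
        patterns = self.policy.allowed.get(capability)
        if not patterns:
            return Decision("deny", "capability not enabled")
        # Collapse ".." segments before matching so "/allowed/../secret"
        # cannot satisfy a pattern written for "/allowed/*".
        if resource.startswith("/"):
            resource = posixpath.normpath(resource)
        if not any(fnmatch.fnmatchcase(resource, p) for p in patterns):
            return Decision("deny", "resource outside allowed scope")
        limit = self.policy.daily_limits.get(capability)
        if limit is not None:
            used = self.counters.get(capability, 0)
            if used >= limit:
                return Decision("deny", "tool budget exceeded")
            if not approved and used + 1 >= limit * PROMPT_THRESHOLD:
                return Decision("prompt", f"{used}/{limit} used; approaching daily limit")
        return Decision("allow", "within policy")

    def _record(self, capability, resource, decision, cost_estimate):
        # The resource is logged as presented (not normalized) so the audit
        # trail shows exactly what the agent asked for.
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "capability": capability,
            "resource": resource,
            "outcome": decision.outcome,
            "reason": decision.reason,
            "cost_estimate": cost_estimate,
        }
        self.audit_log.append(entry)
        if decision.reason in ("resource outside allowed scope", "tool budget exceeded"):
            self.security_events.append(entry)


def run_demo():
    """Scripted tool calls against a constructed sample policy."""
    policy = Policy(
        allowed={"file_read": ["/home/me/projects/*"], "web_search": ["*.python.org"]},
        daily_limits={"file_read": 20, "web_search": 3},
    )
    engine = PolicyEngine(policy)
    calls = [
        ("file_read", "/home/me/projects/notes.md", {}),
        ("file_read", "/home/me/projects/../.ssh/id_rsa", {}),  # traversal out of scope
        ("browser_action", "https://example.com", {}),           # never enabled
        ("web_search", "docs.python.org", {}),
        ("web_search", "docs.python.org", {}),
        ("web_search", "docs.python.org", {}),                   # 3rd call reaches 95%: prompt
        ("web_search", "docs.python.org", {"approved": True}),   # user approved: allowed
        ("web_search", "docs.python.org", {"approved": True}),   # hard limit: denied
    ]
    outcomes = [engine.check(cap, res, **kw).outcome for cap, res, kw in calls]
    return outcomes, engine


if __name__ == "__main__":
    outcomes, engine = run_demo()
    print(outcomes)
    print(len(engine.audit_log), "audit entries,", len(engine.security_events), "security events")
```

The in-memory lists stand in for an append-only store; the property that matters is that the engine only ever appends, and that a call that is refused for "not enabled" still lands in the audit log even though it is not a security event.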

Abort control

Abort at any time

Running agent doing something unexpected? One tap stops it mid-execution. Zoe polls for abort requests before every model call. When stopped, it tells you exactly what actions completed before the abort — and notes that completed work is not automatically reversed.

Encryption

End-to-end encryption

All API keys, OAuth tokens, and webhook secrets are encrypted using industry-standard encryption. Keys are never stored in plaintext. Your credentials stay secure.

Data sensitivity

Confidential task routing

Tasks marked as confidential or private are never routed to cloud models — they run exclusively on local models via your Desktop Bridge. Storage access is limited. Agent names and domains are excluded from logs.

Model ownership

BYO API keys

You connect your own API keys for OpenAI, Anthropic, Gemini, or local models via Ollama. We never hold your model credentials. Your usage, your billing, your control.

Authentication

Three-surface auth

Web app uses secure session cookies. Desktop app stores credentials in your system Keychain. Phone app uses secure device storage. All authentication tokens are stored securely and never exposed.

Network security


Webhook URLs are validated before they are used. Web content is sanitized before agents see it — agents never receive raw web data that could contain malicious code.

File safety


File reads and writes go through safety checks, such as symlink rejection, to prevent attacks. Delivery destinations are validated at task approval time so they can't be changed between approval and delivery.

Non-negotiable

No security delegated to LLMs

Security enforcement lives in code, not in prompts. We never rely on an AI model to decide whether an action is safe. All policy checks, rate limits, and security boundaries are enforced at the infrastructure layer.

The non-negotiables

  • No security decision is ever delegated to an AI model — enforcement lives in code, not prompts
  • When the database is unavailable, Zoe returns an error — it never fails open
  • Encryption keys are used only for their intended purpose and never cross purposes
  • Session tokens are never passed in URLs
  • All security comparisons use constant-time equality to prevent timing attacks
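Two of the non-negotiables, failing closed when the store is unavailable and comparing secrets in constant time, are shown together below in a session-token check. This is an added example for this page and not Zoe's implementation; the `SessionVerifier` class, the `StoreUnavailable` exception and the sample token store are constructed assumptions.

```python
import hmac
import secrets

# Added example (not Zoe's code): verify a presented session token with a
# constant-time comparison, and fail closed when the token store is down.

TOKEN_BYTES = 32
# Fixed-length dummy so an unknown session takes the same comparison path
# as a known one (no early return that reveals whether the session exists).
_DUMMY_TOKEN = "0" * 43  # length of secrets.token_urlsafe(32)


class StoreUnavailable(Exception):
    """Raised by the token store when its backing database cannot be reached."""


class SessionVerifier:
    def __init__(self, lookup):
        # lookup(session_id) -> stored token string, None if unknown,
        # or raises StoreUnavailable.
        self._lookup = lookup

    @staticmethod
    def issue_token():
        """Mint a fresh, unguessable session token (to be sent in a cookie, never a URL)."""
        return secrets.token_urlsafe(TOKEN_BYTES)

    def verify(self, session_id, presented_token):
        try:
            stored = self._lookup(session_id)
        except StoreUnavailable:
            # Fail closed: an outage is reported as "not authenticated",
            # never treated as success.
            return False
        if stored is None:
            hmac.compare_digest(_DUMMY_TOKEN, presented_token)  # burn the same time
            return False
        # hmac.compare_digest does not short-circuit on the first differing
        # byte, so the comparison time does not leak how much of the token matched.
        return hmac.compare_digest(stored, presented_token)


def run_demo():
    """Exercise the verifier against a constructed in-memory token store."""
    good = SessionVerifier.issue_token()
    tokens = {"sess-1": good}

    def lookup(session_id):
        if session_id == "sess-outage":
            raise StoreUnavailable("database unreachable")
        return tokens.get(session_id)

    verifier = SessionVerifier(lookup)
    return {
        "valid": verifier.verify("sess-1", good),
        "wrong": verifier.verify("sess-1", SessionVerifier.issue_token()),
        "unknown": verifier.verify("sess-2", good),
        "outage": verifier.verify("sess-outage", good),
    }


if __name__ == "__main__":
    for case, ok in run_demo().items():
        print(f"{case}: {'authenticated' if ok else 'rejected'}")
```

The naive alternative, `stored == presented_token`, returns as soon as one character differs; `hmac.compare_digest` is the standard-library way to avoid that, and catching the store exception before any comparison is what keeps the check from failing open.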

Questions about our security model?