A delegation IDE,
built on trust.
Noztos runs as a local agent on your machine and as a cloud sandbox when you need to be portable. This page explains how that works, what we store, and how it's protected.
Overview
Noztos has two execution surfaces — local and cloud — and you switch between them with one click. Your work stays continuous because the worktree state is mirrored, encrypted, between the two.
- Local — a small companion daemon runs on your Mac. Claude Code or any supported engine spawns there using your existing subscription. Free, no token charge from us.
- Cloud — an isolated Linux sandbox we provision on demand. Same files, same branch, same commit. Costs tokens + compute that come out of your credits or plan.
Architecture
Three pieces talk to each other over HTTPS / SSE. None of them talk to each other directly — everything routes through the Noztos server so authorisation, encryption, and routing decisions happen in one place.
- Companion daemon (local). Installed via npm, runs in your shell. Spawns the AI agent, watches your worktrees, mirrors state to our server.
- Noztos web app. The chat, file explorer, terminal, workflows — everything you interact with lives here. Nothing happens in the browser that the daemon (or cloud sandbox) doesn't execute.
- Cloud sandbox. Spun up on demand. Materialises your worktree bit-perfect from the encrypted mirror, runs the same agent there.
What we store
We store the minimum needed to make the local↔cloud switch instant + your chat history portable across devices. Everything else stays on your machine.
In Postgres
- Account & projects. Email, name, repos you connected, worktrees you created.
- Chat sessions & messages. The full transcript of every conversation, including tool calls and their results. Survives across devices and engine swaps.
- Tasks & workflow runs. The state of every delegated job — pending, running, done — with the iteration history.
- Worktree mirror. A content-addressed map of files in your active worktrees:
path → SHA-256 hash → encrypted blob. Lets cloud reconstruct a bit-perfect copy when you switch.
Never stored
- Local git history beyond what's needed to replay unpushed commits on cloud. Your
.gitdirectory stays on your Mac. - Files git ignores (
node_modules,.next, build artifacts, secrets in.envthat you don't opt-in to mirror). - Your subscription credentials. Claude OAuth tokens stay in your Mac keychain — they never leave your machine.
Encryption & access
Every byte of source code we store is encrypted with a per-user key. Even with full database access, a Noztos engineer cannot read your files without separate access to our KMS — which is audited and 2FA-gated.
| Layer | What it protects |
|---|---|
| TLS in transit | All HTTPS. Daemon, browser, sandbox. |
| Postgres at rest | Disk-level AES-256 (Supabase). |
| Per-user DEK | Each user gets a unique data encryption key. File contents are AES-256-GCM encrypted with it before write. |
| KMS-wrapped master | The DEKs themselves are wrapped by a master key in a hardware-backed KMS. Master never leaves the KMS. |
| Row-Level Security | Postgres policies enforce that user A can never query user B's rows, even on an app bug. |
| Hash integrity | Every blob is re-hashed on read; corrupted or tampered data fails closed. |
| Audit log | Internal access to KMS or admin endpoints is logged. Reads on production data require 2FA. |
Cloud mode
When you click Continue in the cloud on a worktree, we provision an isolated Linux sandbox from a trusted provider (E2B). It runs only your worktree. We materialise the files by fetching the encrypted blobs, decrypting them inside the sandbox, and verifying every byte by SHA-256.
- One sandbox per worktree. No shared state between projects, no cross-contamination between users.
- Ephemeral. Sandboxes are torn down when you switch back to local or after a long idle period. No persistent disk.
- Network egress. Sandboxes can install dependencies and reach the public internet — the same as your laptop would. We don't pin them to a closed network so your code can actually run.
Privacy & deletion
You own your data. You can delete it at any time from the account settings page.
- Right to erasure. Deleting your account revokes your DEK in our KMS — every encrypted byte we still hold becomes mathematically unreadable, immediately. A background sweep purges the actual rows within 7 days.
- Worktree deletion. Removing a worktree drops its mirror state and any active sandbox. Chat history + tasks are preserved (you can opt to wipe those individually).
- Data export. Export your chats, tasks, and worktree manifest at any time as JSON.
FAQ
Do you read my code?
No. Source code lives encrypted, scoped per user, behind RLS. An engineer with database access sees ciphertext, not your files. Decrypting requires separate access to the KMS, which is audited.
What happens if my Mac is offline?
Your daemon queues operations locally and resyncs when it reconnects. If you can't bring local back, switch the worktree to cloud — the encrypted mirror lets the sandbox pick up exactly where you left off.
Can I bring my own API key?
Yes. In cloud mode you can configure an Anthropic or OpenAI key on the project. That way we never see the tokens you spend.
Can I self-host?
Not yet. Enterprise self-hosted is on the roadmap once we hit compliance milestones (SOC 2 / ISO 27001). Until then, talk to us about a private deployment if you have a specific need.
What region is my data stored in?
Currently AWS us-west-2 (via Supabase Postgres). EU residency is planned alongside enterprise.