Architecture, in plain English
Dart Browser is a desktop application built on a hardened Chromium fork. It runs locally on your machine. The Dart Agent indexes your web context locally — your history, tabs, bookmarks, and local files — and answers queries using the model you have configured (local or cloud-based).
If you enable cloud sync (Pro tier and above), a small synchroniser sends a compressed representation of your semantic index to our servers so your agent has context across devices. This is index structure only — not URLs, not page content, not agent conversation text. The wire format contains vector embeddings and timestamps, not human-readable browsing data.
Encryption
- In transit. All connections from the browser and our website use TLS 1.3. Post-quantum hybrid key exchange (X25519 + ML-KEM-768) is enabled by default for connections to our services.
- At rest (cloud). Cloud-stored data is encrypted with AES-256-GCM at the storage layer, with keys managed by AWS KMS.
- At rest (local). The local semantic index is encrypted with AES-256 when full-disk encryption is not detected on the host OS. Encrypted using a key derived from your hardware identity key.
- Credentials. LLM API keys live in the OS keychain (Keychain on macOS, DPAPI on Windows, libsecret on Linux). They are never written to our database or transmitted.
Hardware identity layer
Dart’s identity layer uses your device’s secure hardware module to generate and store your identity key:
- TPM 2.0 on Windows and Linux: key generation and signing operations happen inside the chip. The private key is non-exportable at the hardware level.
- Apple Secure Enclave on macOS: same guarantees via the Secure Enclave Processor (SEP).
- Post-quantum algorithms. New identity keys are generated using ML-DSA (CRYSTALS-Dilithium). Session key exchanges use ML-KEM-768 (CRYSTALS-Kyber) in hybrid mode with X25519 for backwards compatibility.
The hardware attestation token — a signed certificate binding your key to your hardware — can be provided to relying parties (e.g. enterprise SSO) as proof of device health without revealing the private key.
Authentication & access control
- Personal accounts use passkeys (WebAuthn/FIDO2) or email + magic link. We do not store passwords.
- Team and Enterprise tiers support SSO via OIDC (Google Workspace, Microsoft Entra ID, Okta).
- Enterprise supports SCIM for user provisioning.
- All admin actions are logged and require re-authentication.
Subprocessors
We use a minimal set of operationally-required service providers:
- Amazon Web Services. Hosting, storage, compute. US regions.
- Stripe. Payment processing.
- Postmark. Transactional email.
- Sentry. Error tracking. Configured to scrub user content. Crash reports are opt-in only.
- Plausible Analytics. Privacy-respecting marketing analytics (no cookies, no personal data).
Compliance roadmap
- SOC 2 Type I. Audit underway; report expected Q4 2026.
- SOC 2 Type II. Observation window underway; report targeted end of 2026.
- GDPR / UK GDPR. Covered by our Privacy Policy and Data Processing Addendum (DPA available on request).
- HIPAA. Not applicable by default. Enterprise air-gapped deployments with local-only data may be HIPAA-compatible; contact enterprise@dartbrowser.com.
Air-gapped deployments
Enterprise customers can deploy Dart Browser in fully air-gapped environments. In this configuration: no cloud sync, no licence validation calls (offline licence tokens issued), no update server connections. The agent runs exclusively on a local model. Contact enterprise@dartbrowser.com for air-gap deployment guides.
Vulnerability disclosure
We operate a responsible disclosure programme. If you discover a security issue in Dart Browser, please email security@dartbrowser.com. We will acknowledge within 24 hours and aim to patch critical issues within 7 days. We request 90 days before public disclosure to allow time for a fix.
PGP key available on request from the same address.
Security questionnaires
Enterprise buyers often require a completed security questionnaire. Send your questionnaire to security@dartbrowser.com and we will turn it around within 5 business days.