Security & Privacy

Your data.
Your machine. Full stop.

Genesis OS was designed from day one with a single non-negotiable constraint: your data never leaves your hardware without your explicit, knowing consent.

Six commitments that cannot be revoked

Zero cloud telemetry

Genesis never calls home. No analytics, no error reporting, no A/B testing. There are no remote servers to send data to — because Genesis doesn't have any.

No cloud LLM APIs

All AI inference runs locally via Ollama. Your prompts, conversations, and context never touch OpenAI, Anthropic, Google, or any external API. Zero. Always.

Air-gap compatible

The full Genesis OS stack — including model weights, database, and voice — operates with no internet connection whatsoever. Pull the ethernet cable and everything still works.

You control your memory

All memories are append-only. Nothing is silently deleted. To remove a memory, you make an explicit memory.delete(id) API call — always initiated by you.

Open source — verify it yourself

The entire codebase is MIT licensed and publicly auditable. If you don't trust us, read the code. Every network call, every data write, every LLM prompt can be inspected.

Destructive action approval

Before any tool that writes files, executes shell commands, or sends messages runs, the UI shows you exactly what will happen and waits for your explicit confirmation.

Where your data goes — and doesn't

🏠 Stays on your machine — always

  • Your conversations and chat history
  • All files in your workspace
  • ChromaDB vector embeddings
  • SQLite memory database
  • Voice recordings and transcriptions
  • Screenshots and camera captures
  • Your identity profile and preferences
  • LLM model weights (via Ollama volumes)

🚫 Never leaves — no exceptions

  • Chat prompts and AI responses
  • Tool execution arguments
  • File contents read by the AI
  • Voice audio or transcriptions
  • Error logs or stack traces
  • Usage statistics or metrics

⚙️ Leaves only if you explicitly configure it

  • Web search (only search query, via local SearxNG)
  • Email (only when you explicitly say "send email")
  • URLs fetched by AI Browser (only the URL, not your identity)
  • Cloud model APIs (opt-in plugin only, not installed by default)
🔒 Network isolation

In Docker, all services communicate over an isolated Docker network. The daemon, Ollama, memory, and voice sidecars are not exposed to the public internet by default. Port 3000 serves only the UI.

🗄️ Storage encryption

Genesis stores data in GENESIS_DATA_DIR (default: ./data). Enable full-disk encryption on your OS (LUKS, FileVault, BitLocker) for at-rest encryption — Genesis doesn't need to do anything extra.

👤 Authentication

The daemon includes optional JWT authentication middleware (packages/daemon/src/auth.js). Pair with Caddy + Authelia for secure LAN access when hosting for a small team.

Every destructive action waits for you

GENESIS_APPROVAL_MODE=true (the default) means the AI can never write files, run shell commands, send emails, or delete anything without presenting you a clear confirmation UI first. You see exactly what will run, can edit it, or cancel.

  • Every tool with requiresApproval: true emits to the event bus
  • UI shows command/arguments with syntax highlighting before executing
  • Approve, edit, or reject — all within the chat interface
  • Audit log of every approved/rejected action persisted in SQLite
  • Set GENESIS_APPROVAL_MODE=false for fully autonomous mode (power users)

Approval flow

1. 💬 User says: "Delete all .log files from /var/logs"
2. 🧠 AI plans tool call: run_shell("find /var/logs -name '*.log' -delete")
3. 🛑 Tool has requiresApproval: true → emits approval_required on bus
4. 🪟 UI displays confirmation card with exact command, estimated files affected (23)
5. User clicks Approve → command runs. Or Cancel → nothing happens.
6. 💾 Decision logged to SQLite: who, what, when, approved/rejected
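
The flow above as a minimal gate, added here as an illustration and not taken from the Genesis code base. Only `requiresApproval` and `approval_required` come from the page; the `ApprovalGate` class, its `submit()`/`decide()` methods and the in-memory audit array (standing in for the SQLite log) are assumptions.

```javascript
// Added illustration, not Genesis source. ApprovalGate, submit(), decide() and
// the in-memory audit array are assumptions made for this example.
const { EventEmitter } = require('node:events');

class ApprovalGate extends EventEmitter {
  constructor(tools, { approvalMode = true } = {}) {
    super();
    this.tools = tools;        // name -> { requiresApproval, run }
    this.approvalMode = approvalMode;
    this.pending = new Map();  // id -> parked tool call, not yet executed
    this.audit = [];           // stand-in for the SQLite audit table
    this.nextId = 1;
  }

  // Called by the planner. Gated tools are parked, never run from here.
  submit(name, args) {
    const tool = this.tools[name];
    if (!tool) throw new Error(`unknown tool: ${name}`);
    if (!(this.approvalMode && tool.requiresApproval)) {
      return { status: 'executed', result: tool.run(args) };
    }
    const id = this.nextId++;
    this.pending.set(id, { name, args });
    this.emit('approval_required', { id, name, args }); // UI renders the card
    return { status: 'pending', id };
  }

  // Called by the UI. editedArgs carries the user's changes, if any.
  decide(id, user, decision, editedArgs) {
    const call = this.pending.get(id);
    if (!call) throw new Error(`no pending call ${id}`); // one decision per call
    this.pending.delete(id);
    const args = editedArgs ?? call.args; // run what was shown, not a re-plan
    this.audit.push({ who: user, what: { name: call.name, args },
                      when: Date.now(), decision });
    if (decision !== 'approve') return { status: 'rejected' }; // fail closed
    return { status: 'executed', result: this.tools[call.name].run(args) };
  }
}

// Constructed tools: run_shell only records the command it would execute.
const executed = [];
const gate = new ApprovalGate({
  run_shell: { requiresApproval: true,
               run: (a) => { executed.push(a.cmd); return 'ok'; } },
  read_file: { requiresApproval: false, run: (a) => `contents of ${a.path}` },
});
```

The properties worth checking in any real implementation are the ones this sketch enforces: a pending call can be decided only once, anything other than an explicit approve is treated as a rejection, and the audit row records the arguments that actually ran.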

What Genesis protects against

Honest about what's in scope — and what isn't.

✓ Mitigated

Prompt injection via file content

When file content is read and passed to the LLM, it is clearly demarcated as data, not instructions. The system prompt includes explicit instructions against treating file content as commands.

✓ Mitigated

Runaway shell commands

Shell execution is gated behind the approval system. The AI cannot run destructive commands without user confirmation. Approval mode is enabled by default and requires explicit opt-out.

✓ Mitigated

Data exfiltration via web requests

The AI Browser makes HTTP requests through a daemon proxy. The proxy does not include any session state, memory content, or identifying information in proxied requests.

✓ Mitigated

Unauthorised local access

JWT authentication middleware protects the daemon API. The lock screen in the UI prevents casual access on shared machines. Combine with OS-level auth for full protection.

⚠️ User responsibility

Physical machine access

Genesis doesn't encrypt data at rest itself — use your OS's full-disk encryption (LUKS/FileVault/BitLocker). A physically compromised machine is outside Genesis's security boundary.

⚠️ Out of scope

Malicious Ollama models

Genesis trusts the model weights you've configured. Only pull models from the official Ollama library or sources you trust. Malicious model weights are outside Genesis's threat model.

📖 Don't trust us. Read the code.

Genesis OS is MIT licensed. Every line of code — from the daemon's LLM client to the memory sidecar — is publicly auditable. If you want to verify that we're not logging your data, stealing your keys, or phoning home: the answer is in the source. No audit required, no NDAs, no "trust the privacy policy."

Security questions, answered honestly

No. All LLM inference runs through Ollama on your local machine. There are no OpenAI, Anthropic, or Google API keys in the codebase. Cloud AI providers are explicitly listed under "What NOT to do" in the architecture spec. If you don't believe us, search the source for any fetch('https://api.openai.com') calls — you won't find any.
No. The read_file and write_file tools join all paths to GENESIS_PROJECT_ROOT using path.join(). Path traversal attempts (e.g. ../../etc/passwd) are caught and blocked. The workspace root is the security boundary for file operations.
Voice audio is captured via the Web Audio API, streamed to the local voice sidecar (port 7702), transcribed with faster-whisper, and immediately discarded. The audio bytes never touch a remote server. Only the text transcription is passed to the daemon.
Your memories are stored in GENESIS_DATA_DIR/chroma (ChromaDB) and GENESIS_DATA_DIR/genesis.db (SQLite). These are standard files on your filesystem. You can copy, back up, export, or delete them at any time. Genesis has no lock-in on your own data.
Yes — assuming your corporate policy allows local AI tools. Because Genesis runs entirely offline and never calls external APIs, it doesn't carry the data governance risks of cloud AI tools. For extra assurance, enable GENESIS_APPROVAL_MODE=true and review the approval logs regularly.
When you browse via the AI Browser, pages are fetched through the daemon's /api/browse proxy. This proxy makes standard HTTP requests — no cookies, session tokens, or identity information are added. Your IP address is the only identifier that remote websites can see, which is the same as any direct browser request.
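
For the answer above about read_file and write_file: `path.join()` normalises a path but does not by itself stop `../` from climbing out of the root, so the block depends on a containment check after resolution. One way to write that check, added here as an example and not taken from the Genesis source; `resolveInWorkspace`, `checkSamples` and the temporary workspace are assumptions.

```javascript
// Added example, not Genesis source. resolveInWorkspace(), checkSamples() and
// the temp workspace are assumptions; root stands in for GENESIS_PROJECT_ROOT.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

function resolveInWorkspace(root, requested) {
  if (typeof requested !== 'string' || requested.includes('\0')) {
    throw new Error('invalid path');
  }
  const base = fs.realpathSync(root);
  // Joining only normalises: "../" segments still climb out of base, and
  // path.resolve() lets an absolute input replace base entirely.
  const candidate = path.resolve(base, requested);
  // Walk up to the deepest entry that exists and resolve symlinks there, so
  // a link inside the workspace cannot redirect the final path outside it.
  let existing = candidate;
  const tail = [];
  while (!fs.lstatSync(existing, { throwIfNoEntry: false })) {
    tail.unshift(path.basename(existing));
    existing = path.dirname(existing);
  }
  const real = path.join(fs.realpathSync(existing), ...tail);
  const rel = path.relative(base, real);
  if (rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    throw new Error(`path escapes workspace: ${requested}`);
  }
  return real;
}

// Constructed workspace: one file plus a symlink that points outside the root.
function checkSamples() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'genesis-ws-'));
  fs.writeFileSync(path.join(root, 'notes.txt'), 'demo');
  fs.symlinkSync(os.tmpdir(), path.join(root, 'link'));
  const verdicts = {};
  for (const p of ['notes.txt', 'sub/new.txt', '..notes', '../../etc/passwd',
                   '/etc/passwd', 'link/outside.txt']) {
    try { resolveInWorkspace(root, p); verdicts[p] = 'allowed'; }
    catch { verdicts[p] = 'blocked'; }
  }
  fs.rmSync(root, { recursive: true, force: true });
  return verdicts;
}
```

The check and the later open are separate steps, so a path that can be swapped for a symlink in between still needs handling at open time.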

Privacy isn't a feature.
It's the foundation.

Start using an AI that you can fully trust — because you can fully verify it.