Security & data handling
The page for the technical evaluator and the InfoSec reviewer. What runs locally, what leaves your machine, how permissions and the audit trail work, and which controls are Enterprise-only — stated plainly, with no overclaiming.
What stays local, and what is sent to the model
The most important thing an evaluator needs is an honest data-flow diagram in words. Here it is, without softening.
Stays on your machine
- Your files, documents, and folders
- App data, settings, and local configuration
- The audit log of everything the agent did
- Files the agent creates, edits, or deletes
Sent to the model provider
- The current instruction and recent conversation
- The specific slice of a file or screen a step needs
- Enough context for the model to plan the next action
- Model requests are routed through Lapu infrastructure to reach the provider
Two honest caveats. First, this is not an air-gapped system. A frontier model does the reasoning, so each planning step involves a network round-trip to the model provider, and those requests route through Lapu infrastructure. Anyone claiming a fully offline agent that still reasons with a frontier model is describing something Lapu AI is not. Second, what is sent is the minimal context a step requires (the relevant part of a file, a snippet of on-screen text, the current instruction), not your whole filesystem and not files you never referenced. Which part of a file or screen counts as relevant is chosen by the agent at each step, so when you evaluate, treat whatever is in the workspace or on screen during a task as potentially in scope. For the broader design philosophy, see AI agents and least privilege.
Local-first execution
Lapu AI is a native desktop application, not a browser tab pointed at a remote VM. It reads and writes files on your disk, drives your installed applications, and operates inside your environment. There is no Lapu cloud storage of your files or app data — the work happens on the machine you already trust.
For teams that cannot send reasoning context to a shared provider at all, custom and on-prem deployment options are available on the Enterprise plan, where the deployment topology and the model routing can be scoped to your requirements. That is an Enterprise arrangement, not the default on Free or individual paid tiers.
Permission model: per-action approval
Lapu AI does not run with a blanket grant. It approves low-risk work inside your chosen workspace and stops for an explicit human confirmation on anything consequential. High-risk actions always require confirmation — there is no setting that silences them.
| Action | Examples | Approval |
|---|---|---|
| Read inside workspace | List files, read a document, take a screenshot | Auto-approved; logged |
| Write inside workspace | Create, rename, or edit a file in the workspace | Auto-approved; logged |
| Delete / write outside workspace | Delete files, write to system folders or the registry | Explicit human confirmation |
| Run a shell command | Execute a command; pipes, redirects, and sudo flagged | Explicit human confirmation |
| Drive another app or browser | Fill forms, submit pages, control desktop apps | Confirmation with preview |
Approvals are scoped to the action in front of you. Approving one deletion is not a license to delete a different file later. For the full reasoning behind this design, see our deep dive on desktop AI permission models, and the deeper treatment of scoping tools narrowly in AI agent security.
Audit trail: what, when, and why — for up to 90 days
Every action the agent takes is written to a local audit log. Each entry records what happened (the action and its exact arguments), when it happened (timestamp), and why (the instruction that triggered it), plus the outcome — succeeded, rejected, or errored. You can replay a session and reconstruct exactly what the agent did.
Logs are stored on your machine and retained by default for up to 90 days. On individual plans they are not uploaded to Lapu servers. Configurable and longer retention, including export to a customer-managed sink for compliance, is available on the Enterprise plan. For the anatomy of an agent audit log, see the AI agent audit trail explained.
Process isolation
Lapu AI separates the user-interface layer, the agent reasoning loop, and the tool executors into isolated processes. The agent cannot bypass its own permission checks to call a tool you have not approved. Shell commands run in a subprocess the agent cannot replace at runtime, and file operations resolve symlinks before checking workspace boundaries so a symlink cannot be used to escape the workspace.
To be precise about the limit: this is application-layer isolation, not a kernel-level sandbox. The operating system provides the backstop beneath it: macOS System Integrity Protection blocks writes to protected system locations, and Windows User Account Control requires explicit consent before a process can elevate privileges. Those OS controls limit damage to the system itself if the application layer is ever bypassed; they do not protect files your own user account can already read and write, which is exactly what the application-layer workspace checks are for.
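One way to put the permission table, the symlink-resolving workspace check from the process isolation section, and the what/when/why/outcome audit entries from the audit trail section into working code, as an added example that is not Lapu AI's code. The approval tiers are the ones in the table; everything else (the names Decision, decide, inside_workspace, shell_flags, record, replay, the JSON-lines log layout, and the sample session in demo) is an assumption made for illustration. The workspace check resolves both paths with realpath before comparing and compares with commonpath rather than a string prefix, so neither a symlink inside the workspace nor a sibling directory such as ws2 passes as inside ws.

```python
"""Per-action approval gate, symlink-safe workspace check and local audit log.

Added example, not Lapu AI's code. Decision, decide, inside_workspace, shell_flags,
record, replay and the JSON-lines log layout are assumptions made for illustration;
only the approval tiers come from the permission table on this page.
"""
import json
import os
import shlex
import tempfile
import time
from dataclasses import dataclass

AUTO = "auto-approved; logged"
CONFIRM = "explicit human confirmation"
PREVIEW = "confirmation with preview"


@dataclass
class Decision:
    tier: str
    reason: str


def inside_workspace(workspace: str, path: str) -> bool:
    """Resolve symlinks and '..' on both sides before comparing, and compare with
    commonpath rather than startswith so /ws2 is not taken for a child of /ws."""
    root = os.path.realpath(workspace)
    target = os.path.realpath(path)
    return os.path.commonpath([root, target]) == root


def shell_flags(command: str) -> list:
    """Flag pipes, redirects and sudo; quoted text stays one token and is not flagged."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    flags = []
    for tok in lexer:
        if tok == "|":
            flag = "pipe"
        elif tok[0] in "<>":
            flag = "redirect"
        elif tok == "sudo":
            flag = "sudo"
        else:
            continue
        if flag not in flags:
            flags.append(flag)
    return flags


def decide(workspace: str, action: str, target: str = None, command: str = None) -> Decision:
    """Map one proposed action onto the approval tiers of the permission table."""
    if action == "shell":
        flagged = ", ".join(shell_flags(command)) or "none"
        return Decision(CONFIRM, f"shell command (flagged: {flagged})")
    if action == "drive_app":
        return Decision(PREVIEW, "drives another app or browser")
    if action not in ("read", "write", "delete"):
        raise ValueError(f"unknown action {action!r}")
    inside = inside_workspace(workspace, target)
    if action in ("read", "write") and inside:
        return Decision(AUTO, f"{action} inside workspace")
    # Deletes, and any path that resolves outside the workspace, stop for a human.
    # Reads outside the workspace are not in the table; requiring confirmation
    # for them is this example's assumption.
    return Decision(CONFIRM, "delete" if inside else f"{action} outside workspace")


def record(log_path: str, instruction: str, action: str, args: dict,
           decision: Decision, outcome: str) -> dict:
    """Append one what / when / why / outcome entry as a JSON line (assumed layout)."""
    entry = {"when": time.time(), "why": instruction,
             "what": {"action": action, "args": args},
             "approval": decision.tier, "reason": decision.reason, "outcome": outcome}
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def replay(log_path: str) -> list:
    """Reconstruct the session from the log, in the order the actions happened."""
    with open(log_path, encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]


def demo() -> list:
    """Push a constructed session through the gate and return the replayed log."""
    base = tempfile.mkdtemp()
    ws, outside = os.path.join(base, "ws"), os.path.join(base, "outside")
    os.makedirs(ws)
    os.makedirs(outside)
    os.symlink(outside, os.path.join(ws, "escape"))  # symlink inside ws -> outside
    log = os.path.join(base, "audit.jsonl")
    steps = [  # (why, action, args): constructed sample input
        ("summarise notes", "read", {"target": os.path.join(ws, "notes.txt")}),
        ("draft reply", "write", {"target": os.path.join(ws, "escape", "reply.txt")}),
        ("tidy up", "delete", {"target": os.path.join(ws, "old.txt")}),
        ("find todos", "shell", {"command": "cat notes.txt | grep TODO > todos.txt"}),
        ("sibling dir", "write", {"target": os.path.join(base, "ws2", "x.txt")}),
    ]
    for why, action, args in steps:
        d = decide(ws, action, target=args.get("target"), command=args.get("command"))
        outcome = "succeeded" if d.tier == AUTO else "awaiting confirmation"
        record(log, why, action, args, d, outcome)
    return replay(log)


if __name__ == "__main__":
    for e in demo():
        print(f'{e["what"]["action"]:6} -> {e["approval"]:28} {e["reason"]}')
```

Running it shows the read auto-approved, the write through the escape symlink and the write into ws2 both stopped as outside the workspace, the delete stopped even though it is inside, and the shell command stopped with pipe and redirect flagged. Every decision lands in audit.jsonl with the instruction that triggered it, which is what replay() reads back.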
Enterprise options
Some controls a security review asks for are scoped to the Enterprise plan, not shipped on every tier. Being clear about that line matters more than a longer feature list. Available on the Enterprise plan:
- SSO / SAML. The agent inherits the identity boundary the rest of the workstation already enforces.
- Dedicated SLA. Support and response commitments suited to a production deployment.
- Custom / on-prem deployment. Deployment topology and model routing scoped to your environment.
- Configurable audit retention. Retention beyond 90 days and export to a customer-managed sink for compliance evidence.
See pricing for the full plan breakdown, or write to security@lapu.ai to start a security review.
Compliance posture — stated honestly
We do not publish trust badges we have not earned. Lapu AI does not currently hold a SOC 2 certification, and nothing on this page should be read as claiming one. What Lapu AI offers today is the concrete, verifiable machinery a reviewer can inspect: local-first execution, per-action approvals, a replayable audit trail, and process isolation.
If your organisation has a specific compliance requirement, the right next step is a direct conversation about current status and Enterprise options rather than a checkbox on a marketing page. Contact security@lapu.ai.
Frequently asked questions
- Does Lapu AI upload my files to the cloud?
- No. Lapu AI runs on your macOS or Windows machine and reads and writes files locally. There is no Lapu cloud storage of your files or app data. The only data that leaves your machine is the minimal reasoning context a given step needs, which is sent to the model provider so the agent can decide what to do next. Model requests route through Lapu infrastructure to reach the provider.
- What data actually leaves my machine?
- Only the context a step requires — the relevant slice of a file, a snippet of on-screen text, the current instruction, and recent conversation — is sent to the model to plan the next action. Whole folders, entire files you did not reference, and your broader filesystem are not uploaded. This is not an air-gapped system: reasoning requires a round-trip to the model provider, and those requests route through Lapu infrastructure. We are precise about this rather than claiming the agent runs with no network at all.
- How does the permission model work?
- Lapu AI uses per-action approval. Reads inside your chosen workspace are auto-approved and logged. High-risk actions — deleting files, writing outside the workspace, running shell commands, driving other apps — always require an explicit human confirmation that shows the exact action before it runs. Approvals are not cached across different actions.
- How long are audit logs kept, and where?
- Every action is written to an audit log stored locally on your machine, retained by default for up to 90 days. Longer or configurable retention, including export to a customer-managed sink, is available on the Enterprise plan. Audit logs are not uploaded to Lapu servers on individual plans.
- Is Lapu AI SOC 2 certified?
- Lapu AI does not currently hold a SOC 2 certification, and this page does not claim one. If you have a compliance requirement, contact security@lapu.ai to discuss current status and enterprise options rather than relying on a marketing claim.
- Does Lapu AI support SSO and custom deployment?
- SSO/SAML, a dedicated SLA, and custom or on-prem deployment are available on the Enterprise plan. They are not enabled on the Free or individual paid tiers. Reach out to discuss which options fit your environment.
- Can Lapu AI take an action I did not approve?
- High-risk actions are gated behind explicit confirmation, so the agent cannot delete files, run shell commands, or act outside the workspace without you approving that specific action. Lapu AI is a desktop application, not a kernel-level sandbox — the operating system's own protections (System Integrity Protection on macOS, User Account Control on Windows) are the backstop beneath the application-layer permission checks.
Evaluate the controls on your own machine
The fastest security review is a hands-on one. Install Lapu AI, point it at a throwaway folder, run a task that writes and deletes, and watch the approval prompts and the audit trail. Then decide whether the trade-offs fit your environment.
Local-first execution · Per-action permission · 90-day local audit

Automate the work between you and outcomes
Lapu AI handles the repetitive work between you and outcomes. One desktop agent, zero tab-switching. Available now on macOS and Windows.
- 1-click uninstall
- Cancel anytime
- Files stay on your machine; only the context a step needs goes to the model
Free to start. Cancel in 1 click. Files stay on your machine.