
Security & data handling

The page for the technical evaluator and the InfoSec reviewer. What runs locally, what leaves your machine, how permissions and the audit trail work, and which controls are Enterprise-only — stated plainly, with no overclaiming.

What stays local, and what is sent to the model

The most important thing an evaluator needs is an honest data-flow diagram in words. Here it is, without softening.

Stays on your machine

  • Your files, documents, and folders
  • App data, settings, and local configuration
  • The audit log of everything the agent did
  • Files the agent creates, edits, or deletes

Sent to the model provider

  • The current instruction and recent conversation
  • The specific slice of a file or screen a step needs
  • Enough context for the model to plan the next action
  • Routed through Lapu infrastructure to reach the provider

Two honest caveats. First, this is not an air-gapped system. A frontier model does the reasoning, so each planning step involves a network round-trip to the model provider, and those requests route through Lapu infrastructure. Anyone claiming a fully offline agent that still reasons with a frontier model is describing something Lapu AI is not. Second, what is sent is the minimal context a step requires — the relevant part of a file, a snippet of on-screen text, the current instruction — not your whole filesystem and not files you never referenced. For the broader design philosophy, see AI agents and least privilege.

Local-first execution

Lapu AI is a native desktop application, not a browser tab pointed at a remote VM. It reads and writes files on your disk, drives your installed applications, and operates inside your environment. There is no Lapu cloud storage of your files or app data — the work happens on the machine you already trust.

For teams that cannot send reasoning context to a shared provider at all, custom and on-prem deployment options are available on the Enterprise plan, where the deployment topology and the model routing can be scoped to your requirements. That is an Enterprise arrangement, not the default on Free or individual paid tiers.

Permission model: per-action approval

Lapu AI does not run with a blanket grant. It approves low-risk work inside your chosen workspace and stops for an explicit human confirmation on anything consequential. High-risk actions always require confirmation — there is no setting that silences them.

How Lapu AI treats each action type and whether it requires explicit approval

| Action | Examples | Approval |
| --- | --- | --- |
| Read inside workspace | List files, read a document, take a screenshot | Auto-approved; logged |
| Write inside workspace | Create, rename, or edit a file in the workspace | Auto-approved; logged |
| Delete / write outside workspace | Delete files, write to system folders or the registry | Explicit human confirmation |
| Run a shell command | Execute a command; pipes, redirects, and sudo flagged | Explicit human confirmation |
| Drive another app or browser | Fill forms, submit pages, control desktop apps | Confirmation with preview |

Approvals are scoped to the action in front of you. Approving one deletion is not a license to delete a different file later. For the full reasoning behind this design, see our deep dive on desktop AI permission models, and the deeper treatment of scoping tools narrowly in AI agent security.

Audit trail: what, when, and why — for up to 90 days

Every action the agent takes is written to a local audit log. Each entry records what happened (the action and its exact arguments), when it happened (timestamp), and why (the instruction that triggered it), plus the outcome — succeeded, rejected, or errored. You can replay a session and reconstruct exactly what the agent did.

Logs are stored on your machine and retained by default for up to 90 days. On individual plans they are not uploaded to Lapu servers. Configurable and longer retention, including export to a customer-managed sink for compliance, is available on the Enterprise plan. For the anatomy of an agent audit log, see the AI agent audit trail explained.
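The entry anatomy (what, when, why, outcome) and the 90-day default retention described above, as an added Python example that is not Lapu's code; the JSON-lines file layout, the field names and the record/replay/prune functions are this example's own assumptions:

```python
import json
import os
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

RETENTION_DAYS = 90  # default retention stated on the page
OUTCOMES = ("succeeded", "rejected", "errored")

def record(log_path: str, action: str, args: Dict, instruction: str,
           outcome: str, now: Optional[datetime] = None) -> Dict:
    """Append one entry: what (action + exact args), when, why, and outcome."""
    if outcome not in OUTCOMES:
        raise ValueError(f"outcome must be one of {OUTCOMES}")
    when = (now or datetime.now(timezone.utc)).isoformat()
    entry = {"what": {"action": action, "args": args}, "when": when,
             "why": instruction, "outcome": outcome}
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")  # one object per line
    return entry

def replay(log_path: str) -> List[Dict]:
    """Return entries in write order so a session can be reconstructed."""
    if not os.path.exists(log_path):
        return []
    with open(log_path, encoding="utf-8") as f:
        return [json.loads(line) for line in f if line.strip()]

def prune(log_path: str, now: Optional[datetime] = None) -> int:
    """Drop entries older than the retention window; return how many were removed."""
    cutoff = (now or datetime.now(timezone.utc)) - timedelta(days=RETENTION_DAYS)
    entries = replay(log_path)
    kept = [e for e in entries if datetime.fromisoformat(e["when"]) >= cutoff]
    with open(log_path, "w", encoding="utf-8") as f:
        for e in kept:
            f.write(json.dumps(e, sort_keys=True) + "\n")
    return len(entries) - len(kept)
```

The `now` parameter exists so retention can be checked deterministically; in use it is simply left unset.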

Process isolation

Lapu AI separates the user-interface layer, the agent reasoning loop, and the tool executors into isolated processes. The agent cannot bypass its own permission checks to call a tool you have not approved. Shell commands run in a subprocess the agent cannot replace at runtime, and file operations resolve symlinks before checking workspace boundaries so a symlink cannot be used to escape the workspace.

To be precise about the limit: this is application-layer isolation, not a kernel-level sandbox. The operating system provides the backstop beneath it — macOS System Integrity Protection blocks writes to protected system locations, and Windows User Account Control blocks privilege elevation. Those OS controls are what contain damage if the application layer is ever bypassed.
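The approval tiers from the permission table above together with the symlink-resolution rule in this section, as an added Python example that is not Lapu's code; the action names, the `Verdict` type, the exact shell flagging, and the fail-closed handling of reads outside the workspace (which the table does not list) are this example's own assumptions:

```python
import os
import re
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple
class Decision(Enum):
    AUTO = "auto-approved; logged"
    CONFIRM = "explicit human confirmation"
    PREVIEW = "confirmation with preview"
@dataclass(frozen=True)
class Verdict:
    decision: Decision
    reason: str
    flags: Tuple[str, ...] = ()  # e.g. pipes/redirects/sudo found in a shell command
def in_workspace(path: str, workspace: str) -> bool:
    # Resolve symlinks on both sides before comparing, so a link placed inside
    # the workspace that points elsewhere is judged by where it really lands.
    real_ws = os.path.realpath(workspace)
    real_path = os.path.realpath(path)
    try:
        return os.path.commonpath([real_ws, real_path]) == real_ws
    except ValueError:  # different drives on Windows: cannot be inside
        return False

def shell_flags(command: str) -> Tuple[str, ...]:
    # Pipes, redirects and sudo are surfaced in the confirmation prompt.
    found = [name for ch, name in (("|", "pipe"), (">", "redirect"), ("<", "redirect"))
             if ch in command]
    if re.search(r"\bsudo\b", command):
        found.append("sudo")
    return tuple(dict.fromkeys(found))  # de-duplicate, preserve order

def decide(action: str, workspace: str, path: Optional[str] = None,
           command: Optional[str] = None) -> Verdict:
    """Classify one proposed action into the approval tier the table describes."""
    if action in ("read", "write"):
        if path is not None and in_workspace(path, workspace):
            return Verdict(Decision.AUTO, f"{action} inside workspace")
        # Writes outside the workspace need confirmation per the table; reads
        # outside it are not listed there, so this example fails closed.
        return Verdict(Decision.CONFIRM, f"{action} outside workspace")
    if action == "delete":
        return Verdict(Decision.CONFIRM, "delete")
    if action == "shell":
        return Verdict(Decision.CONFIRM, "shell command", shell_flags(command or ""))
    if action == "drive_app":
        return Verdict(Decision.PREVIEW, "drive another app or browser")
    return Verdict(Decision.CONFIRM, f"unknown action {action!r}")  # fail closed
```

Note that `in_workspace` also rejects the sibling-prefix case (`/ws2/...` against a workspace of `/ws`), which a plain string-prefix check would accept.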

Enterprise options

Some controls a security review asks for are scoped to the Enterprise plan, not shipped on every tier. Being clear about that line matters more than a longer feature list. Available on the Enterprise plan:

  • SSO / SAML. The agent inherits the identity boundary the rest of the workstation already enforces.
  • Dedicated SLA. Support and response commitments suited to a production deployment.
  • Custom / on-prem deployment. Deployment topology and model routing scoped to your environment.
  • Configurable audit retention. Retention beyond 90 days and export to a customer-managed sink for compliance evidence.

See pricing for the full plan breakdown, or write to security@lapu.ai to start a security review.

Compliance posture — stated honestly

We do not publish trust badges we have not earned. Lapu AI does not currently hold a SOC 2 certification, and nothing on this page should be read as claiming one. What Lapu AI offers today is the concrete, verifiable machinery a reviewer can inspect: local-first execution, per-action approvals, a replayable audit trail, and process isolation.

If your organisation has a specific compliance requirement, the right next step is a direct conversation about current status and Enterprise options rather than a checkbox on a marketing page. Contact security@lapu.ai.

Frequently asked questions

Does Lapu AI upload my files to the cloud?
No. Lapu AI runs on your macOS or Windows machine and reads and writes files locally. There is no Lapu cloud storage of your files or app data. The only data that leaves your machine is the minimal reasoning context a given step needs, which is sent to the model provider so the agent can decide what to do next. Model requests route through Lapu infrastructure to reach the provider.

What data actually leaves my machine?
Only the context a step requires — the relevant slice of a file, a snippet of on-screen text, the current instruction, and recent conversation — is sent to the model to plan the next action. Whole folders, entire files you did not reference, and your broader filesystem are not uploaded. This is not an air-gapped system: reasoning requires a round-trip to the model provider, and those requests route through Lapu infrastructure. We are precise about this rather than claiming the agent runs with no network at all.

How does the permission model work?
Lapu AI uses per-action approval. Reads inside your chosen workspace are auto-approved and logged. High-risk actions — deleting files, writing outside the workspace, running shell commands, driving other apps — always require an explicit human confirmation that shows the exact action before it runs. Approvals are not cached across different actions.

How long are audit logs kept, and where?
Every action is written to an audit log stored locally on your machine, retained by default for up to 90 days. Longer or configurable retention, including export to a customer-managed sink, is available on the Enterprise plan. Audit logs are not uploaded to Lapu servers on individual plans.

Is Lapu AI SOC 2 certified?
Lapu AI does not currently hold a SOC 2 certification, and this page does not claim one. If you have a compliance requirement, contact security@lapu.ai to discuss current status and Enterprise options rather than relying on a marketing claim.

Does Lapu AI support SSO and custom deployment?
SSO/SAML, a dedicated SLA, and custom or on-prem deployment are available on the Enterprise plan. They are not enabled on the Free or individual paid tiers. Reach out to discuss which options fit your environment.

Can Lapu AI take an action I did not approve?
High-risk actions are gated behind explicit confirmation, so the agent cannot delete files, run shell commands, or act outside the workspace without you approving that specific action. Lapu AI is a desktop application, not a kernel-level sandbox — the operating system's own protections (System Integrity Protection on macOS, User Account Control on Windows) are the backstop beneath the application-layer permission checks.

Evaluate the controls on your own machine

The fastest security review is a hands-on one. Install Lapu AI, point it at a throwaway folder, run a task that writes and deletes, and watch the approval prompts and the audit trail. Then decide whether the trade-offs fit your environment.
