SECURITY

Your data never leaves your machine.

Nexus Prime is local-first by architecture, not by policy. There is no server to breach, no cloud database to leak, and no API key to rotate. Your memory lives on your hardware.


Ed25519 license signing

Every license key is a signed Ed25519 JWT. Verification is fully offline — the CLI validates the signature against the embedded public key. No license server, no phone-home, no internet required at runtime.

✓ Offline-first key verification
✓ No license server dependency
✓ Tamper-evident signatures
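
Offline verification of an Ed25519-signed JWT as described above, shown as an added example that is not Nexus Prime's own code. The key pair is constructed in place of the embedded public key, and the helper names and the `plan` and `exp` claims are assumptions.

```javascript
const { generateKeyPairSync, sign, verify } = require('node:crypto');

// Constructed key pair. Assumption: a shipped CLI would embed only the public half.
const { publicKey, privateKey } = generateKeyPairSync('ed25519');

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));

// Hypothetical issuer-side helper, present only to build sample tokens.
function signLicense(claims, key = privateKey) {
  const signingInput = `${enc({ alg: 'EdDSA', typ: 'JWT' })}.${enc(claims)}`;
  const sig = sign(null, Buffer.from(signingInput), key);
  return `${signingInput}.${sig.toString('base64url')}`;
}

// Offline check: uses only the embedded public key and the local clock.
function verifyLicense(token, embeddedKey = publicKey, now = Date.now() / 1000) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [h, p, s] = parts;
  let header;
  let claims;
  try {
    header = dec(h);
    claims = dec(p);
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  // Pin the algorithm in the verifier instead of trusting the token header.
  if (!header || header.alg !== 'EdDSA') return { ok: false, reason: 'bad-alg' };
  const sig = Buffer.from(s, 'base64url');
  // Ed25519 signatures are always 64 bytes; the signed bytes are "header.payload".
  if (sig.length !== 64 || !verify(null, Buffer.from(`${h}.${p}`), embeddedKey, sig)) {
    return { ok: false, reason: 'bad-signature' };
  }
  // Claims are trusted only after the signature has checked out.
  if (!claims || typeof claims.exp !== 'number' || claims.exp <= now) {
    return { ok: false, reason: 'expired' };
  }
  return { ok: true, claims };
}
```

Because expiry is checked against the local clock, an offline verifier of this kind is only as trustworthy as the machine's time setting.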

Zero telemetry by default

Nexus Prime collects zero telemetry without explicit opt-in. No usage analytics, no error reporting, no session data leaves your machine unless you choose to enable it. Enterprise customers can fully disable all outbound network activity.

✓ Default: no telemetry
✓ Opt-in only for analytics
✓ Enterprise: full air-gap mode

No shared secrets

Nexus Prime never asks for your Claude API key, Cursor token, or any AI provider credentials. It sits between your editor and the agent process — no credentials pass through Nexus. Your keys stay in your environment.

✓ Zero credential intermediation
✓ MCP transport only — no key storage
✓ Agent credentials stay in your shell

Scoped file access

The Nexus MCP server only accesses files within your active project directory. It respects .gitignore, .nexusignore, and any path exclusions you configure. It never reads outside your project root.

✓ Project-scoped reads only
✓ .nexusignore support
✓ No home directory access

Full audit trail

Every Nexus action is written to a local audit log: memory reads, memory writes, worktree creates, session handoffs. The log is append-only, human-readable JSON, and never leaves your machine.

✓ Append-only local JSON log
✓ Timestamped + agent-attributed
✓ Export via nexus-prime audit export
COMPLIANCE ROADMAP

SOC 2 Type II in progress.

Nexus Prime's local-first architecture means most SOC 2 controls are already satisfied by design — there is no cloud infrastructure to audit. We are currently scoping a Type II report for enterprise customers who require formal certification.

Expected audit window: Q3 2026. If your procurement team needs a formal timeline or a security questionnaire, contact us and we'll provide documentation directly.

Current posture
✓ Data encryption at rest (AES-256 SQLite)
✓ No cloud data storage for core features
✓ Ed25519 license key signing
✓ Zero telemetry by default
✓ Local-only audit log
✓ Project-scoped file access
✓ Dependency vulnerability scanning (CI)
○ SOC 2 Type II report
○ Pen test (external, annual)
○ DAST in CI pipeline

Responsible disclosure

Found a security issue? Email security@nexus-prime.cfd with a detailed description. We respond within 48 hours, triage within 7 days, and credit researchers in release notes unless they prefer anonymity.

We do not pursue legal action against good-faith security researchers. We ask that you give us 90 days before public disclosure.

PGP key fingerprint: Coming soon — email us directly for now