🔒 Security & Trust Center

Enterprise-grade security built into every layer of UNITY™
ADA & WCAG 2.1 AA Compliant — accessible to users of all abilities

Zero-Knowledge Encryption

Your passphrase is the sole key — dexit.ai cannot access your data, ever.

  • AES-256-GCM encryption at rest for all sensitive data
  • Argon2id key derivation — memory-hard, resistant to GPU and ASIC attacks
  • bcrypt PIN hashing with adaptive work factor for Guardian controls
  • BIP-39 recovery phrases — 12-word mnemonic for account recovery
  • Windows Hello biometric integration for seamless authentication
  • All encryption and decryption happens client-side before any storage operation

Compliance & Certifications

Meeting the standards that matter most to your organization.

Standard | Status | Key Features
SOC 2 | Ready | Full audit trails, cryptographic self-tests, assembly integrity verification
HIPAA | Ready | PHI scrubbing, Healthcare Mode, BAA registry, encrypted exports
GDPR | Compliant | Consent tracking, retention policies, Right to Erasure, secure wipe
FedRAMP | Ready | Air-gap via USB Sovereign Mode, FIPS 140-2 encryption readiness
COPPA | Compliant | AI Guardian™ age tiers, parental controls, content filtering
CCPA | Compliant | Data sovereignty, local storage, no data selling
WCAG 2.1 AA | Compliant | 208+ screen reader labels, keyboard navigation, 4.5:1 contrast, live announcements, focus indicators, 35-language ARIA localization

Your Data, Your Control

Local-first architecture means your data never leaves your device.

  • Local-first architecture — all data stored on your device, never in the cloud
  • USB Sovereign Mode for fully air-gapped operation — no internet required
  • Zero telemetry — UNITY™ never phones home, never collects usage data
  • No data collection by dexit.ai — we cannot see your conversations or files
  • Direct API keys — you pay AI providers directly, dexit.ai is never a middleman
  • Device identity tracking is optional, transparent, and Guardian-controlled

AI Safety for Families

AI Guardian™ protects vulnerable users with enterprise-grade safety controls.

  • 4-tier age protection — Explorer (6-12), Teen (13-17), Adult (18+), Guardian
  • Content filtering with real-time jailbreak detection and prevention
  • Crisis detection — monitors for self-harm, abuse disclosure, and emergencies
  • PIN-protected parental controls with biometric authentication support
  • Profile lifecycle — suspend, archive, and audit with tamper-evident trail
  • Guest session tracking with device identification and optional display names

Complete Audit Trail

Every action is logged, timestamped, and cryptographically sealed.

  • Every action logged with timestamp, actor, device, and reason
  • Tamper-evident hash chain — individual records cannot be modified or deleted without detection
  • Security Audit Log viewer for Guardian administrators
  • Guest Session viewer — track temporary user activity
  • Known Devices viewer — manage and review authorized devices
  • Migration audit trail — complete records of database migrations
  • Export audit data to CSV for compliance reporting and external review

Secure Across 26 Database Providers

Zero-knowledge encryption preserved through every migration and transfer.

  • Zero-knowledge encryption preserved during database migration
  • Encrypted content never decrypted during transfer between providers
  • Automatic backup created before every migration operation
  • Zero-risk rollback — restore your previous database instantly
  • All 41 document connectors verified after every migration
  • Connector credentials encrypted in transit and at rest

Verified & Tamper-Proof

Every release is cryptographically signed and independently verifiable.

  • Sectigo EV Code Signing Certificate — extended validation, highest trust
  • Hardware Security Module (HSM) protected — signing key never exposed
  • Every build signed and verifiable — tamper detection built in
  • MSIX packaging for Windows Store and enterprise sideload deployment

🔒 Have security questions? Our security team is ready to help.
