Security by architecture, not policy.

Local execution. Isolated tool runtime. Zero server-side data storage. Here's how it works.

The trust boundary

Prosponsive is structured as a layered model using containers for runtime isolation and separate storage for access separation. Each tier communicates only with the tier directly adjacent to it. Credentials never cross a tier boundary.

The diagram below shows all components running on localhost only. The Electron app (UI and main process API) communicates with the n8n tool runtime and PostgreSQL over TLS. n8n and PostgreSQL run in an isolated private container network — not reachable from the host network or LAN. Each database is accessible only by its own dedicated user; no cross-database access is permitted.

graph LR subgraph machine["Localhost Only"] subgraph electron["Electron Application (host)"] api["Main Process
HTTPS API :3100"] renderer["Renderer (UI)"] api --- renderer end subgraph containerNet["Private Network"] n8n["n8n Container
:5678"] subgraph pgcontainer["PostgreSQL Container :5432"] n8ndb["n8n db
user: n8n
workflows, executions,
credentials"] prospdb["prosponsive db
user: prosponsive
conversations, messages,
tasks"] end end api -- "TLS / SCRAM-SHA-256
via mapped port" --> prospdb renderer -- "TLS" --> n8n n8n -. "SCRAM-SHA-256
container-internal" .-> n8ndb n8n -- "TLS webhooks
via host gateway" --> api end style machine fill:none,stroke:#666,stroke-width:2px style electron fill:none,stroke:#4a9eff,stroke-width:2px style containerNet fill:none,stroke:#f59e0b,stroke-width:2px,stroke-dasharray:8 style pgcontainer fill:none,stroke:#22c55e,stroke-width:2px style n8ndb fill:none,stroke:#22c55e,stroke-width:1px,stroke-dasharray:5 style prospdb fill:none,stroke:#22c55e,stroke-width:1px,stroke-dasharray:5

LLM inference (not shown): The main process makes outbound inference calls to either Ollama running locally on the machine, or to an external LLM provider (Anthropic, OpenAI, etc.) over HTTPS. Only the prompt and context are sent — credentials and data never leave the machine as part of inference calls.

n8n tool calls (not shown): Tools you build in n8n can make any outbound call their workflow is configured to make — reading from or writing to Salesforce, querying a database, calling a REST API, sending a webhook. You design the tool; you decide what it touches. Prosponsive does not restrict or inspect what your tools call, and never initiates any external call on its own.

Security principles

Properties enforced by the architecture, not by configuration or policy.

  • Local-first execution

    Agent runtime, tool execution, and storage all run on the user's machine. Nothing routes through Prosponsive servers. There is no cloud routing layer for your content.

  • Least-privilege access

    Every resource Prosponsive touches — credentials, database connections, files — is granted the minimum access required. Credentials are accessible only to the tool execution runtime. Database users can only access their own database. Files are created with 0600/0700 permissions. The agent runtime and LLM cannot access the credential store under any code path.

  • Tool runtime isolation

    Tools run in n8n as an isolated container with its own storage. The agent sends a request and receives only the result. Credentials and internal container state are never exposed to the agent runtime. Because tools execute inside a container, they have no access to the host OS filesystem or host processes — the container boundary prevents any tool from reading arbitrary files or interacting with the host system directly. Tools can make outbound network calls to external systems and communicate back to the Prosponsive API via defined channels, but nothing beyond those explicitly permitted paths.

  • No server-side data storage

    Conversation history, documents, and workflow state are never sent to or stored by Prosponsive. Your data exists only on your machine. This is enforced by the architecture, not a setting.

  • FIPS encryption in transit and at rest

    All local data is encrypted at rest using AES-256-GCM. All communication between components — including localhost-only traffic — is SSL-enforced. Even though all traffic stays on the machine, TLS is required on every connection: the renderer to n8n, the main process to PostgreSQL, and the n8n container back to the host API.

  • Data retention — built-in, not bolted on

    Prosponsive enforces data retention by design. Soft delete marks data as deleted and excludes it from all views immediately. Hard delete permanently and irreversibly purges your local data — there is no server-side copy to recover from, so a hard delete is truly final. Inactive conversations are automatically archived after a configurable period (default: 60 days) and enter the same hard-delete lifecycle.

  • Provider-agnostic design

    No vendor lock-in on the security model. Swap AI providers without re-architecting. Automatic failover between providers does not change the isolation model or credential boundaries.

  • Supply chain security

    Security is enforced at two layers. Every pull request runs dependency vulnerability scanning, static analysis (SAST), and secret scanning before code can merge. In parallel, the repository is continuously and proactively scanned — newly disclosed vulnerabilities in dependencies, container images, and the runtime stack trigger P1 priorities and often automated remediation processes that close them within the same release cycle, independent of any scheduled update window. Dependencies are locked with cryptographic integrity hashes. Container images are pinned by SHA-256 manifest digest.

What leaves your machine

The short answer: very little, and never anything sensitive.

Data Destination Notes
LLM inference calls Configured AI provider Prompt + context only. Credentials are never included in inference calls.
Version checks Prosponsive update server Current version string only. No usage data, user identifiers, or content of any kind.
Subscription validation & usage volume Prosponsive billing server An anonymous subscriber identifier and usage volume (e.g. number of agent runs). No tool names, prompt content, conversation data, or any user-generated content is included.
Instrumentation & observability data (optional) Prosponsive diagnostics server Opt-in only. If enabled, sends anonymized crash reports and performance diagnostics to help improve the product. Never includes conversation content, tool names, credentials, or any user-generated data. Disabled by default.
Tool calls to external systems Your discretion — whatever your tools are configured to call Prosponsive never initiates external calls on its own. Every outbound call is the result of a tool you configured. You own the tool design; you decide what gets called.

The tool runtime is a black box to the agent runtime — it receives requests and returns results. Credentials never leave the container.

Implementation details

For security engineers doing technical due diligence.

Credential injection model. Credentials are stored inside the n8n container and are never passed to or visible by the agent runtime or the LLM. When the agent calls a tool by name, the request travels to the tool runtime. The container resolves which credential that tool requires and injects it internally. The credential does not appear in the request from the agent, and does not appear in the result returned to the agent. There is no code path where the agent runtime handles a plaintext credential.

Blast radius control. Auto-approval rules define exactly what agents can do without human confirmation — scoped by tool set, action type, or channel. Rules can also incorporate LLM confidence thresholds: a high-confidence threshold auto-approves only when the model's confidence in the tool call exceeds it; a low-confidence threshold auto-denies below a floor and stops the action before it's even proposed; everything in between is surfaced for manual review. Actions outside the approved rules require explicit human confirmation before execution. This limits the blast radius of a misconfigured or misbehaving agent to the scope the operator has explicitly permitted.

Full tool execution audit trail. Every tool use is logged by n8n with full inputs and outputs. Every workflow execution step is captured and traceable for review at any time — what ran, when, what data went in, and what came back. All of this stays local on your machine. This is a native property of n8n, not something Prosponsive adds on top.

No Prosponsive account required. Prosponsive does not require account creation to use the product. No user identity data is sent to Prosponsive servers. Version check requests transmit a version string with no user-identifying information attached.

Built for sensitive work.

Download Prosponsive and see the security model in action. Local execution. Free.

Download free