Security
Last updated: 2026-05-07
Security is the reason we built Ano this way. Here are the principles, in plain language.
Your prompts don't touch our servers
Claude Code runs under your own Anthropic account. Prompts, tool calls, and responses travel directly between your device and Anthropic. We have no ability to read or log them.
Your messages sync through our infrastructure, encrypted
Ano is local-first in the sense that every message is on your disk when you open the app — the client keeps an encrypted SQLite cache so reads are instant and offline works. To deliver messages across devices and teammates we sync through a central Postgres via the Zero engine. Content is encrypted in transit and at rest. End-to-end encryption is on our roadmap but not shipped yet; during the beta we hold the keys so features like server-side search and new-device onboarding work.
Tool calls are permissioned and audited
Every CLI and MCP server that Claude Code can invoke is explicitly installed by you. Every call is logged to a local audit trail. You can revoke a tool at any time.
Install and skills provenance
User-visible onboarding and install prompts point to the official Ano GitHub organization. Public skills install from github.com/ano-chat/ano-skills, including first-run shell prompts, Codex missing-skills prompts, and shell library links.
Infrastructure
Ano is served over HTTPS (HSTS enforced) with a strict Content-Security-Policy, no third-party trackers, and no cross-origin state. Authentication is handled via WorkOS.
Reporting a vulnerability
Found something? Email . We respond to security reports within 24 hours.