Security
Last Updated: 16/07/2025
Our Security Commitment
At Libril, security isn’t an afterthought—it’s fundamental to our design philosophy. We’ve built Libril as a local-first desktop application specifically because we believe your creative work should remain under your complete control. This page outlines our security practices and how we protect both your data and our software.
Security by Design
Local-First Architecture
Libril’s most important security feature is what it doesn’t do:
- Your Content Stays Local: All your articles, projects, and creative work are stored exclusively on your computer. We have no access to your content because it never leaves your device.
- No Cloud Storage: Unlike SaaS platforms, we don’t store your work on our servers, eliminating an entire category of security risks.
- You Control Your Data: Full ownership means you decide where your files are stored, how they’re backed up, and who has access to them.
API Key Security
Libril uses your own API keys for AI services (like Anthropic’s Claude), which provides superior security:
- Direct Relationships: You maintain direct relationships with AI providers, eliminating us as a potential point of compromise.
- Encrypted Storage: API keys are encrypted on your local machine using industry-standard encryption.
- No Transmission: Your API keys are never sent to our servers or any third party.
- Immediate Revocation: You can revoke or rotate your API keys directly with providers at any time.
Software Security Measures
Code Protection
- Signed Releases: All Libril releases are digitally signed to ensure authenticity and prevent tampering.
- Checksum Verification: We provide checksums for all downloads so you can verify file integrity.
- Secure Distribution: Downloads are served exclusively through HTTPS from our verified domains.
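The checksum step above is only useful if you actually compare the hash of the file you downloaded against the published value, and refuse to install on a mismatch. The script below is an added example of that check, not Libril's own tooling, and it makes two assumptions: the published list uses the common "hex  filename" layout that `sha256sum` produces, and SHA-256 is the algorithm (the page does not say which). File names and hashes in it are constructed placeholders so it runs offline.

```shell
#!/bin/sh
# Added example (not Libril's own tooling): verify a downloaded release against a
# published SHA-256 checksum list. Assumptions: the list is in "<hex>  <filename>"
# format (as produced by sha256sum), and file names below are placeholders.

# Print the SHA-256 of a file as bare hex, using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_download <downloaded file> <checksums file>
# Returns 0 on a match, 1 on a mismatch, 2 if the list has no entry for the file.
verify_download() {
    file=$1
    checksums=$2
    name=$(basename "$file")
    # Accept both "hex  name" and the binary-mode "hex *name" spelling.
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) {print $1; exit}' "$checksums")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name" >&2
        return 2
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Constructed sample data: a fake "installer", a copy whose listed hash is wrong,
# and a checksum list covering both. None of this is a real Libril release.
workdir=$(mktemp -d)
printf 'not a real installer\n' > "$workdir/libril-placeholder.dmg"
printf 'not a real installer\n' > "$workdir/tampered-placeholder.dmg"
{
    printf '%s  libril-placeholder.dmg\n' "$(sha256_of "$workdir/libril-placeholder.dmg")"
    printf '%s  tampered-placeholder.dmg\n' \
        "0000000000000000000000000000000000000000000000000000000000000000"
} > "$workdir/SHA256SUMS"

# Stand-alone demonstration: the good file passes, the bad one is refused.
verify_download "$workdir/libril-placeholder.dmg" "$workdir/SHA256SUMS"
verify_download "$workdir/tampered-placeholder.dmg" "$workdir/SHA256SUMS" \
    || echo "refusing to install tampered-placeholder.dmg"
```

In real use the checksum list must come from the vendor over HTTPS (or, better, be signature-verified along with the release); a hash fetched from the same untrusted location as the download proves nothing.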
Update Security
- Secure Update Channel: Software updates are delivered through encrypted channels with signature verification.
- Version Integrity: Each update is cryptographically signed, so an update altered in transit (for example by a man-in-the-middle) fails verification and is rejected.
- User Control: Updates are never forced—you decide when and if to update.
Application Security
- Input Validation: Rigorous validation of all user inputs to prevent injection attacks.
- Memory Safety: Built with modern development practices to prevent buffer overflows and memory corruption.
- Dependency Management: Regular audits and updates of third-party libraries to patch known vulnerabilities.
Infrastructure Security
Website Security
- HTTPS Everywhere: All web traffic is encrypted using TLS 1.3.
- DDoS Protection: Enterprise-grade protection against distributed denial of service attacks.
- Regular Security Audits: Periodic third-party security assessments of our web infrastructure.
- Secure Hosting: Hosted on infrastructure that meets industry security standards.
License Validation
- Minimal Data Exchange: License validation requires only your license key—no personal data.
- Encrypted Communications: All license checks use encrypted connections.
- Privacy-Preserving: Validation doesn’t reveal what you’re working on or how you use Libril.
Data Protection Practices
What We Don’t Collect
This is critical to understand:
- No Content Access: We cannot see, access, or retrieve your articles, projects, or any creative work.
- No Usage Tracking: We don’t monitor how you use the software or what you create.
- No Behavioral Analytics: No tracking of your writing patterns, topics, or productivity.
What We Do Protect
The limited data we handle is protected through:
- Encryption at Rest: Any data we store (like support tickets) is encrypted.
- Encryption in Transit: All data transmission uses modern encryption protocols.
- Access Controls: Strict role-based access controls for our team.
- Regular Backups: Secure, encrypted backups of our operational data.
Security Incident Response
Our Response Plan
In the unlikely event of a security incident:
- Immediate Investigation: Our security team investigates any reported issues within 24 hours.
- Containment: Swift action to contain and mitigate any confirmed vulnerabilities.
- User Notification: Transparent communication with affected users within 72 hours.
- Remediation: Patches and updates released as quickly as possible.
- Post-Incident Review: Thorough analysis to prevent similar issues.
Responsible Disclosure
We appreciate the security research community’s efforts. If you discover a vulnerability:
- Email: support@libril.com
- PGP Key: [Public key available on request]
- Response Time: Acknowledgment within 48 hours
- Recognition: Credit given to researchers (with permission)
Please provide:
- Detailed description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Any proof-of-concept code
Your Security Responsibilities
Security is a partnership. To maximize your protection:
Best Practices
- Keep Libril Updated: Install security updates when available
- Secure Your Device: Use device encryption and strong passwords
- Backup Regularly: Maintain secure backups of your Libril projects
- Protect API Keys: Never share your API keys or commit them to version control
- Verify Downloads: Always download Libril from our official website
Physical Security
Since your data is stored locally:
- Device Security: Ensure physical access to your computer is restricted
- Disk Encryption: Use full-disk encryption (BitLocker, FileVault, LUKS)
- Screen Locks: Set automatic screen locks when away from your device
Compliance and Standards
Privacy Regulations
Our security practices align with:
- GDPR: General Data Protection Regulation (EU)
- UK Data Protection Act 2018
- Privacy by Design: Incorporated from the ground up
Industry Standards
We follow recognized security frameworks:
- OWASP: Application security best practices
- NIST: Cybersecurity framework guidelines
- ISO 27001: Information security management principles
Third-Party Security
Payment Processing
- PCI Compliance: Our payment processor (Lemon Squeezy) is PCI-DSS compliant
- No Payment Data: We never see or store your payment information
- Secure Checkout: All transactions use bank-grade encryption
AI Service Providers
When you use your own API keys:
- Direct Security: You benefit from the AI provider’s enterprise security
- Isolated Risk: Any API security issues don’t affect other Libril users
- Your Control: You can audit and manage API access directly
Transparency Reports
We believe in transparency about security:
- Annual Security Review: Published yearly summary of security improvements
- Incident Disclosure: Any significant incidents disclosed on this page
- Version History: Security fixes clearly noted in release notes
Security Track Record
- Incidents to Date: 0 major security incidents
- Last Security Audit: [Date]
- Current Security Version: [Version]
Contact Us
Security Inquiries
For security-related questions or concerns:
Email: support@libril.com
PGP Key: Available upon request
Response Time: Within 48 hours for security matters
Report a Vulnerability
Dedicated Email: support@libril.com
Encrypted Communication: PGP encouraged for sensitive reports
General Security Feedback
We welcome suggestions for improving our security:
Email: support@libril.com
Subject: Security Suggestion
Our Security Promise
We promise to:
- Maintain industry-standard security practices
- Respond quickly to security concerns
- Communicate transparently about security matters
- Respect your data sovereignty
- Improve our security continuously
Your security is our priority. By choosing Libril’s local-first approach, you’re choosing a fundamentally more secure way to create content—one where you maintain complete control over your creative work.