Trust center

We're honest about what we see —
and what we don't.

A consumer security tool lives or dies on trust. This page documents the data flow, the threat model, and how to report a vulnerability. Updated as the products evolve.

01 / Telemetry

What leaves your device.

The Blue agent is local-first. Detection verdicts happen entirely on your hardware. The cloud is a management surface, not the protection itself.

  • Heartbeat (all tiers). Device id, account id, agent version, integrity-chain head hash, threat count deltas, OS version. No file paths, no command lines, no user identifiers.
  • Detection telemetry (Pro+, opt-in). Behavioral feature vectors of detected events — process hashes, parent-child lineage, MITRE tag. Toggleable.
  • Diagnostic bundles (on request). nemesisctl support-bundle generates a redacted .zip; user previews and approves before sending.
  • What we never collect. File contents. Full command lines. Browser history. Document contents. Keystrokes. Microphone. Camera. Screen.

02 / Residency

Where the data lives, how long it stays.

Primary infra in AWS us-east-2. EU residency available before EU GA.

  • Heartbeats — 7 days rolling.
  • Detection telemetry — 90 days (Pro / Family / Business), 1 year (MSSP).
  • Account & billing — lifetime of account, 30-day grace post-deletion.
  • Audit log — duration of account; required for SOC 2.

03 / Threat model

The honest version.

What we assume and what we don't.

  • The agent will be reverse-engineered. PT_DENY_ATTACH, hardened runtime, Team-ID-pinned self-check (JRMYSV7NC2). Raises the bar, not the wall.
  • A privileged kernel attacker can still blind a single host. That's why detection spans four vantage points and tampering itself is treated as the alarm.
  • The cloud can be hijacked. The agent verifies an offline signature on every command and update, so a sinkholed cloud cannot push rogue policy.
  • Device JWT is bound to a synthetic auth identity in the System Keychain. Signing out the user does not stop protection.

04 / Disclosure

Reporting a vulnerability.

We respond to security reports within 48 hours. Please report by email: do not post embargoed details on social media, and do not open public GitHub issues for findings.

  • Email: security@nemesislabs.xyz
  • Scope: agent, cloud console + APIs, all subdomains of nemesislabs.xyz.
  • Out of scope: third-party services (Supabase, Stripe, Vercel, Nym). Report to them directly.
  • No paid bug bounty yet. We'll credit responsible reporters in release notes (if they wish).

05 / Compliance

Roadmap.

  • SOC 2 Type II — observation window starts at GA.
  • GDPR — DPA available on request before EU launch.
  • FedRAMP Moderate — planned for the GovCloud-isolated build (separate from the commercial product).

Got a question this page doesn't answer? hello@nemesislabs.xyz · or join the waitlist.