Security
Last updated: 2026-07-15
Project content is processed locally and is not uploaded to an AnnotateIt backend.
Current Security Architecture
- The current product has no cloud account, project-sync or dataset-storage backend.
- Web projects are stored in browser-managed local storage; native projects are stored in the application sandbox.
- AI-assisted annotation runs locally. The web app downloads executable WASM and ONNX model files from the dedicated
models.annotateit.aidomain. - Production web responses use HTTPS and browser security headers. Static model files are versioned and served with long-lived cache controls.
- Telemetry is disabled in the current production configuration.
Your Responsibilities
Local-first storage reduces server-side exposure, but it does not encrypt an unlocked device by itself. Use operating-system disk encryption, device access controls, a supported browser, and appropriate backups. Clearing browser site data or uninstalling the app can remove locally stored projects.
Report a Vulnerability
Email [email protected]. Include the affected platform and version, impact, reproduction steps and a minimal proof of concept.
Do not attach private datasets, personal data or production secrets. Use synthetic sample files. If sensitive transfer becomes necessary, ask for an approved secure channel first.
We target acknowledgement within three business days. Please allow reasonable time to investigate and remediate before public disclosure.
Scope
www.annotateit.aiand the production web application.models.annotateit.ai.- Current AnnotateIt desktop and mobile builds.
Out of Scope
- Social engineering, denial-of-service testing and automated high-volume scanning.
- Issues in unsupported browsers or operating systems.
- Vulnerabilities in third-party services that do not affect AnnotateIt.