Legal · Last updated July 3, 2026

Security

The strongest security posture is not holding your data in the first place. JustBridge is local-first by design. Here's what that means in practice.

Local-first architecture

Your projects, files, and terminal sessions live on your Mac and never pass through JustBridge servers. The app orchestrates AI agents locally; when an agent needs a model, your machine talks directly to the provider you configured over TLS.

Your API keys

Provider credentials are stored in the macOS Keychain on your device, protected by the operating system. They are never transmitted to us. Removing a provider removes its credential.

Sign-in

Authentication uses OAuth through our sign-in service (Supabase) with providers like Google and GitHub. We never see or store your passwords, and sessions use short-lived tokens.

What our servers do hold

The minimum for the service to work: your account identity (name, email, account ID) and subscription status, plus any feedback you explicitly send. That’s the entire attack surface we ask you to trust us with, and we keep it small on purpose.

Agents and permissions

Agents run with the permissions of your local user account. Powerful actions, like opening pull requests on GitHub, are opt-in and ask before acting. You can see everything an agent does on the canvas as it happens.

Reporting a vulnerability

If you believe you’ve found a security issue in JustBridge, please email info@justbridge.ai with details and steps to reproduce. We commit to acknowledging reports quickly, keeping you informed as we investigate, and crediting researchers who disclose responsibly (if you’d like). Please don’t access data that isn’t yours or degrade the service while researching.