Your procurement team sent a security questionnaire. We filled it out. You'll notice a pattern: when you don't touch anyone's data, most questions about data handling get the same answer.
Spoiler: the answer is usually “N/A — we don't touch your data.”
Data transmitted externally
Sub-processors
Cloud dependencies
Local encryption standard
Standard security questionnaires are designed for cloud SaaS tools. They ask things like: “Where is customer data stored?” “Who has access to customer data?” “How is data encrypted in transit?” “What sub-processors handle customer data?”
For FrameCounsel, the answers are almost comically simple: your machine, nobody, it isn't transmitted, and none. When you don't touch anyone's data, the entire security questionnaire becomes a formality.
We filled it out anyway. Your procurement team will appreciate how short the meeting is.
Yes. FrameCounsel supports four configurable roles: Admin, Analyst, Reviewer, and Read-Only. Each role has granular permissions for project creation, analysis execution, report generation, and data export. Roles are managed locally by your administrator.
FrameCounsel integrates with macOS system authentication, including Touch ID and Apple Watch authentication. Organizations can enforce MFA at the device level through MDM policies. The application supports biometric unlock for project access.
Sessions are managed locally on-device. Configurable session timeouts (default: 15 minutes of inactivity). Auto-lock requires re-authentication to resume. Session tokens are stored in the macOS Keychain and never transmitted externally.
FrameCounsel supports enterprise SSO through SAML 2.0 integration for license validation. Day-to-day authentication is handled locally via macOS system credentials. No cloud authentication server is contacted during normal operation.
On your machine. That's it. Exclusively on the customer's local device or designated external storage. FrameCounsel stores ZERO customer data on any server, cloud infrastructure, or system outside the customer's physical control.
No. This is architecturally impossible, not just a policy. There is no backdoor, no remote access capability, no telemetry channel, and no mechanism of any kind for FrameCounsel to access your data. We couldn't see your data even if we wanted to.
No. Zero third parties. Zero sub-processors. Zero analytics providers. Zero cloud AI APIs. Zero advertising networks. Zero telemetry services. The application makes zero network requests during normal operation.
All data processed by FrameCounsel is treated as attorney-client privileged by default. The application encrypts all project files with AES-256. Chain of custody tracking with SHA-256 hashing is applied to all evidence files automatically.
Data deletion is performed locally by the customer. The Software provides secure deletion capabilities for project files. FrameCounsel has no data to dispose of, as it never possesses customer data.
AES-256 encryption for all FrameCounsel project files. In addition, customers can leverage macOS FileVault full-disk encryption and the hardware encryption capabilities of recommended external drives.
N/A. FrameCounsel transmits zero customer data. There is no data in transit to encrypt. The only network communication is optional update checks and initial license activation, both of which use TLS 1.3 and contain zero customer data.
Encryption keys are derived from user credentials and stored in the macOS Keychain, protected by the Secure Enclave on Apple Silicon devices. Keys never leave the local device. There is no key escrow or cloud key management.
During normal operation: ZERO. FrameCounsel makes no network connections during video analysis, transcription, face recognition, or any other processing task. The only optional network activity is manual update checks (version number only) and one-time license activation.
Yes. This is what it was designed for. FrameCounsel operates fully air-gapped with zero degradation in functionality. All AI models are bundled locally. The application includes a built-in network activity monitor so you can verify zero network activity yourself.
No. Zero telemetry. Zero analytics. Zero tracking pixels. Zero phone-home mechanisms. Zero crash reporting (unless explicitly opt-in). Verify it yourself with any network monitoring tool.
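One way to run that check, as an added example rather than FrameCounsel's own tooling: capture `lsof -i -n -P +c 0` while an analysis is running and list every socket the application holds that is not loopback-only. The process name `FrameCounsel` and the sample capture below are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample of `lsof -i -n -P +c 0` output (not captured from a real host).
SAMPLE = """\
COMMAND       PID  USER   FD  TYPE DEVICE SIZE/OFF NODE NAME
FrameCounsel  812  alice  21u IPv4 0xa1   0t0      TCP  127.0.0.1:49210->127.0.0.1:49211 (ESTABLISHED)
FrameCounsel  812  alice  24u IPv6 0xa2   0t0      TCP  [::1]:49300 (LISTEN)
FrameCounsel  812  alice  30u IPv4 0xa3   0t0      TCP  192.168.1.20:52344->203.0.113.7:443 (ESTABLISHED)
FrameCounsel  812  alice  31u IPv4 0xa4   0t0      UDP  *:5353
Safari        640  alice  12u IPv4 0xb1   0t0      TCP  192.168.1.20:52001->198.51.100.9:443 (ESTABLISHED)
"""


def _is_loopback(endpoint):
    """True if the host part of 'host:port' is a loopback address."""
    host = endpoint.rsplit(":", 1)[0].strip("[]")
    if host == "*":
        return False  # wildcard bind is reachable from the network
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unparsable host: report it rather than ignore it


def non_local_sockets(lsof_text, command):
    """Return (pid, proto, local, remote, state) for each socket owned by
    `command` that talks to, or listens on, a non-loopback address."""
    findings = []
    for line in lsof_text.splitlines():
        cols = line.split()
        if len(cols) < 9 or cols[0] != command:
            continue  # header row, other processes, malformed lines
        proto, name = cols[7], cols[8]
        state = cols[9].strip("()") if len(cols) > 9 else ""
        local, _, remote = name.partition("->")
        # Connected socket: judge by the peer. Unconnected: judge by the bind address.
        if _is_loopback(remote if remote else local):
            continue
        findings.append((int(cols[1]), proto, local, remote or None, state))
    return findings


if __name__ == "__main__":
    for finding in non_local_sockets(SAMPLE, "FrameCounsel"):
        print(finding)
```

An empty result during analysis is consistent with the zero-network claim; anything listed should be explainable as the update check or license activation described above.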
No. FrameCounsel operates with zero cloud dependencies. There is no server-side component that can experience downtime. All AI models, processing engines, and functionality are bundled locally.
Because FrameCounsel runs entirely on local hardware, availability is determined by the customer's own device uptime. There is no server to go down. If your Mac is powered on, FrameCounsel works.
Data backup is managed by the customer using their existing backup infrastructure (Time Machine, enterprise backup solutions, etc.). FrameCounsel project files are standard encrypted containers compatible with any file-level backup system.
FrameCounsel is distributed as a code-signed, Apple-notarized macOS application. Updates are distributed through secure channels with cryptographic signature verification. Enterprise customers can manage distribution through MDM/JAMF.
License validation occurs once during initial activation via encrypted communication containing only the license key and machine identifier. After activation, the application operates fully offline. Zero customer data is involved.
macOS 14 (Sonoma) or later. Apple Silicon Mac (M1 or later) required for on-device AI processing. Minimum 16GB RAM recommended. No internet connection required for operation after initial activation.
No. Furthermore, a traditional data breach — unauthorized access to customer data — is architecturally impossible from FrameCounsel's side. We don't store, process, or have access to any customer data on our infrastructure. There is nothing to breach.
FrameCounsel maintains a documented incident response plan. Security incidents affecting the application code are triaged within 4 hours, with customer notification within 72 hours. Critical vulnerabilities receive emergency patches within 24 hours.
Customers are notified via email to their registered security contact within 72 hours. Notifications include the nature of the incident, affected versions, potential impact, and remediation steps.
Yes. FrameCounsel maintains a formal risk management program including regular threat modeling, security architecture review, and risk assessments. The on-device architecture eliminates the majority of cloud-related risks by design.
Yes. FrameCounsel maintains cyber liability insurance with coverage appropriate for an enterprise software vendor. Details are available upon request under NDA.
FrameCounsel undergoes annual third-party security assessments and penetration testing. The application is Apple-notarized (scanned for malware by Apple). Full audit reports are available to enterprise customers under NDA. We do not pursue SOC 2 or similar cloud-focused certifications because there is no cloud component to certify.
FrameCounsel employs automated static analysis, dependency scanning, and regular third-party penetration testing. A responsible disclosure program is in place at security@framecounsel.com.
Critical (CVSS 9.0+): Emergency patch within 24 hours. High (CVSS 7.0-8.9): Patch within 7 days. Medium (CVSS 4.0-6.9): Patch within 30 days. Low (CVSS < 4.0): Patch in next scheduled release.
Yes. FrameCounsel uses vetted open-source AI models (MLX, Whisper) and libraries. All dependencies are scanned for known vulnerabilities. A software bill of materials (SBOM) is available for enterprise customers upon request.
We can provide the complete security assessment as a downloadable PDF, schedule a live security review call with our engineering team, or walk your procurement team through why most of the questionnaire answers are “N/A.”