Security

Local first. Auditable always.

Construct runs on your machine. Models can run on your machine. Spaces declare what they need; the OS decides what they get. Data, audit, and policy live at the operating layer — not bolted onto a single feature.

Principles

Six things we hold to.

Local-first by default

The OS, the Spaces, and the data live on your machine. Cloud is a choice you make per Space, not a default the product makes for you.

Air-gappable

Run Operator on local models with the same tools and the same SDK. The Space does not know — and does not need to know — that the request never left the perimeter.

Capabilities, declared

A Space's manifest lists what it wants — files, network, tools, automation. Anything not declared, it doesn't get. No silent escalation by prompt.
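How a deny-by-default manifest check works in practice, as an added example that is not Construct's code or manifest format. The manifest keys ("files", "network", "tools", "automation"), the request shape, the "invoice-triage" Space and the model-emitted tool call are all constructed for illustration; only the rule itself (undeclared means denied, and a prompt cannot widen the grant) comes from the text above.

```python
"""Deny-by-default capability check against a Space manifest (added example)."""
from dataclasses import dataclass
from posixpath import normpath

# Constructed manifest for a hypothetical "invoice-triage" Space.
MANIFEST = {
    "name": "invoice-triage",
    "files": {"read": ["/data/invoices/"], "write": ["/data/invoices/out/"]},
    "network": ["api.example-erp.internal"],
    "tools": ["pdf_extract", "send_summary"],
    "automation": [],               # declared empty: no scheduled runs
}


@dataclass(frozen=True)
class Request:
    capability: str                 # "files", "network", "tools", "automation"
    action: str                     # e.g. "read", "write", "connect", "call", "schedule"
    target: str                     # path, host, tool name or schedule id


def _path_allowed(path: str, roots: list[str]) -> bool:
    # Normalise first so "/data/invoices/../secrets" cannot pass a prefix test;
    # the result must be a declared root or sit under one.
    clean = normpath(path)
    return any(clean == r.rstrip("/") or clean.startswith(r) for r in roots)


def authorize(manifest: dict, req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Anything the manifest does not declare is denied."""
    if req.capability == "files":
        roots = manifest.get("files", {}).get(req.action, [])
        ok = _path_allowed(req.target, roots)
        return ok, f"files:{req.action} {'within' if ok else 'outside'} declared roots"
    if req.capability == "network":
        ok = req.target in manifest.get("network", [])
        return ok, f"host {req.target} {'declared' if ok else 'not declared'}"
    if req.capability in ("tools", "automation"):
        ok = req.target in manifest.get(req.capability, [])
        return ok, f"{req.capability}:{req.target} {'declared' if ok else 'not declared'}"
    return False, f"unknown capability {req.capability!r}"


def handle_tool_call(manifest: dict, call: dict) -> tuple[bool, str]:
    """Gate a model-emitted tool call. The call may carry a 'grant' key asking
    for more capabilities; it is ignored, because the installed manifest is
    the only policy source. That is what 'no silent escalation by prompt' means."""
    return authorize(manifest, Request("tools", "call", call["tool"]))


if __name__ == "__main__":
    # A constructed model output that tries to talk its way into a shell.
    print(handle_tool_call(MANIFEST, {"tool": "shell", "grant": ["tools:shell"]}))
```

The enforcement point takes only the manifest and the request. Model output is just another input to it, never a source of policy, so a prompt that "asks" for a capability changes nothing.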

Per-action approvals

Risky actions can require a click, a typed confirmation, or a second signer. Configurable per Space, per role, per environment.

Routing rules

Pin a model per Space, per task type, or by data sensitivity. Protected data never touches a non-compliant model — the routing layer enforces it.

Audit trail

Every Operator action is logged with who ran it, what it did, where, and which model served it. Exportable, queryable, retained. SIEM-friendly format.

Data handling

Plain answers, no hand-waving.

Where does my data live?

On your machine, in the Construct profile directory. Nothing leaves the device unless you sync to your own cloud, install a Space whose manifest declares network access, or call a cloud model.

Does Construct send telemetry?

Not by default. The desktop app does not phone home. Optional anonymous telemetry can be enabled per device or per org for diagnostic purposes.

What about cloud models?

Cloud models are off-device by definition. Construct ships routing rules so you can pin which models a Space is allowed to call, and which models are allowed to see protected data.
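What the routing layer described here (and under "Routing rules" above) has to do, together with the audit record each decision leaves, as an added example that is not Construct's routing engine or log schema. The model names, the three sensitivity labels, the rule format and the audit fields are assumptions for illustration; the behaviour is the page's: pin a model per Space, per task type or by sensitivity, refuse protected data to a model not cleared for it even when a rule points there, and log who, what, where and which model as one line a SIEM can ingest.

```python
"""Routing rules with a sensitivity ceiling and a JSON-lines audit trail (added example)."""
import json
from datetime import datetime, timezone

SENSITIVITY_RANK = {"public": 0, "internal": 1, "protected": 2}

# Constructed model registry. "max_sensitivity" is the highest label a model
# is cleared to receive; "location" records where the call executes.
MODELS = {
    "local-llama":   {"location": "device",   "max_sensitivity": "protected"},
    "cloud-hipaa":   {"location": "cloud-eu", "max_sensitivity": "protected"},
    "cloud-general": {"location": "cloud-us", "max_sensitivity": "internal"},
}

# Constructed routing rules, most specific first. A rule matches when every
# key it names (other than "model") equals the request's value.
RULES = [
    {"space": "patient-records", "model": "local-llama"},
    {"task": "summarize", "sensitivity": "protected", "model": "cloud-hipaa"},
    {"task": "summarize", "model": "cloud-general"},
    {"space": "marketing", "model": "cloud-general"},   # deliberately unsafe for protected data
    {"model": "local-llama"},                           # catch-all
]

AUDIT_LOG: list[str] = []   # one JSON line per decision


def pick_model(space: str, task: str, sensitivity: str) -> str:
    ctx = {"space": space, "task": task, "sensitivity": sensitivity}
    for rule in RULES:
        if all(ctx.get(k) == v for k, v in rule.items() if k != "model"):
            return rule["model"]
    raise LookupError("no routing rule matched")


def route(user: str, space: str, task: str, sensitivity: str) -> dict:
    """Resolve the model for a call and enforce the sensitivity ceiling.
    The decision is returned and appended to AUDIT_LOG, including denials."""
    model = pick_model(space, task, sensitivity)
    ceiling = MODELS[model]["max_sensitivity"]
    allowed = SENSITIVITY_RANK[sensitivity] <= SENSITIVITY_RANK[ceiling]
    event = {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "who": user,
        "what": {"task": task, "sensitivity": sensitivity},
        "where": {"space": space, "location": MODELS[model]["location"]},
        "model": model,
        "decision": "allow" if allowed else "deny",
        "reason": None if allowed else f"{sensitivity} data exceeds {model} ceiling ({ceiling})",
    }
    AUDIT_LOG.append(json.dumps(event, separators=(",", ":")))
    return event


def audit_events(**match) -> list[dict]:
    """Query the log: events whose top-level fields equal the given values."""
    return [e for e in map(json.loads, AUDIT_LOG)
            if all(e.get(k) == v for k, v in match.items())]


if __name__ == "__main__":
    route("alice", "patient-records", "summarize", "protected")   # pinned local
    route("carol", "marketing", "draft", "protected")             # rule is unsafe: denied
    print("\n".join(AUDIT_LOG))
```

The ceiling check runs after rule matching, so a misconfigured rule cannot leak protected data: the call is refused and the refusal is itself an audit event, which is the record an incident responder will want.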

Can I run fully offline?

Yes. Local-only mode disables every cloud surface — model calls, marketplace, sync — and runs Operator on a local model server (Ollama, LM Studio, vLLM, etc.).

Compliance

Where we stand.

Local-first plus air-gap covers most regulated workloads. Cloud surfaces are auditable on their own track.

SOC 2

Type II audit in progress for the cloud surfaces (marketplace, identity). The desktop app is local-first: customer data stays in the profile directory on the device and is not stored by us.

GDPR

You control where data lives. The desktop is local. Cloud surfaces are EU-region capable on Enterprise plans.

HIPAA

Run a Patient Records Space in air-gap mode against a HIPAA-eligible local model. We sign BAAs for cloud surfaces on request.

Custom

Air-gap, on-prem, custom routing rules, and dedicated infrastructure are all available on Enterprise. Talk to us about your constraints.