What is BeProof?
A local-first AI agent evidence plane for macOS. It evaluates Policy Pack rules on the endpoint and produces signed audit artifacts. It is not MDM, EDR, DLP, or SIEM.
Answers on retention, tenant isolation, encryption, support lifecycle, and pilot commercial boundaries. BeProof is pilot-ready — not Enterprise GA.
| Topic | Pilot-ready | Post-GA / on request |
|---|---|---|
| Data upstream | Signed metadata-only summaries | SIEM streaming (M4) |
| Raw endpoint DB upload | Never | Never (architectural) |
| Tenant isolation | Per-tenant scope + API RBAC | Dedicated DB / region TBD |
| Upstream retention | 90 days default | Contract-custom |
| Admin auth | Firebase email/password | SAML/OIDC enterprise IdP |
| Data residency | us-central1 | EU on requirement |
A local-first AI agent evidence plane for macOS. It evaluates Policy Pack rules on the endpoint and produces signed audit artifacts. It is not MDM, EDR, DLP, or SIEM.
No. MDM delivers install and org-policy overlay. EDR provides runtime protection. BeProof closes the AI-agent configuration, access, and evidence gap between them.
Yes — personal mode and managed local mode (MDM overlay without fleet enroll) stay on the endpoint. Managed fleet mode uploads signed, metadata-only summaries for org dashboard and review workflow.
Local SQLite evidence, consent ledger, and signed exports remain on the endpoint until the user or IT removes them. Journal payloads are encrypted at rest (AES-256-GCM, Keychain-bound key); inventory tables are metadata-only but not encrypted in the current release.
Tenant-scoped fleet summaries, device inventory, sanitized review queue items, and policy bundle metadata. Pilot default retention: 90 days, aligned with org-policy overlay retentionDays.
Raw SQLite databases, full audit reports (unless separately exported by user), raw credential locators, secret values, or verbatim home-directory paths.
Every record is scoped by tenantId. API requests require Firebase auth with org membership; cross-tenant access is denied. Device credentials bind to a single tenant at enrollment.
No. End users on Mac endpoints do not receive control plane accounts. Only fleet admins and security analysts use the admin console.
Yes — Acme Corp showcase data for product walkthroughs. Design partners receive a dedicated tenant; demo data must not be used for compliance sign-off.
TLS 1.2+ for all API and admin UI traffic. Optional cloud connector calls use vendor HTTPS APIs.
Journal payloads: AES-256-GCM with Keychain-bound keys. Export signing: Ed25519. Inventory tables are metadata-only but not encrypted in the current release; tamper visibility via hash-chain journal.
Cloud SQL uses Google Cloud platform encryption. Customer-managed keys (CMEK/BYOK) are not offered in pilot — available for enterprise evaluation post-GA if required.
30 days: tenant provisioning, shared Slack/email channel, weekly checkpoint, MDM guidance, bug triage, and day-30 exit scorecard. No 24/7 SLA.
macOS app and CLI: fixes on the latest tagged release only. Managed endpoints receive updates via MDM PKG (in-app Sparkle disabled when org overlay is present).
Production SIEM integration, enterprise SAML/OIDC, custom SLAs, on-site deployment, and Endpoint Security live telemetry.
Google Cloud (Cloud Run, Cloud SQL, Identity Platform), Vercel (admin UI hosting), Firebase (admin auth), GitHub (public release artifacts).
Pre-GA — no SOC 2 Type II or ISO 27001 claim at pilot stage. See the compliance mapping pack and security whitepaper for control-theme mapping and security review detail.
Email 0xy9en@gmail.com — not public GitHub issues. Target acknowledgment: 3 business days. See Trust Center and SECURITY.md.
No.
See the 30-day design partner program for scope, success metrics, and onboarding. Full procurement detail is provided at kickoff.