security

Built to be checked.

Your keys on your device, your approval before anything consequential, and a record anyone can verify.

The short version

JUWEL is built so you don't have to trust us: your signing key is generated on your device, every action she takes is signed and hash-chained, consequential actions pause for your approval, and the verifier that checks it all is open source and not ours.

Keys and signatures

  • Your instance generates an ECDSA P-256 keypair in your browser (WebCrypto). The private key stays with your instance.
  • Every action is canonicalized, hashed (SHA-256), signed, and chained to the previous receipt — removing or editing any record breaks the chain.
  • Receipts verify offline with npx @vextlabs/stoa-verifier — no account, no call to Vext Labs.

Approval gates

Sending, paying, filing, deleting, shipping — anything consequential raises an approval card first. Nothing leaves your machine until you say so, and the approval itself is recorded in the receipt.

Your data

  • OS files, memory, and chat history live with your instance, exportable at any time.
  • We don't sell your data. Billing runs through Stripe; we never see your full card number.

Where we are honest about limits

We are a young lab. Formal certifications (SOC 2 and friends) are on our roadmap, not on our wall — if your procurement needs specifics, ask us directly and we'll tell you exactly where things stand. Found a vulnerability? Mail info@tryvext.com with "SECURITY" in the subject — we read those first.