
Trust

The artefacts a security reviewer usually asks for

The artefacts security reviewers ask for: data flow, encryption, sub-processors, deployment, retention, admin controls, operational health, and legal.


What you can verify without a meeting

Processing: on-device. Capture, OCR, transcription, embeddings, and chat all run locally.

Encryption at rest: SQLCipher. Whole local database. Keychain-derived key.

Captured bytes to the cloud: 0. Only account, billing, and device metadata leave the device by default.

Concrete artefacts

What reviewers usually ask for, and where it is

Data flow

OCR text, audio transcripts, and metadata stay in a local SQLite database. No screen images or video files are persisted. Account, billing, and device metadata sit in a separate PostgreSQL schema.

Encryption

SQLCipher whole-database encryption at rest. The database key is derived from a high-entropy secret in the platform keychain.
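A reviewer can spot-check the at-rest claim on a test laptop by looking at the database file itself: a plaintext SQLite file always begins with the 16-byte string "SQLite format 3\0", while a SQLCipher database in its default configuration has no readable header. The script below is an added example, not Overshow's code; the path to the local database is not given on this page and has to be supplied by the reviewer, and the two sample files are constructed. An "opaque" result shows the file is not plaintext SQLite; it does not by itself prove which cipher or key derivation is in use.

```python
import math
import os
import sqlite3
import tempfile
from collections import Counter

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every plaintext SQLite file
SAMPLE = 4096  # bytes inspected; an assumed sample size, not a value from this page


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_db_file(path: str) -> str:
    """Return 'plaintext-sqlite', 'opaque' or 'inconclusive' for the file at path."""
    with open(path, "rb") as fh:
        first = fh.read(SAMPLE)
    if first.startswith(SQLITE_MAGIC):
        return "plaintext-sqlite"
    # Encrypted pages look random: a 4 KiB random sample measures about 7.95 bits/byte.
    if len(first) == SAMPLE and shannon_entropy(first) > 7.5:
        return "opaque"
    return "inconclusive"


def demo() -> dict:
    """Classify two constructed files: a plaintext SQLite DB and a random-byte stand-in."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        plain = os.path.join(tmp, "plain.db")
        con = sqlite3.connect(plain)
        con.execute("CREATE TABLE ocr_text (id INTEGER PRIMARY KEY, body TEXT)")
        con.execute("INSERT INTO ocr_text (body) VALUES ('constructed sample row')")
        con.commit()
        con.close()
        results["plain"] = classify_db_file(plain)
        opaque = os.path.join(tmp, "opaque.db")
        with open(opaque, "wb") as fh:
            fh.write(os.urandom(SAMPLE * 2))  # stands in for an encrypted database
        results["opaque"] = classify_db_file(opaque)
    return results
```

To check a real installation, call `classify_db_file()` on the application's database file while the app is paused or closed.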

Sub-processors

Neon (PostgreSQL) for account and billing data, Stripe for payments, Vercel for hosting plus cookieless Web Analytics and Speed Insights. That is the list.

Capture controls

Window, monitor, and app exclusions. Pause / resume. Built-in HR and password-manager exclusion categories.

Identity

Magic-link, Google OIDC, Microsoft Entra ID with PKCE. Single active device per user. Automatic revocation on new sign-in.

Operational health

Code-signed and notarised builds. Desktop app runs continuous health checks on capture and the local database. Health status is visible to the user on the laptop.

Running a formal review?

Share your checklist and the stakeholders involved. We will map answers to each line and schedule a walkthrough.

Trust documentation

Where to find the answers security, privacy, and commercial teams ask for

Trust Centre

This page points at the artefacts security, privacy, and procurement reviewers normally ask for. If something here is missing or out of date, email hi@over.show or tell us on the contact page.

Deployment model

Overshow runs as a desktop application on each user's laptop. v1.0 is macOS 26 (Tahoe) on Apple Silicon. The app is code-signed and notarised.

  • User data plane. Capture, OCR, transcription, search, and chat all run locally against a per-user SQLite database on the laptop. Nothing in that database leaves the device by default.
  • Control plane. A small PostgreSQL schema on Neon holds account, billing, and device metadata only. It never stores captured content.
  • Self-hosted option. Enterprise customers can pin specific model weights, disable the cloud model fallback, and point the optional MCP bridge at their own infrastructure.
  • Offline. The desktop app works offline for capture, search, and chat against local models. Sign-in, billing, and device rotation need a connection to the control plane.

Security and architecture

Review topics usually covered:

  • Data boundary (captures on device, account in PostgreSQL)
  • Encryption at rest (SQLCipher whole-database encryption, keychain-derived key)
  • Capture scope controls (window, monitor, app, pause, exclusion categories)
  • Operational health (code-signed, notarised, local health checks, no telemetry)

Privacy and policy

Review topics usually covered:

  • Personal data categories and lawful basis
  • Cookie usage (marketing site: none; web app: strictly necessary only)
  • Cookieless analytics (Vercel Web Analytics and Speed Insights)
  • Data retention and user rights

Data retention

Retention is set so nothing lingers longer than it needs to.

  • Captured content (on device). Free plan: 7-day rolling window before older capture rows are purged locally. Pro: retained until the user deletes it or uninstalls. Users can wipe the local database at any time from the desktop app.
  • Account and billing data (Neon). Retained while the account is active and for 12 months after deletion to honour statutory tax and accounting obligations. Then irrecoverably deleted.
  • Auth events and security logs. 90 days, after which they are aggregated into non-identifying counters.
  • Stripe payment records. Held by Stripe per their retention terms; we keep only the minimum metadata required to reconcile invoices.
  • Backups. Point-in-time recovery on Neon for 7 days; no other backups hold user content.

Deletion requests to hi@over.show are actioned within 30 days, and the response confirms exactly what was removed and what statutory records remained.

Admin controls (Enterprise)

Admins get a read-only dashboard against the control plane plus the following levers:

  • SSO and provisioning. Google OIDC, Microsoft Entra ID, and SCIM 2.0 for user lifecycle.
  • Device policy. Enforce a single active device per user, require OS version minimums, and auto-revoke on new sign-in.
  • Capture policy. Push organisation-wide app, window, and URL exclusions. Default exclusion categories for HR, finance, and password-manager apps.
  • AI policy. Disable cloud model fallback, pin local model versions, and require explicit approval before any export.
  • Audit. Export account and admin-action logs as JSON or CSV. No captured content ever appears in audit exports.
  • Offboarding. One-click wipe of the user's local database, delivered as a device command the next time the device is online.

Sub-processors

The full list of sub-processors that touch any production data:

  • Neon - managed PostgreSQL for account, billing, and device metadata. EU region by default.
  • Stripe - payment processing.
  • Vercel - hosting for the marketing site and web app, plus cookieless Web Analytics and Speed Insights. No cookies are set and no cross-site identifiers are used.

Captured content (screens, audio, transcripts) stays on the laptop by default and no sub-processor touches it. It only leaves the device if you explicitly export it or opt in to a cloud integration, such as running the MCP server with --cloud.

Analytics and cookies

  • Marketing site (over.show): no cookies. Vercel Web Analytics and Speed Insights run in cookieless mode and do not use cross-site identifiers. We collect aggregated page views, Web Vitals, and a small number of named conversion events (CTA clicks, pricing toggle, FAQ open/close, form start and submit outcomes). Form field values are never included in events.
  • Web app (app.over.show): strictly necessary cookies only (session and anti-CSRF tokens). No advertising cookies, no cross-site tracking, no third-party analytics cookies.
  • Desktop app: no telemetry. No analytics beacons are sent from the desktop app itself.
  • Lawful basis: legitimate interests for cookieless analytics; strictly necessary for sign-in cookies. No consent banner is required because no non-essential information is stored on or retrieved from the device.

For the full disclosure, including each custom event and what it contains, see the privacy notice.

Commercial and legal

Review topics usually covered:

  • Evaluation scope and success criteria
  • Support responsibilities
  • Contractual terms

Running a formal review

If you are coordinating a formal security or procurement review, email hi@over.show with:

  • Your checklist or questionnaire.
  • The stakeholders involved (security, IT, legal, commercial).
  • Any blockers you need answered first.

We will map answers to each question and agree a walkthrough. First response within two working days.