DaySpire Technical
Security Specifications
An in-depth review of the local storage cryptographic blocks, Rust control boundaries, and system interfaces driving DaySpire's time intelligence software.
1. Local Database & On-Device Encryption
DaySpire stores active app captures, focus metrics, and text transcripts in a unified SQLite ledger protected by 256-bit AES encryption. The database is keyed via an on-device credential managed securely by the macOS Keychain.
2. In-Process Core Boundary
Unlike traditional desktop frameworks that spin up local HTTP model servers or loopback TCP sockets (which expose your machine to cross-origin extraction risks), DaySpire compiles its entire processing core directly into the native macOS app.
This keeps calls to local engines, speech-to-text systems, and database search indices inside the native app/runtime boundary instead of routing work content through configurable local model hosts.
To be precise about terms: DaySpire does not run inside the macOS App Sandbox — automatic capture needs to observe app and window activity, which the App Sandbox prohibits. Shipped builds are Hardened Runtime signed and notarized by Apple, and every sensitive capability (Accessibility, Microphone, Screen Recording, Calendar, folders) is individually gated by a macOS permission prompt you can revoke at any time.
3. Cryptographic Deduplication & Audit Logs
Documents and screenshots imported manually as project evidence are hashed before ingestion. Exports are tied to approved database records and evidence references rather than raw capture observations.
Every timecard edit or approval is logged to an immutable ledger append stream, giving reviewers a traceable billing record.
4. Threat Model & Security Scope
We believe in clear transparency about what DaySpire protects against and what it does not:
Protected Against
- Corporate data leaks
- Cloud backend infrastructure data breaches
- Network intercept/MITM of private files
- Aggressive marketing telemetry tracking
Out of Scope
- Physical theft of an un-encrypted Mac
- Admin-level malware running locally
- Insecure manual file exports