Trust

Know what stays local and what leaves the device

Matter artifacts and configuration live in your local data directory by default. During a run, disclosure content and intermediate work may be sent to the model and patent-data providers you configure. This page makes those boundaries explicit and documents the controls for shared deployments.

0 uploads to Patendra 127.0.0.1 default bind BYO API keys Source on GitHub
A dim server-rack corridor lit only by green status LEDs

Local-first

Where your data lives

Every run, every draft, every key sits in a single directory on your disk. Back it up, encrypt it, or delete it. It's yours, and you don't need our permission or our uptime.

macOS

Application Support

The desktop app (.dmg) keeps all state in ~/Library/Application Support/Patendra.

Windows

AppData

The Windows installer keeps all state in %APPDATA%\Patendra.

Anywhere

PATENDRA_HOME

Self-hosters can point the data directory at any path: an encrypted volume, a network share, a container mount. See the docs.

Inside that directory: your .env API keys, every run (hypotheses, search logs, examination memos, drafts, PDFs), the cross-run learning data built from your Strong/Moderate/Weak/Rejected assessments, and the local ChromaDB vector store. Nothing in it is uploaded to Patendra. We couldn't read it if we wanted to, because no Patendra server ever receives it.

Network map

Every outbound call, and when it happens

This is the complete list. If a destination isn't in this table, Patendra doesn't talk to it.

DestinationWhen it happensWhat is sent
Anthropic API (Claude)During a run, when Claude is your selected modelYour disclosure text, prompts, and intermediate drafts, under Anthropic's terms and using your key
Google Gemini APIDuring a run, when Gemini is your selected modelYour disclosure text, prompts, and intermediate drafts, under Google's terms and using your key
USPTO Open Data PortalPrior-art search phases, only if a USPTO key is configuredSearch queries derived from your claims and concepts
Espacenet (EPO OPS)Prior-art search phases, only if Espacenet credentials are configuredSearch queries derived from your claims and concepts
Google BigQuery (Google Patents public data)Prior-art search phases, only if BigQuery access is configuredSearch queries derived from your claims and concepts
Embedding model downloadOnce, on first runNothing about your invention. A public sentence-transformer model is fetched for the local vector store
Patendra serversNeverNothing. There is no Patendra cloud, no telemetry endpoint, no account service

Every patent-data source is optional and disabled until you add credentials. With none configured, prior-art retrieval still runs against the local vector store, and heavy features degrade gracefully offline.

Confidentiality

Why local matters before you file

Before you file, confidentiality is the asset itself.

Exposure

Smallest possible surface

An unfiled invention disclosed to the wrong party at the wrong time can complicate or compromise your own filing. A cloud drafting service adds a whole company (its staff, its subprocessors, its breach surface) to the set of people who could see your disclosure. Patendra adds no one.

Control

You choose every counterparty

The only parties that ever see disclosure text are the LLM provider you select per run. You pick Anthropic or Google, you hold the key, and you can read their data-handling terms before the first token leaves your machine.

Privilege

Clean handoff to counsel

Because runs, drafts, and evidence live in local files, your attorney receives a complete package on your terms. That is useful for firms managing privilege and for inventors who haven't engaged counsel yet. Patendra is not legal advice; attorney review is always required.

Self-host hardening

Secure defaults for shared deployment

Run Patendra as a shared service for a team and the FastAPI server defends itself by default, and fails closed when it can't.

Bind policy

Loopback unless you prove intent

The server binds 127.0.0.1 by default and refuses to start on a non-loopback address unless PATENDRA_API_TOKEN is set. It fails closed: no token, no exposure. A PATENDRA_ALLOW_INSECURE=1 override exists solely for deployments behind a trusted authenticating proxy.

Authentication

Every endpoint, every time

When a token is set, every /api endpoint requires it, via X-API-Token, a Bearer header, or an HttpOnly SameSite=Strict session cookie issued by POST /api/auth/session for browser dashboard use. Token comparison is constant-time.

Abuse limits

Bounded inputs, bounded clients

Request bodies are capped (2 MiB by default, configurable), disclosure text has its own domain cap, and per-client rate limiting throttles anyone hammering the API, so a misbehaving script can't exhaust the box.

Surface hardening

Boring in the right ways

Path-traversal-hardened file serving for run artifacts, a strict CORS allow-list limited to localhost origins, and security headers on every response: nosniff, frame SAMEORIGIN, no-referrer.

Deployment recipes (0.0.0.0 with a token, Docker, reverse proxies) are in the documentation.

Key handling

API keys are not returned to the browser

Your Anthropic, Gemini, USPTO, and Espacenet credentials are the crown jewels of your setup, so the API treats them as one-way inputs.

  1. Stored locally, validated strictly

    Keys live in a .env file inside your local data directory, whether you type them into the dashboard Settings panel or edit the file yourself. Values are strictly validated on write, and newline injection is rejected outright.

  2. Never echoed back

    The API reports only set or not set for each key. No endpoint returns a key value, to the dashboard or to anything else, so a compromised browser session can't exfiltrate credentials through the settings screen.

  3. Never logged

    Key values are excluded from server logs and run artifacts, so sharing a run folder or a log file with counsel or a colleague doesn't leak your credentials.

Honest limitations

What this page does not claim

A security page you can trust has to say what isn't covered, too.

Installers are currently unsigned. macOS Gatekeeper and Windows SmartScreen will warn on first launch (right-click and choose Open on macOS; "Run anyway" on Windows). If your organization forbids unsigned binaries, install from source or use the Docker image instead. The docs cover both.

LLM calls share your disclosure text with your chosen provider. When a run uses Claude or Gemini, that text is processed by Anthropic or Google under their API terms and data-handling policies, not ours. Review your provider's policies on retention and training before running sensitive material, and choose the provider whose terms fit your risk posture.

Patent-data queries reveal search terms. Enabled USPTO, Espacenet, or BigQuery searches send queries derived from your claims to those services. Disable any source you're not comfortable querying.

No compliance certifications are claimed. Patendra makes architectural guarantees you can verify in the source code, not audit badges. Where a certification matters to you, evaluate the code and your chosen providers directly.

Responsible disclosure

Found something? Tell us

We would rather hear about a weakness from you than from an incident. If you find a security issue in the server hardening, the key handling, the file serving, anywhere, please report it to us with reproduction details. We take reports seriously and will credit reporters who want credit.

Review the boundary before using sensitive data

The strongest privacy claim is one you can check. Clone the repository, read the server code, and run your first draft entirely on your own machine.

Read the docs