Data & Security
How QuickContract keeps your data safe.
QuickContract is designed so that your sensitive data — contracts, meeting transcripts, business information — stays on your machine by default. This page details the specific security measures in place at every layer of the application.
Local-first architecture
QuickContract is a native desktop application, not a web app. All core data is stored in a local SQLite database on your Mac. There is no central server that holds your contracts or meeting data. This means:
- Your data is available offline at all times
- No server breach can expose your contracts
- You have complete control over your data's lifecycle
- Deleting the app and its data from your Mac permanently removes it
Network access is only required for AI features that use cloud providers and for license activation.
API key storage
Your AI provider API keys are stored in your operating system's native credential store — the macOS Keychain, and the equivalent secure store on other platforms. This is a hardware-backed, encrypted credential store managed by the operating system. Your API keys are:
- Encrypted at rest by the macOS Keychain
- Never written to the SQLite database or any plain-text file
- Never transmitted to QuickContract servers
- Only accessible to the QuickContract application process
- Not included in database backups
If you uninstall QuickContract, your API keys remain in the Keychain until you remove them manually, for example with the Keychain Access app.
Database encryption
The local SQLite database is stored within the application's data directory on your Mac's file system. While the database file itself is a standard SQLite file, it is protected by macOS's built-in security layers:
- FileVault: If you have FileVault enabled (recommended), your entire disk is encrypted with XTS-AES-128. This means the QuickContract database is encrypted at rest along with all other files on your Mac.
- App Sandbox: QuickContract runs within a macOS app sandbox, restricting file system access to its own data directory. Other applications cannot read QuickContract's database.
- Gatekeeper & notarization: QuickContract is signed and notarized by Apple, verifying its integrity and ensuring it has not been tampered with.
To verify FileVault is enabled on your Mac, go to System Settings > Privacy & Security > FileVault. We strongly recommend keeping FileVault on for maximum data protection.
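One way to check the three macOS protections listed above from Terminal, as an added example that is not QuickContract's own code: it classifies the output of fdesetup, codesign and spctl. The path /Applications/QuickContract.app is an assumed install location; pass the real path as the first argument.

```shell
#!/bin/sh
# Added example: verifies the OS-level protections the database relies on.
# The default app path below is an assumption (placeholder), not from the vendor.

# Classify `fdesetup status` output: prints on | off | unknown.
filevault_state() {
  case "$1" in
    *"FileVault is On"*)  echo on ;;
    *"FileVault is Off"*) echo off ;;
    *)                    echo unknown ;;
  esac
}

# Classify `codesign -d --entitlements - --xml` output: prints yes | no.
# The sandbox counts as enabled only when the key is followed by <true/>.
sandbox_enabled() {
  if printf '%s' "$1" | tr -d ' \t\n' |
     grep -q '<key>com.apple.security.app-sandbox</key><true/>'; then
    echo yes
  else
    echo no
  fi
}

# Classify `spctl --assess -vv` output: prints notarized | accepted | rejected.
gatekeeper_state() {
  case "$1" in
    *": accepted"*"source=Notarized"*) echo notarized ;;
    *": accepted"*)                    echo accepted ;;
    *)                                 echo rejected ;;
  esac
}

# Run the three live checks against an app bundle and print one line each.
audit() {
  app=$1
  echo "FileVault:  $(filevault_state "$(fdesetup status 2>&1)")"
  echo "Sandbox:    $(sandbox_enabled "$(codesign -d --entitlements - --xml "$app" 2>/dev/null)")"
  echo "Gatekeeper: $(gatekeeper_state "$(spctl --assess --type execute -vv "$app" 2>&1)")"
}

# Live checks only make sense on macOS; elsewhere the classifiers can still
# be run on saved command output.
if [ "$(uname -s)" = "Darwin" ]; then
  audit "${1:-/Applications/QuickContract.app}"
fi
```

A result of "off", "no" or "rejected" on any line means the corresponding protection described in this section is not in effect on that Mac.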
No telemetry
QuickContract does not include any analytics frameworks, usage tracking, or behavioral telemetry. We do not track:
- Which features you use or how often
- What contracts you create or their content
- Which AI models or providers you select
- Your meeting schedules, participants, or transcript content
- Your browsing or navigation patterns within the app
The only network requests QuickContract makes are: AI provider API calls (initiated by you), license validation checks, and optional crash reports.
Offline mode
When you use Ollama as your AI provider, QuickContract operates with zero network dependency for AI features. Audio transcription via Whisper already runs locally. Combined with Ollama for contract generation and analysis, this means that no contract text, meeting audio, transcript data, or any other content is sent over the network. Every computation happens on your Mac. This is the highest-privacy configuration available and is suitable for organizations with strict data sovereignty requirements.
Even in offline mode, you can still generate contracts, analyze documents, use the Legal Advisor, record and transcribe meetings, and manage your entire contract workflow — all without an internet connection.
Reporting vulnerabilities
If you discover a security vulnerability in QuickContract, please report it responsibly. Contact us at security@quickcontract.app with a description of the issue, steps to reproduce, and any relevant details. We take all reports seriously and will respond within 48 hours.
Please do not disclose vulnerabilities publicly until we have had an opportunity to investigate and release a fix. We appreciate the security research community's efforts in helping keep QuickContract safe.