Security at Invoked
Invoked is a local-first desktop app. Your sensitive data — API keys, tool configs, and run history — stays on your machine. We designed it to pass enterprise security review, not just to look secure.
Compliance & certifications
- SOC 2 Type II — in progress. We are actively undergoing a SOC 2 examination of our security controls. If your procurement process needs our current status, the auditor, or our controls documentation, email security@invoked.ai.
- Data residency & privacy. Because Invoked is local-first, the most sensitive data (keys, configs, run history) never leaves your machine — which materially narrows the scope of data we process on your behalf.
- Payments. Billing is handled by Stripe (PCI DSS Level 1); we never store card data.
- Security questionnaires & DPAs. We’re happy to complete vendor security questionnaires and sign a DPA for enterprise evaluations — reach out and we’ll turn it around quickly.
Data handling (local-first)
[Diagram: the local-first data boundary. Stays on your machine: API keys & tokens, tool configs, run history, local SQLite. Sent to Invoked's services: anonymized usage metrics, team skill definitions (no secrets).]
No prompts, credentials, or PII ever cross this boundary.
- API keys and personal access tokens are stored in your OS keychain via Electron safeStorage — never in plaintext, never sent to our servers.
- Tool configurations and run history live in a local SQLite database on your machine.
- Only anonymized, aggregate usage analytics (no prompts, no credentials, no PII) are sent to our analytics pipeline.
- Team-shared skill definitions sync through our API so teammates can use them — but they carry no credentials; secrets always stay local.
Application integrity
- The renderer runs with context isolation, no Node integration, an OS sandbox, and a strict Content-Security-Policy.
- Releases are built in CI and published from a verified pipeline, with a Software Bill of Materials (SBOM) published alongside each release.
- Code signing and notarization (macOS Developer ID + Apple notarization; Windows Authenticode) are being rolled out — contact us if you need details for your current evaluation.
Vulnerability disclosure
Found a security issue? Email security@invoked.ai. Please give us a reasonable window to remediate before public disclosure. Our machine-readable contact is at /.well-known/security.txt.
For enterprise security teams — behavior profile
If you run an EDR agent (e.g. CrowdStrike) or network controls, here is exactly what Invoked does at runtime, so you can pre-approve / allowlist it. Everything below is expected, documented behavior.
Outbound network connections
Invoked connects only to the hosts it needs. The desktop app enforces this with a Content-Security-Policy; this is the full list:
- invoked.ai — our API (auth, team library sync)
- clerk.invoked.ai — authentication (Clerk)
- api.stripe.com, js.stripe.com — billing (Stripe)
- *.tinybird.co — anonymized usage analytics
- *.knock.app — in-app notifications
- LLM providers you configure — e.g. api.anthropic.com, api.openai.com, api-inference.huggingface.co, api.groq.com, or a local model at localhost (Ollama)
- Any LLM provider, MCP server, or REST API you explicitly configure — Invoked is a bring-your-own-endpoint tool, so the agent connects to the services you point it at (and only those).
Because users configure their own model providers and tool endpoints, the app permits outbound connections broadly by design; it does not execute untrusted remote scripts (a strict script-src is enforced).
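As an added illustration (this is example code written for this page, not Invoked's own source), the snippet below shows how the renderer hardening from "Application integrity" and the host allowlist above can be expressed as Electron webPreferences and a Content-Security-Policy string, together with a small checker that tests a URL against the connect-src directive. The schemes, the localhost port wildcard, the policy layout and the functions buildCsp, parseDirective, sourceMatches and isConnectAllowed are assumptions made for the example; the page lists hostnames only.

```javascript
// Added example, not Invoked's code: renderer hardening and an outbound
// host allowlist expressed as CSP, plus a checker for the connect-src
// directive. Runs under plain Node (no Electron needed) because it only
// builds and evaluates strings.

// Electron BrowserWindow webPreferences for the settings the page states.
// The option names are Electron's; the object itself is an assumption.
const HARDENED_WEB_PREFERENCES = {
  contextIsolation: true, // preload and page scripts live in separate JS worlds
  nodeIntegration: false, // no require()/process available to the renderer
  sandbox: true,          // renderer runs inside the OS-level Chromium sandbox
};

// Hosts from the page's allowlist. Schemes and the localhost port wildcard
// are assumptions; the page gives hostnames only.
const CONNECT_SRC_HOSTS = [
  "https://invoked.ai",
  "https://clerk.invoked.ai",
  "https://api.stripe.com",
  "https://js.stripe.com",
  "https://*.tinybird.co",
  "https://*.knock.app",
  "https://api.anthropic.com",
  "https://api.openai.com",
  "https://api-inference.huggingface.co",
  "https://api.groq.com",
  "http://localhost:*", // local model server (Ollama) on any port
];

// Strict script-src (bundle only) and a connect-src limited to the list.
function buildCsp(connectHosts) {
  return [
    "default-src 'self'",
    "script-src 'self'",
    "connect-src 'self' " + connectHosts.join(" "),
  ].join("; ");
}

// Return the source list of one directive, or null if it is absent.
function parseDirective(csp, name) {
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens[0] === name) return tokens.slice(1);
  }
  return null;
}

// Does one CSP host-source (scheme://host[:port]) match a URL? This covers
// the subset of CSP source matching this list needs: exact or leading
// wildcard host, optional "*" or numeric port; a source without a port
// matches only the scheme's default port.
function sourceMatches(source, urlString) {
  const url = new URL(urlString);
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^:/]+)(?::(\*|\d+))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme.toLowerCase() + ":" !== url.protocol) return false;
  const hostname = url.hostname.toLowerCase();
  const hostOk = host.startsWith("*.")
    ? hostname.endsWith(host.slice(1).toLowerCase()) // "*.a.b" matches "x.a.b", not "a.b"
    : hostname === host.toLowerCase();
  if (!hostOk) return false;
  if (port === undefined) return url.port === "";
  return port === "*" || port === url.port;
}

// Would the renderer be allowed to open a connection to this URL?
// 'self' is skipped because the document origin is not known here.
function isConnectAllowed(csp, urlString) {
  const sources =
    parseDirective(csp, "connect-src") || parseDirective(csp, "default-src") || [];
  return sources.some((s) => s !== "'self'" && sourceMatches(s, urlString));
}

const INVOKED_CSP = buildCsp(CONNECT_SRC_HOSTS);
```

A security team can feed isConnectAllowed any destination observed by a proxy or EDR sensor to confirm it falls inside the documented list; a wildcard entry such as *.tinybird.co matches subdomains but not the bare apex, which is the CSP behaviour the checker reproduces.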
Local process behavior
- Invoked spawns local child processes to run MCP (Model Context Protocol) tool servers over stdio — a normal part of how the agent uses tools. It locates a real Node.js binary on your system for this.
- It reads/writes the OS keychain (via safeStorage) to protect your API keys.
- It writes a local SQLite database and config files in the standard per-user application-data directory.
- It does not install drivers, modify system files, or require elevated privileges.
Need a signed letter, SBOM, or a deeper review for procurement? Email security@invoked.ai.