Security at FileHolster
FileHolster is built offline-first. No network calls, no cloud sync, no telemetry. Your data never leaves your machine, and that is the strongest security posture an application can have.
Effective date: April 11, 2026
1. Our Approach
We believe the most secure application is one that never touches a network. FileHolster was designed from the ground up with a security-by-design philosophy: minimize the attack surface by eliminating unnecessary connectivity entirely.
Where most desktop applications phone home for analytics, sync data to the cloud, or require account authentication, FileHolster does none of these things. The result is a tool with an exceptionally small attack surface and zero exposure to network-based threats.
2. Application Security
FileHolster is built with Tauri v2, a modern framework that pairs a Rust backend with a lightweight web frontend. This architecture provides several security advantages:
- Rust backend - Rust's memory safety guarantees eliminate entire classes of vulnerabilities (buffer overflows, use-after-free, null pointer dereferences) at compile time.
- Sandboxed rendering - The frontend runs in a sandboxed webview with strict permissions. Only explicitly allowed Tauri commands can bridge into the system layer.
- No network access - The application makes zero outbound network requests. There are no HTTP clients, no WebSocket connections, no DNS lookups. Nothing leaves the process.
- Single binary - FileHolster ships as a single ~5MB installer with no external runtime dependencies, reducing supply chain risk.
- No background services - When you close FileHolster, it stops. There are no persistent background processes, daemons, or scheduled tasks.
3. Data Storage
All data stays on your machine. FileHolster stores your folders, notes, tasks, and configuration locally in your user profile directory. Nothing is transmitted, uploaded, or synced to any server, ever.
You have full control over your data at all times. Your files are stored in standard formats in directories you choose. If you uninstall FileHolster, you can delete the application data folder and every trace of it is gone.
We have no servers that receive, process, or store your data. We cannot access your files, notes, or any content you create in the application because we never see it.
4. Payment Security
Purchases are processed entirely by Stripe, which is certified as a PCI DSS Level 1 service provider - the most stringent level of certification available in the payments industry.
- We never see, store, or process your credit card number, CVV, or billing details.
- All payment data is transmitted directly from your browser to Stripe's servers over TLS-encrypted connections.
- License keys are generated after successful payment and delivered to your email via Resend, a trusted transactional email service.
At no point does payment information pass through our infrastructure.
5. Website Security
The FileHolster website (fileholster.com) is hosted on Firebase Hosting by Google, which provides:
- HTTPS everywhere - All connections are encrypted with TLS. HTTP requests are automatically redirected to HTTPS.
- Global CDN - Content is served from Google's edge network with built-in DDoS protection.
- No cookies or tracking scripts - The website does not set tracking cookies or load third-party analytics.
6. No Telemetry. No Tracking.
FileHolster makes zero network requests. There is no telemetry, no analytics, no crash reporting, no update checks, and no phone-home behavior of any kind. The application is completely silent on the network.
You can verify this yourself using any network monitoring tool (such as Wireshark or Windows Resource Monitor). You will see that FileHolster generates no network traffic whatsoever. This is not a setting you can toggle - it is a fundamental architectural decision. There is simply no networking code in the application.
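One way to run that check on Windows with PowerShell, as an added example that is not part of FileHolster or its documentation: it polls the TCP and UDP socket tables for the application's process and every child process, since Tauri renders through WebView2 on Windows, which runs in separate helper processes. The process name FileHolster is an assumption; adjust it to the executable name on your machine.

```powershell
# Added example (not FileHolster's code). Assumption: the main process is named
# "FileHolster"; change $Name to match what Task Manager shows.
param(
    [string]$Name = 'FileHolster',  # assumed process name
    [int]$Seconds = 120,            # how long to watch while you use the app
    [int]$IntervalMs = 500          # polling interval
)

function Get-ProcessTree {
    param([int[]]$RootIds)
    # Follow parent -> child links so webview helper processes are included.
    $all   = Get-CimInstance Win32_Process | Select-Object ProcessId, ParentProcessId
    $seen  = New-Object 'System.Collections.Generic.HashSet[int]'
    $queue = New-Object System.Collections.Queue
    $RootIds | ForEach-Object { $queue.Enqueue($_) }
    while ($queue.Count -gt 0) {
        $id = [int]$queue.Dequeue()
        if (-not $seen.Add($id)) { continue }
        $all | Where-Object { $_.ParentProcessId -eq $id } |
            ForEach-Object { $queue.Enqueue([int]$_.ProcessId) }
    }
    return @($seen)
}

$roots    = @(Get-Process -Name $Name -ErrorAction Stop | ForEach-Object { $_.Id })
$observed = @{}   # de-duplicated sockets seen during the watch window
$deadline = (Get-Date).AddSeconds($Seconds)

while ((Get-Date) -lt $deadline) {
    $tree = Get-ProcessTree -RootIds $roots
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.OwningProcess -in $tree } |
        ForEach-Object {
            $key = "TCP $($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort) pid=$($_.OwningProcess)"
            $observed[$key] = $_.State
        }
    Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        Where-Object { $_.OwningProcess -in $tree } |
        ForEach-Object {
            $key = "UDP $($_.LocalAddress):$($_.LocalPort) pid=$($_.OwningProcess)"
            $observed[$key] = 'Bound'
        }
    Start-Sleep -Milliseconds $IntervalMs
}

if ($observed.Count -eq 0) { "No TCP or UDP sockets seen for '$Name' or its child processes." }
else { $observed.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize }
```

Polling can miss very short-lived connections, and DNS lookups are performed by the Windows DNS Client service rather than the calling process, so a packet capture in Wireshark remains the more complete check.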
7. Vulnerability Reporting
If you discover a security vulnerability in FileHolster or on our website, we want to hear about it. Please report it responsibly by emailing:
When reporting, please include:
- A description of the vulnerability and its potential impact.
- Steps to reproduce the issue.
- Your FileHolster version and operating system, if applicable.
We take every report seriously and will respond as quickly as possible. We ask that you allow us a reasonable timeframe to investigate and address the issue before any public disclosure.
8. Third-Party Dependencies
FileHolster is built on well-established open-source foundations:
- Tauri v2 - An open-source framework for building secure, lightweight desktop applications. Actively maintained with regular security audits.
- Rust ecosystem - Backend dependencies are sourced from crates.io, Rust's package registry, and are regularly updated to incorporate security patches.
- React - The frontend UI library, widely used and extensively tested across the industry.
We regularly review and update our dependencies to ensure known vulnerabilities are addressed promptly. Because the application has no network surface, the practical risk from dependency vulnerabilities is significantly reduced compared to networked applications.