Security

Mesh Intelligent Technologies, Inc. (“Pieces”) is committed to safeguarding user privacy and delivering secure, high-performance AI experiences that operate entirely on-device. Our system architecture, policies, and engineering practices are intentionally designed to ensure that user data remains local by default, is never used to train our models, and is only transferred to the cloud when explicitly initiated by the user.

This document outlines our current security posture, including data handling, model training methodology, and optional cloud interactions.

Local-first architecture

Our platform is built to exceed enterprise security expectations while maintaining a privacy-first, local-first approach that gives users full control over their data.

SOC 2 compliant infrastructure

We maintain SOC 2 compliance, a gold standard for managing customer data with strict controls across security, availability, and confidentiality. This ensures our infrastructure is built to meet the rigorous demands of enterprise environments.

Continuous security auditing

We perform regular security audits to assess, validate, and improve our systems. These audits help us proactively identify potential vulnerabilities, enforce best practices, and maintain the integrity of our infrastructure over time.

Secure authentication via Auth0

Authentication is handled through Auth0, enabling secure and scalable user access. We support advanced security configurations,  including multi-factor authentication (MFA), to ensure that only verified users can access sensitive data and functionality.

Privacy by design

Pieces is engineered for privacy at the core, with an architecture that ensures all user data remains local by default:

• Local data processing: All user content,  including code, snippets, memory, and interaction history, is processed and stored on the user's device. Nothing is sent to the cloud unless explicitly initiated by the user.

• On-device intelligence: Our proprietary nanomodels handle memory formation, summarization, and retrieval entirely on-device, without relying on external servers or persistent cloud services.
  
  

• Offline-first experience: Pieces functions fully offline with no background data sync, no passive telemetry, and no unexpected network activity. This ensures a secure and distraction-free experience, even in air-gapped or constrained environments.

This local-first model not only enhances performance but ensures that user data remains private, secure, and under the user’s full control at all times.

Cloud access and data transfer

When users opt into optional cloud-based features (such as LLM querying or backup/restore workflows), only the minimum required and contextually relevant data is sent.

Data transferred to cloud-based models (e.g., OpenAI, Claude) is pre-filtered and scoped to the user's immediate prompt, without transmitting unrelated memory or history. Pieces does not send full memory logs or raw content archives to any third-party service.

Cloud-based backup and restoration, when explicitly initiated, involves zipping and encrypting the user’s local database and transmitting it for temporary storage. There is no persistent cloud synchronization or continuous upload.

Data ownership and model training

User data is never used to train any model at Pieces. Instead, our nanomodels are trained exclusively on synthetic datasets generated using non-user-derived “Oracle models.”

This ensures that Pieces can improve performance without inspecting, storing, or training on real user inputs or behaviors.

The choice to exclude user data from all training activities is foundational to our system design and applies to all product components, including Long-Term Memory, Copilot interactions, context injection, and metadata generation.