Krellix

01 Security

Straight answers to the security review.

Krellix is desktop software that runs on the operator's Windows machine. Collected data never touches a Krellix server, and the product does not phone home. This page documents the design decisions that make that true, and what you can verify for yourself.

Data stays on your machine
Delegated OAuth, no Application scopes
Signed Windows installer

02 Data flow

Where collected messages go.

The short answer is: nowhere but your disk. The longer answer is the table below.

Data type | Where it lives
Collected messages and attachments | Operator's local disk, under the export folder they chose
SHA-256 / MD5 hashes | Operator's local disk, inside 06_HashManifests/
Chain-of-custody manifest | Operator's local disk, inside 07_TimestampMaterials/
Hash of the manifest (for TSA request) | Sent to a public Time Stamp Authority — DigiCert, Sectigo, or GlobalSign
Access token (OAuth, short-lived) | Windows DPAPI-protected token cache, operator's user profile only
Refresh token | Same DPAPI-protected cache, cleared on sign-out
License file | Operator's user profile, issued by Krellix license server at purchase time
Telemetry / usage analytics | Not collected. The app does not phone home.

03 Controls

Design decisions that matter for a security review.

Credentials

Your password never reaches Krellix

Sign-in is handled by MSAL (Microsoft Authentication Library) running the sign-in in the system browser. Krellix receives an access token and a refresh token; it never sees the password. You can sign out and revoke the refresh token at any time from the Microsoft 365 sign-ins page.

Code signing

Every release is signed

The Windows installer and the compiled application are signed with an EV code-signing certificate issued by DigiCert. Windows SmartScreen, Microsoft Defender, and most endpoint security products recognize the signature and don't flag the installer as unknown-publisher.

Network egress

Three outbound destinations, total

During a collection, Krellix talks to Microsoft Graph (graph.microsoft.com) over TLS 1.2+, and once at the end of the collection to a public Time Stamp Authority. During license activation it talks to the Krellix license server. That's it. You can log every outbound connection and satisfy yourself it matches.

Tenant audit log

Every collection is logged under your identity

Because Krellix uses delegated (not Application) permissions, every Graph call appears in your tenant's audit log with your UPN and the scope set you consented to. If your tenant has Microsoft Purview Audit or a SIEM ingesting Entra logs, the Krellix activity is visible there with no extra integration.

Export integrity

Tampering with an export is detectable

Every file in the export is SHA-256 hashed. The hash manifest itself is hashed, and that hash is signed by a public TSA. Modifying any byte after the fact — in the native .eml, the attachments, or the manifest — breaks the hash chain and invalidates the TSA signature. Detection is a single OpenSSL command.
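An added example, not Krellix's own tooling: a Python check of the file-to-manifest half of the hash chain described above. It assumes a sha256sum-style manifest (`<hex digest>  <relative path>` lines) and that the value timestamped by the TSA is the SHA-256 of the manifest bytes; the `01_Mail` folder, the manifest file name and the sample messages are constructed for the demo.

```python
# Added example (not Krellix code). Assumed manifest format: sha256sum-style
# "<hex digest>  <relative path>"; the TSA-stamped value is assumed to be SHA-256 of the manifest bytes.
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_export(root: Path, manifest_rel: str, stamped_digest: str) -> dict:
    """Report modified, missing and unlisted files, and whether the manifest
    still hashes to the digest that was sent to the TSA."""
    manifest = root / manifest_rel
    expected = {}
    for line in manifest.read_text().splitlines():
        if line.strip():
            digest, rel = line.split("  ", 1)  # two spaces, as sha256sum writes them
            expected[rel] = digest.lower()
    modified = [r for r, d in expected.items() if (root / r).is_file() and sha256_file(root / r) != d]
    missing = [r for r in expected if not (root / r).is_file()]
    on_disk = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    unlisted = sorted(on_disk - set(expected) - {manifest_rel})
    return {"modified": sorted(modified), "missing": missing, "unlisted": unlisted,
            "manifest_ok": sha256_file(manifest) == stamped_digest.lower()}


def demo() -> tuple:
    """Constructed export: verify clean, then after editing one .eml, then after editing the manifest."""
    root = Path(tempfile.mkdtemp())
    files = {"01_Mail/msg1.eml": b"Subject: one\r\n\r\nhello\r\n",  # folder and messages are made up
             "01_Mail/msg2.eml": b"Subject: two\r\n\r\nworld\r\n"}
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    manifest_rel = "06_HashManifests/manifest.sha256"  # folder name from the page, file name assumed
    manifest = root / manifest_rel
    manifest.parent.mkdir()
    manifest.write_text("".join(f"{sha256_file(root / r)}  {r}\n" for r in files))
    stamped = sha256_file(manifest)  # the digest that would have gone to the TSA
    clean = verify_export(root, manifest_rel, stamped)
    (root / "01_Mail/msg1.eml").write_bytes(b"Subject: one\r\n\r\nhellp\r\n")  # one byte changed
    file_tampered = verify_export(root, manifest_rel, stamped)
    manifest.write_text(manifest.read_text().replace("msg2", "msg3"))  # edit the manifest itself
    manifest_tampered = verify_export(root, manifest_rel, stamped)
    return clean, file_tampered, manifest_tampered
```

The TSA signature over the manifest digest is the other half of the chain and is checked separately with `openssl ts -verify` against the stored timestamp response; a `manifest_ok` of False here means that check would fail too.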

License server

License checks are periodic, not per-collection

The license is checked at app startup and once every 24 hours thereafter while the app is running. If the license server is unreachable, the app runs with the cached license until the next successful check. A collection in progress will never be interrupted by a license check — the cryptographic artifacts would still be valid if Krellix the company ceased to exist mid-export.

04 Microsoft Graph permissions

The scopes we ask for, and why.

Krellix requests delegated scopes only — never Application permissions. The operator signs in as themselves; every Graph call is made on their behalf and logged under their identity in the tenant's audit log.

User.Read (Both modes)

Read the operator's own profile to identify them in the chain-of-custody manifest (UPN, display name, object ID).

Mail.Read (Both modes)

Read mail from /me/messages in Personal mode, and fall back to the operator's own mailbox for self-collection scenarios in Enterprise mode.

offline_access (Both modes)

Obtain a refresh token so a long-running collection doesn't require the operator to re-authenticate every hour.

Mail.Read.Shared (Enterprise only)

Read a custodian's mailbox, authorized by Add-MailboxPermission granting the operator Full Access. The scope by itself doesn't grant access to any mailbox — the mailbox permission on the custodian side is what actually gates access.

Files.Read.All (Enterprise only)

Read files from custodian OneDrive. Admin-restricted — tenant admin consent required on first sign-in.

Sites.Read.All (Enterprise only)

Read files and pages from SharePoint sites the operator has membership on. Admin-restricted — tenant admin consent required on first sign-in.

05 Vulnerability disclosure

Found something? Tell us directly.

Email support@krellix.app with the subject line "Security disclosure." A human responds within one business day. Critical issues — anything that could compromise a customer's collection — are acknowledged within four hours during US business hours.

We commit to working with reporters in good faith, not pursuing legal action against reporters who follow this disclosure process, and crediting reporters publicly if they want credit. No bug bounty yet — Krellix is early — but we'll send a bottle of something nice and a hand-written thank-you note for anything meaningful.

A standard /.well-known/security.txt file is published at the site root with the same contact information.

Next step

Want a deeper security conversation before a trial?

Email sales and we'll set up a 30-minute call to walk through the data flow, the signing infrastructure, and any questions your infosec team wants answered in writing.