Architecture commitments
- Web-first by default. Whet runs in your browser, and signing up for the Free tier takes under a minute. Free, Basic and Pro web run on Whet's managed infrastructure with Gemini Flash-Lite (Free, Basic) or Flash (Pro web) as the default LLM. Whet absorbs the LLM cost on the web tiers.
- Single-tenant scope per account. Your sources, sessions and drafts are scoped to your account. We do not aggregate, sell or share customer data across accounts. There is no shared analytics warehouse trained on customer content.
- Pro Desktop add-on for local workloads. The Pro tier ($29/mo) includes a signed Desktop binary (macOS notarised, Windows Authenticode, Linux cosign). With BYOK (your own LLM key) or BYOA (delegate to a local agent CLI like Claude Code, Cursor or Codex), the LLM call goes from your machine to the provider you chose. Whet is not in the request path for those calls.
- No telemetry on the Desktop binary by default. Opt-in error reporting can be enabled in Settings. The web app collects standard application logs (request IDs, error codes, durations) but not the body of items you ingested or the prose of drafts you produced.
Credentials at rest
On the web tiers, any credential we need to call a source on your behalf (for example a Reddit OAuth token) is encrypted at rest in our managed database. Raw tokens are never logged. Stripe holds the payment method; we hold a customer reference, not the card details.
On the Desktop add-on, any credential the binary holds locally (BYOK LLM key, agent CLI token, source OAuth) is encrypted at rest using AES-256-GCM with keys derived from your OS keychain (macOS Keychain, Windows DPAPI, Linux libsecret). The master keys live on your machine, not on Whet's infrastructure.
Network surface (web tiers)
- The web app is served from Cloudflare Pages over TLS 1.3. The application backend lives on a managed runtime with TLS-only ingress.
- Ingestion jobs run on a worker pool against the source's official API or open protocol. Rate limits and quotas are respected per the source's documentation.
- LLM analyses run on Whet's managed Gemini Flash-Lite or Flash infrastructure for the web tiers. The payload (item content, prompt, completion) is processed in our request path so the analysis can run, then stored against your account. We do not retain it in a shared aggregate.
Network surface (Pro Desktop add-on)
- The binary exposes a local-only HTTP server for the workbench UI and MCP clients, bound to 127.0.0.1. Remote access is not enabled by default.
- The MCP server requires bearer-token authentication. Tokens are generated from the workbench UI, can be scoped to specific tools, and can be revoked at any time.
- Sync between Desktop and the web app uses end-to-end encryption: the binary encrypts payloads with a key derived from your account passphrase before upload. We store and relay ciphertext we cannot decrypt.
Auth and access
- The web app uses email-based signup with a magic-link or password flow. Sessions are issued as short-lived signed tokens.
- The Desktop binary exchanges your web account for a signed token bound to your subscription. The token lives in memory and the OS keychain.
- The Agent API and MCP server are bearer-token authenticated. Tokens are scopable and revocable from the workbench Settings.
- Publishing requires explicit confirmation, whether the request comes from the workbench, the CLI or an MCP tool call. There is no auto-publish path in the background.
Supply chain
- The Desktop binary is built reproducibly from a pinned dependency lockfile. Signed builds are shipped for macOS (notarised), Windows (Authenticode) and Linux (cosign).
- Web app builds are deployed from a Git-tagged release pipeline with automated dependency-vulnerability scanning before promotion.
- Auto-updates on Desktop are opt-in. The updater verifies the signature on every new build before applying it. You can disable auto-update and pin a specific version.
Logs and observability
The web app and Desktop binary both write single-line JSON logs with an X-Request-ID header that propagates through every layer. You can trace one operation end-to-end with a single filter.
Logs include enough to debug (request IDs, error codes, durations) and exclude content that would be sensitive (no prompt bodies, no ingested post content, no draft text in standard log lines).
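As an added illustration (not Whet's own code), the sketch below shows the single-filter trace described above and a check that log lines carry no content fields. The log schema is not published on this page, so the field names (`request_id`, `layer`, `prompt` and the rest) and the sample lines are assumptions constructed for the example.

```python
import json

# Assumed field names; the page does not publish Whet's log schema.
REQUEST_ID_KEY = "request_id"
CONTENT_KEYS = {"prompt", "completion", "item_body", "draft_text"}

# Constructed sample lines, not real Whet output.
SAMPLE_LOG = """\
{"ts":"2025-01-01T10:00:00Z","layer":"web","request_id":"req-7f3a","event":"ingest.start"}
{"ts":"2025-01-01T10:00:01Z","layer":"worker","request_id":"req-7f3a","event":"ingest.fetch","duration_ms":412}
{"ts":"2025-01-01T10:00:01Z","layer":"web","request_id":"req-91bc","event":"draft.save","duration_ms":18}
{"ts":"2025-01-01T10:00:02Z","layer":"llm","request_id":"req-7f3a","event":"analysis.error","error_code":"E_TIMEOUT","prompt":"summarise this post"}
not-json line from a crashed writer
"""

def parse_lines(text):
    """Yield (line_no, record) for every line that is a JSON object; skip the rest."""
    for line_no, line in enumerate(text.splitlines(), 1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(record, dict):
            yield line_no, record

def trace(text, request_id):
    """The 'single filter': every record, from any layer, for one request ID."""
    return [rec for _, rec in parse_lines(text) if rec.get(REQUEST_ID_KEY) == request_id]

def find_content_keys(obj, path=""):
    """Return dotted paths of keys, at any nesting depth, that would carry content."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else key
            if key.lower() in CONTENT_KEYS:
                hits.append(here)
            hits.extend(find_content_keys(value, here))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            hits.extend(find_content_keys(value, f"{path}[{index}]"))
    return hits

def audit(text):
    """List (line_no, offending_paths) for records that break the no-content rule."""
    return [(no, hits) for no, rec in parse_lines(text) if (hits := find_content_keys(rec))]

if __name__ == "__main__":
    print([r["layer"] for r in trace(SAMPLE_LOG, "req-7f3a")])
    print(audit(SAMPLE_LOG))
```

In the constructed sample, the fourth line is deliberately non-compliant so that the audit has something to flag.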
Updates and disclosure
We ship security-relevant fixes within seven days of a confirmed report. Material upgrades are announced in the in-app changelog and via the optional email list. Pro subscribers receive disclosure of security-relevant updates seven days before public disclosure when feasible.
If you find a security issue in Whet, please email security@whet.so with details. We will acknowledge within 72 hours, work with you on a fix, and disclose responsibly.
What this page is not
This page describes design commitments and operational practice. It is not a SOC 2 report or an ISO 27001 certification. If your organisation requires those, talk to us on the discovery call and we will be honest about whether Whet is the right fit for your compliance regime.
Questions? Email hello@whet.so.