Security
Last updated: April 11, 2026
Architecture
FlowDeck is a native Swift binary that runs entirely on your Mac. There is no cloud component, no remote build service, and no intermediary between your code and Apple's toolchain.
- All builds, tests, and simulator operations execute locally via xcodebuild, xcrun simctl, and devicectl
- Source code, project files, build artifacts, and logs never leave your machine
- No data pipeline, crash reporter, or analytics SDK is embedded in the binary
Network Activity
FlowDeck makes two types of network requests:
- License validation: On activation (flowdeck license activate), a request is made to Lemon Squeezy's API to validate your license key and register a machine identifier.
- Update check: After a command completes, FlowDeck checks for available updates in the background. No user data is sent; it fetches a version file from the update server.
There is no telemetry, no usage tracking, no error reporting, and no phone-home behavior of any kind. No command usage, build output, project data, or source code is ever transmitted.
No Telemetry
FlowDeck ships with zero telemetry. No Sentry, no Datadog, no Mixpanel, no custom analytics. We do not collect:
- Command usage or frequency
- Build times or error rates
- Project names, schemes, or targets
- File paths or directory structures
- Crash reports or stack traces
- Hardware or OS information
Code Signing
The FlowDeck CLI binary is signed and notarized by Apple. The VS Code/Cursor extension is published through the official Visual Studio Marketplace and Open VSX Registry. Both distribution channels verify publisher identity and binary integrity.
Supply Chain
FlowDeck is written in Swift and depends only on Apple system frameworks and Swift Package Manager packages. There are no Node.js dependencies, no npm packages, and no interpreted runtime in the production binary.
AI Agent Integration
When used with AI coding agents (Claude Code, Codex, Cursor), FlowDeck acts as a local tool. The agent invokes FlowDeck commands through the shell. FlowDeck does not communicate with AI providers, does not send code or build output to any remote service, and does not modify the agent's behavior.
All data flowing between the agent and FlowDeck stays on your machine. What the agent does with that data is governed by the agent's own privacy policy, not ours.
License Data
License management is handled by Lemon Squeezy. When you activate a license, the following is sent to their API:
- Your license key
- A machine fingerprint (to enforce license activation limits)
No other data is transmitted. See our Privacy Policy for details on what personal information we collect at purchase.
Vulnerability Reporting
If you discover a security vulnerability in FlowDeck, please report it to:
We take all reports seriously and will respond within 48 hours. Please do not disclose vulnerabilities publicly until we've had a chance to address them.
Contact
For security questions or concerns: