Security incidents ever: 0 breach
Data encrypted E2E: 0
Compliance certifications: 6
AI model execution: On-device
Encryption

Every byte encrypted. No exceptions.

AirMouse uses AES-256-GCM for data at rest and TLS 1.3 with forward secrecy for data in transit. Encryption keys are generated on your device and never leave it.

  • AES-256-GCM at rest: All stored data — clipboard, workflows, preferences — is encrypted with AES-256-GCM.
  • TLS 1.3 in transit: All network communication uses TLS 1.3 with ECDHE key exchange for perfect forward secrecy.
  • Device-local key derivation: Keys are derived from your device's hardware security module — we never see them.
[Encryption diagram: Your Phone (key lives here) and AirMouse Cloud (encrypted blobs only, no keys here), connected via AES-256-GCM · TLS 1.3. Your data never leaves your device unencrypted. Even AirMouse employees cannot read your data.]

[BLE pairing protocol diagram: phone scans QR code, ECDH key exchange, encrypted BLE session. Security properties of every BLE session: ECDH key exchange · No shared secret on server · Ephemeral session keys · Hardware-backed device identity · QR one-time token · Replay-attack prevention]
Bluetooth security

Pairing that's impossible to spoof.

AirMouse uses an ECDH-based pairing protocol with a hardware-backed QR code ceremony. After pairing, all Bluetooth communication uses ephemeral session keys rotated on every connection.

  • QR-based pairing ceremony: One-time QR code prevents MITM attacks at the pairing stage.
  • Ephemeral session keys: New encryption key for every session. Old sessions cannot be decrypted.
  • Replay-attack prevention: Monotonic counters on every packet make replay attacks computationally infeasible.
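
The replay check described in the bullets above, as an added example (not AirMouse's code): the frame layout, the names seal and Receiver, and the use of standard-library HMAC-SHA256 in place of the AES-256-GCM tag are assumptions. It shows that the counter has to be covered by the authentication tag and may only advance after the tag verifies.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 tag; assumed stand-in for the AES-GCM tag


def seal(session_key: bytes, counter: int, payload: bytes) -> bytes:
    """Sender side: frame = 8-byte big-endian counter || payload || tag."""
    header = struct.pack(">Q", counter)
    tag = hmac.new(session_key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Hypothetical per-session receiver state (no reordering window)."""

    def __init__(self, session_key: bytes):
        self.session_key = session_key
        self.last_counter = 0  # highest counter accepted so far

    def open(self, frame: bytes):
        """Return (payload, None) if accepted, else (None, reason)."""
        if len(frame) < 8 + TAG_LEN:
            return None, "short"
        header, payload, tag = frame[:8], frame[8:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.session_key, header + payload, hashlib.sha256).digest()
        # Authenticate first: an unverified counter must never move the state.
        if not hmac.compare_digest(tag, expected):
            return None, "bad-tag"
        (counter,) = struct.unpack(">Q", header)
        if counter <= self.last_counter:  # strictly increasing, so replays fail
            return None, "replay"
        self.last_counter = counter
        return payload, None


def demo():
    # Constructed keys and packets, for illustration only.
    key_a = hashlib.sha256(b"constructed session key A").digest()
    key_b = hashlib.sha256(b"constructed session key B").digest()
    rx = Receiver(key_a)
    f1 = seal(key_a, 1, b"move dx=4 dy=-2")
    f2 = seal(key_a, 2, b"click left")
    forged = struct.pack(">Q", 9) + f2[8:]  # counter bumped, tag left unchanged
    results = [rx.open(f1), rx.open(f2), rx.open(f1), rx.open(forged)]
    # A frame captured in the old session fails under the next session's key.
    results.append(Receiver(key_b).open(f1))
    return results, rx.last_counter
```

A replayed frame is rejected by the counter check, while a frame whose counter was altered, or one carried over from an earlier session, is rejected by the tag check before the counter is ever read.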
AI privacy

AI that runs entirely on your device.

Every AI model — voice recognition, gesture detection, screen intelligence, predictive actions — runs on your local hardware. Your voice, screen contents, and commands never touch our servers.

  • On-device inference only: Voice, gesture, and screen models run on your CPU/GPU/Neural Engine. Zero network calls.
  • Granular consent: Screen intelligence and voice features require explicit per-session permission grants.
  • Ephemeral context: Screen context used for AI commands is purged from memory immediately after execution.

On-device, always

All six AI models run locally. Your input never leaves your hardware for inference.

Voice ASR — runs on Neural Engine
Gesture CNN — runs on GPU
Screen OCR — runs on CPU
Context LLM mini — quantised, on-device
Cloud infrastructure

Global, resilient, always available.

For optional cloud sync and workflow storage, AirMouse operates redundant infrastructure across 4 regions — with data residency controls so you choose where your data lives.

  • US East: AWS us-east-1 · Multi-AZ · ● Operational
  • Europe West: AWS eu-west-1 · GDPR zone · ● Operational
  • Asia Pacific: AWS ap-southeast-1 · ● Operational
  • US West: AWS us-west-2 · DR failover · ● Operational
Zero Trust

Never trust. Always verify.

AirMouse implements a strict zero-trust model: no implicit trust for any device, user, or network. Every API call is authenticated, every session is ephemeral, every action is logged.

  • Mutual TLS everywhere: Both client and server present certificates. No anonymous connections allowed.
  • Short-lived access tokens: Access tokens expire in 15 minutes. Refresh tokens use rotating one-time secrets.
  • Principle of least privilege: Every service has access only to the exact data it needs — nothing more.
  • Network micro-segmentation: Services communicate through a service mesh with mTLS and pod-level isolation.
[Zero trust flow diagram: Device (authenticated), Policy Engine, Identity Provider, Resource (protected); flows labelled request, identity, allow/deny. Every request verified independently — regardless of source or network]
Compliance

Certified to the standards your industry demands.

AirMouse maintains active certifications and attestations across the world's most rigorous compliance frameworks.

SOC 2 Type II

Annual third-party audit of security, availability, and confidentiality controls. Report available under NDA.

Active · Audited 2024

ISO 27001

International standard for information security management systems. Certified by BSI Group.

Certified · BSI Group

GDPR

Full GDPR compliance with EU data residency, right to erasure, data portability, and DPA agreements for enterprise customers.

Compliant · EU region

HIPAA

On-prem AI deployment option and BAA agreements available for healthcare organisations handling PHI.

Available · BAA required

CCPA

California Consumer Privacy Act compliance. Opt-out of data sale (we don't sell data), right to deletion, and full data inventory.

Compliant · CA residents

FedRAMP

FedRAMP Moderate authorisation in progress. Air-gapped on-prem deployment available for federal agencies today.

In progress · 2025
tls handshake — session log
# TLS 1.3 session — 14:32:01
client   ClientHello
         TLS 1.3 · ECDHE-X25519
         AES-256-GCM-SHA384

server   ServerHello
         selected: X25519 · AES-256-GCM
         certificate: *.airmouseai.com
         OCSP stapled: valid

verify   ✓ cert chain valid
         ✓ CT log verified
         ✓ HSTS preloaded

session  established — forward secrecy active
Network security

Connections that are technically bulletproof.

Every connection uses TLS 1.3 with ECDHE for perfect forward secrecy, HSTS preloading, Certificate Transparency verification, and OCSP stapling.

  • Perfect forward secrecy: Compromising today's key cannot decrypt past sessions.
  • HSTS preloaded: Browsers enforce HTTPS — no HTTP downgrade possible.
  • Certificate Transparency: All certificates are logged in public CT logs and verified on connection.
Threat protection

Active defences that never sleep.

Our security team runs continuous penetration testing, automated anomaly detection, and a public responsible disclosure program.

Anomaly Detection

ML-based anomaly detection flags unusual access patterns — login from a new country, unusual clipboard volume, unexpected device pairings.

Real-time · ML-based

Continuous Pentesting

Quarterly external red-team engagements plus a continuous automated scanning program covering web, API, mobile, and BLE attack surfaces.

Quarterly · External

Bug Bounty

Public responsible disclosure program on HackerOne with rewards up to $50,000 for critical vulnerabilities. All valid reports acknowledged within 24 hours.

HackerOne · Up to $50K
FAQ

Security questions, answered honestly.

No. Voice inference happens entirely on your device — audio is never transmitted. Clipboard data is encrypted with a key that only your device holds. We are technically incapable of reading either, even if compelled.
All your data is deleted from our servers within 30 days of cancellation. You can also request immediate deletion from your account settings. We don't retain data for analytics or any other purpose after account deletion.
Yes. AirMouse uses Bluetooth for device-to-device communication — no corporate network traffic is generated during normal operation. Cloud sync (if enabled) uses TLS 1.3 on standard HTTPS port 443. The application has been reviewed and approved by security teams at Fortune 500 companies.
Screen Intelligence is opt-in and requires explicit macOS/Windows screen recording permission. When active, AirMouse reads the screen content in memory to interpret commands — but immediately discards the content. No screenshots are saved, transmitted, or logged.
All Bluetooth communication is encrypted at the application layer using AES-256-GCM with session keys derived via ECDH. Even if the Bluetooth link layer were compromised, the data would be unreadable without the session keys, which never leave your devices.
Yes. AirMouse is fully offline-capable. All core features — mouse, keyboard, voice, gestures, workflows — work via Bluetooth without any internet connection. Cloud sync and workflow backup are optional features that can be disabled in settings.
We publish an annual transparency report detailing all government requests received. We challenge overbroad requests legally. For most user data, we are technically incapable of providing it because of our encryption model — we don't hold decryption keys.
We offer HIPAA-compliant configurations for enterprise customers, including BAA agreements and on-prem AI deployment so no PHI leaves your network. Contact our enterprise team to discuss your specific requirements.
Transparency

Full transparency, every year.

We publish an annual transparency report covering government data requests, security incidents, bug bounty statistics, and third-party audit results. We believe you have the right to know.


Annual Transparency Report

Published every January. Covers all government requests, security events, third-party audits, and vulnerability disclosures from the prior year.

Zero security incidents in 2024
3 government requests — 0 data provided
SOC 2 Type II + ISO 27001 maintained
47 bounty reports resolved (avg. 18h)
Download with confidence

Your data, your devices, your rules.

AirMouse is end-to-end encrypted, AI runs on-device, and your privacy is non-negotiable. Download free today.