Security and privacy
Private by construction, not by policy.
Most org-intelligence tools ask you to connect a production org and trust their cloud with your metadata. Skemia removes the question entirely: the analysis runs on your machine, reads source only, and never connects to your org.
Source-only
The analysis reads your DX source and metadata files. It never authenticates to an org, never stores credentials, and never needs the Salesforce CLI to build the map.
Offline-capable
The Studio, the engine, and the CLI run on your machine. No cloud service, no telemetry beacon, no metadata upload. Pull the network cable and it still works.
On your hardware
Your code and metadata stay on the box you run it on. Nothing is sent anywhere to be processed, so there is no third-party data processor to vet.
The difference
Local tool vs cloud tool.
Every inferred edge in the map carries a confidence: High for explicit references, Medium for inferred, Low for text or dynamic. You always know what is fact and what is a lead.
Questions
The details a security reviewer asks.
How does the optional org pull work then?
On Pro and up you can pull a connected org, but Skemia does not connect itself. It shells out to your own authenticated Salesforce CLI to run the retrieve, exactly as you would by hand, then reads the retrieved source. The credentials and the connection are entirely yours.
Is any data sent anywhere?
No. There is no telemetry and no metadata upload. The one exception is fully opt-in: if you turn on OpenAI for semantic search, component names and inferred purposes are sent to OpenAI, and the tool warns you first. The local default (Ollama) sends nothing.
Can I run it in a locked-down environment?
Yes. That is the point. It runs air-gapped, behind strict firewalls, and on client hardware where a cloud tool is a non-starter. The binary is self-contained.
How are the binaries distributed?
The source stays in a private repo. Only compiled binaries are published, with SHA-256 checksums you can verify. Builds are not code-signed yet, so the OS shows a first-run warning that you clear once.
How is licensing enforced?
A license is a signed token verified locally with a public key. There is no license server call. Keys can be perpetual or time-limited, and machine-locked on request.
Nothing to trust us with
Run it on your own machine, today.
Download Skemia free. Source-only, offline, no account, no org connection.