
Security and Privacy

Where your data lives, what leaves your machine, and how secrets are protected

Yaak is a local-first desktop app that treats API requests and responses as sensitive. As a result, Yaak is often chosen over cloud-based alternatives for security and privacy reasons. In short:

  • All data stored locally, no account required
  • Requests never go through a proxy
  • Secrets encrypted with a master key held in the OS keychain
  • No built-in AI
  • MIT-licensed open source

Where your data lives

Yaak stores requests, environments, response history, and settings on your device in a local SQLite database. There is no cloud component, and no account is required to use the app.

Directory sync can also be enabled to mirror a workspace's data to plain-text files, for use with Yaak's built-in Git functionality or with file-sync services like Dropbox.

When data leaves your machine

The API requests you send go directly to the servers you send them to, unlike other apps that may send requests through a cloud proxy. Beyond that, Yaak makes a small number of network requests to power core functionality like:

  • Checking for app updates (can be disabled)
  • Checking for notifications (can be disabled)
  • Fetching the plugin directory when you browse or install plugins
  • Validating a license key if one is in use

There are no analytics and no tracking in the app.

Secrets encryption

Yaak can also encrypt specific values on a per-workspace basis, using the secure(...) template function.

Screenshot: encrypted values stay obscured in the UI

These values are encrypted with ChaCha20-Poly1305, an authenticated cipher: a value that has been modified, or that is decrypted under a key it was not encrypted with, fails to decrypt rather than producing garbage. The master key is stored in the host OS keychain, and each workspace gets its own key, so encrypted values can be committed to Git and shared safely; collaborators need the workspace key to read them, and that key is not part of the committed files. Fields known to contain sensitive data (authorization headers, passwords, environment values) are encrypted by default once encryption is enabled. Everything else in the workspace stays in plaintext, both in the local database and in any synced files.

See Secrets Encryption for setup and details.

AI and agents

Yaak ships without built-in AI. No AI features run in the app and no request data is sent to AI providers.

Connecting AI is your choice, made externally: the CLI lets terminal agents like Claude Code create and send requests, and the MCP Server plugin exposes workspaces to any MCP-compatible assistant. Neither is active unless you set it up.

Open source

Yaak is MIT-licensed. The source can be audited, modified, and built from source.

Compliance notes

Your workspace data never reaches Yaak's servers: Yaak does not receive, store, sync, or transmit it, so there is no vendor data processing to assess. For HIPAA specifically, Yaak does not process PHI on behalf of users and therefore does not meet the definition of a Business Associate, so BAAs are not signed.

Questions? Email help@yaak.app.
