Home / Security

Audit the code. Run it in your VPC.

No hosted backend and no telemetry: your call recordings stay on your machine, and every network action is one you named.

  • 0telemetry
  • 0runtime deps
  • 5evidence tiers
  • MITlicense
nothing to audit but the standard library
git clone https://github.com/attenlabs/hotato
pip install hotato
# -> zero runtime dependencies pulled

# re-derive a verdict from its own evidence
hotato conversation verify ./call-artifact
the source
$ git clone github.com/attenlabs/hotato
Audit the code

The posture reads straight from the source.

Installing the core pulls zero runtime dependencies, so there is nothing to audit but the standard library. The whole scoring, scanning, and analysis surface reads local files and writes local files.

Because artifacts are content-addressed and evidence is portable, you can re-derive a verdict straight from its inputs. The repository is public: github.com/attenlabs/hotato.

Zero egress by default

Offline is the default path.

Scoring, scanning, input-health checks, reports, fixtures, and the workspace read the local files you point them at and open no sockets. Network access happens only when you run a command whose job is to reach out, against a stack you configured.

A script in the repository proves it: it runs the workspace on a Docker network with egress physically removed and shows a view still returns a success. Proxy variables are honored like curl and pip; TLS certificate validation is never turned off.

Self-host: the data-residency answer →

prove the default path200 · offline
run the zero-egress proof
$ ./deploy/verify-zero-egress.sh
No telemetry
There is no analytics or phone-home code path and no hosted backend.
Credentials 0600
connect writes stack credentials owner-only, with no network round-trip on store.
Local retention
Reports, envelopes, and exports exist only where you wrote them.
Per-command egress

Every command, and exactly when it reaches the network.

Derived straight from the code. If a command is not listed as reaching out, it opens no socket. The off-box paths are named, gated, and refused by default.

What talks to the network, command by command
CommandEgressReaches, and when
run, report, assert run, test run (local judge), servenoneFully local. Reads the files you point them at, writes local files, opens no socket.
connectnoneStores a stack's credentials at file mode 0600. No audio moves; no round-trip on store.
capture, pull, sweepyour providerFetches the recordings you named from a voice stack you connected, into a local folder.
inspectyour providerReads (never writes) the current turn-taking config. Read-only.
hosted judge --judge-provider hostedrefusedRefused unless you pass --judge-egress-opt-in. The default judge is a local Ollama model that never leaves the box.
hosted diarizer --diarizer pyannoteairefusedThe one off-box audio path. Refused unless you pass --egress-opt-in. The default diarizer is local.
drive a live call (Vapi / Twilio)double-gatedPlaces a billable call only with valid credentials and HOTATO_DRIVE_OPT_IN=1. Absent either, it dials nothing.

A capability that lacks its input for a given run returns inconclusive, the same behaviour whether you self-host or not.

Five evidence tiers

How strong the evidence is, on its weakest dimension.

Every result carries a machine-readable tier. The public tier is the weakest required dimension, taken as a minimum. It is never blended or averaged, and uncertainty only pulls it down.

  • tier 0none
  • tier 1asserted
  • tier 2measured
  • tier 3paired
  • tier 4attested

measured recomputes from audio on one clean recording. paired binds a before/after in one manifest, both recomputed under one pinned policy. attested adds a signed policy and an attested capture origin. A tier is earned only when a signature verifies.

recompute gate · what it turns away
verify re-hashes the bound children, then checks the Ed25519 signature over the manifest.
Signed manifest, capture origin attested, key verifiesattested
Audio swapped after signing, manifest hash no longer matchesrefused
Verified with the wrong public keyrefused
A tampered proof is refused outright, at tier none.
Signed evidence

Sign the record. Anyone can check it with the public key.

Evidence signing is Ed25519 and opt-in via the [sign] extra. A verifier needs only the public key (no shared secret) and re-derives the verdict from the bound inputs.

If the audio was swapped, the manifest altered, or the wrong key presented, verification refuses. A signed artifact stays checkable by anyone who holds the public key.

Threat model

Three things Hotato will not do.

The precise split between what runs offline, what reaches out only when you ask, and the boundaries that hold in every configuration.

Guarantee 01

Never mutates production by default

No command changes a live stack's config on its own. A plan and patch are proposals; apply operates on a fresh staging clone and dry-runs by default.

Guarantee 02

Never uploads recordings to Attention Labs

There is no hosted backend and no phone-home. Audio moves only from your stack to your disk, and only when you run a pull, capture, or sweep.

Guarantee 03

Never treats a webhook as instructions

The ingest worker reads a completed-call notification as data: it extracts a recording reference and scans it. Payload fields are never executed.

The full threat model →

Certification

No badge to show. Something better to offer.

There is no SOC2, HIPAA, or other certification, and we will not claim one we do not hold. What we can offer answers the same question a badge is meant to: where does the data live, and can you check the controls.

Read the source. Run the per-command egress table against it. Deploy the whole platform inside your own VPC, so the recordings never leave the environment you already trust.

Run it in your own VPC →

Where the data lives

Self-host is the residency control: audio, transcripts, traces, and evaluations stay inside your boundary. Compliance operations, including SOC2, arrive on the managed offering only once certified.

Status policy

You run it, you own the uptime. There is no shared status page to point a red light at, because the workspace runs on your own infrastructure.

Reporting

Send vulnerabilities to security@attentionlabs.ai. Keep anything touching recordings, consent, or PII out of public issues.