Architecture · Trust anchor

Your files stay on the device. Full stop.

Watch Dog is local-first by design. All scanning happens in the browser, and only content-free audit metadata ever leaves it — the opposite of API/agent DLP that ships your data to a vendor cloud.

API/agent DLP vs. Watch Dog

Where your file content actually goes tells you everything about the risk.

API / agent DLP
Your fileVendor cloud

File content is shipped off-device to a third-party cloud to be scanned. More surface area, more risk, a harder privacy review.

Watch Dog
Your file Scanned on-device

Scanning happens in the browser. Only content-free audit metadata reaches your org's isolated database. File bytes never leave the machine.

How local-first keeps data safe

Scanning is 100% on-device

Every scan runs in the browser. File bytes are never uploaded to Watch Dog or any third party to be inspected.

Temporary data is purged

Once a scan completes, Watch Dog discards the working data it used. Nothing lingers and nothing is transmitted.

Only metadata is stored

The dashboard receives content-free audit metadata — event, rule matched, domain, user, timestamp — never file content.

Isolated per organization

Audit data lives in your org's Supabase, protected by row-level security so tenants can never see each other's events.

The easiest privacy review you'll do this quarter.

When file content never leaves the device, most of the hard questions in a vendor security review simply don't apply. We're happy to walk your team through the architecture and provide a DPA on request.

Ready to close the human-error gap in your DLP?

Book a demo to see the org dashboard, or add the free extension and try pre-upload interception yourself.