• API keys are loaded from .env or UI input
• Keys are never logged or stored in plain text

• All processing happens locally
• No documents are uploaded or stored externally

If you discover a security issue, please open a GitHub issue or contact the author privately.