// Trust & Security Report

    Mesh Intelligent Technologies, Inc. (Pieces) logo

    Mesh Intelligent Technologies, Inc. (Pieces)

    Pieces for Developers — on-device AI long-term memory / context engine for developers (LTM-2)

    Certifications held

    4

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2
    HELD

    We maintain SOC 2 compliance, a gold standard for managing customer data with strict controls across security, availability, and confidentiality. This ensures our infrastructure is built to meet the rigorous demands of enterprise environments.

    Verify on pieces.app
    ISO 27001
    HELD
    Verify on pieces.app
    GDPR (regulatory compliance, not a certification)
    HELD

    We collect and process personal information to provide you with the Services and for our legitimate business needs and interests, including the management of our user relationships... To the extent we process your personal information for other purposes, we ask for your consent in advance, which you may withdraw at any time. You may request a copy of the personal information that we hold about you.

    Verify on pieces.app

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not stated

    Data region

    US-based vendor (1311 Vine St., Cincinnati, OH 45202). Data is local/on-device by default. For any cloud-processed data, privacy policy states: 'Your personal information may be transferred, stored, or processed on servers outside of your home country' using legally-approved transfer mechanisms. No specific data-residency selection / region pinning is advertised.

    Vendor explicitly and repeatedly states user data is never used to train models. Security page: 'User data is never used to train any model at Pieces. Instead, our nanomodels are trained exclusively on synthetic datasets generated using non-user-derived Oracle models.' Architecture is local-first / on-device by default; nothing is sent to the cloud unless the user explicitly initiates it. Optional cloud LLM features (e.g. OpenAI, Claude) send only the user's immediate prompt scope, not full memory logs.

    // Security controls

    Architecture

    Local-first, on-device by default; offline-first with no background sync, no passive telemetry. 'Pieces runs on-device. It's fast, secure, and air-gapped from the cloud.'

    pieces.app

    Authentication

    Auth0-backed; supports MFA. 'Authentication is handled through Auth0... including multi-factor authentication (MFA), to ensure that only verified users can access sensitive data.'

    pieces.app

    Security auditing / penetration testing

    Regular security audits stated: 'We perform regular security audits to assess, validate, and improve our systems.' No explicit third-party penetration testing language found.

    pieces.app

    Bug bounty

    None advertised. No HackerOne or Bugcrowd program found on vendor pages.

    pieces.app

    Encryption

    Cloud backup/restore data is encrypted in transit/storage: 'Cloud-based backup and restoration... involves zipping and encrypting the user's local database and transmitting it for temporary storage.' No explicit at-rest/in-transit encryption standard (e.g. AES-256/TLS 1.2+) stated.

    pieces.app

    Data minimization to cloud

    'Data transferred to cloud-based models (e.g., OpenAI, Claude) is pre-filtered and scoped to the user's immediate prompt... Pieces does not send full memory logs or raw content archives to any third-party service.'

    pieces.app

    // Products & data scope

    Pieces Desktop (Windows / macOS / Linux) + LTM-2 engineOn-device AI memory / context capture for developers

    data: All user content (code, snippets, memory, interaction history) processed and stored locally on the device. Nanomodels run on-device. No cloud sync by default.

    Core product. Privacy-by-default, air-gapped from cloud unless user opts into cloud features.

    Pieces Plugins (VS Code, JetBrains, Chrome, etc.) + MCP integrationIDE / browser / agent integrations

    data: Captures context within connected tools; connects personal context to LLMs like GitHub Copilot, Claude, Cursor, Goose via MCP. Local-first; cloud LLM calls send only immediate prompt scope.

    MCP integration extends memory to third-party agents; data leaving the device is user-initiated and scoped.

    Optional cloud LLM / backup-restore featuresCloud add-ons

    data: When explicitly enabled, sends minimum prompt-scoped data to third-party LLM providers (OpenAI, Claude) or transmits an encrypted zip of the local DB for temporary backup storage. No persistent cloud sync.

    Opt-in only. Users can also bring their own LLM key or use local model providers.

    // What to watch

    • SOC 2 is asserted on the vendor's own security page but no SOC 2 Type I/II designation, auditor, report date, or trust-center download portal was found — cannot independently confirm an active attestation report.
    • No dedicated trust center (e.g. Vanta/Drata/SafeBase portal); only a static /legal/security page.
    • No bug bounty program (HackerOne/Bugcrowd) and no explicit third-party penetration testing language found.
    • No explicit DPA document located; privacy policy references sub-processors but does not surface a downloadable DPA.
    • No stated encryption standard (algorithm/TLS version) beyond 'encrypting' backup zips.
    • Strong positive: clear, repeated, unambiguous statement that user data is never used to train models, plus a genuine local-first/air-gapped-by-default architecture.

    // At a glance

    Pricing model

    Free downloadable developer tool (Windows/macOS/Linux); freemium positioning with optional cloud features and bring-your-own-key. No public enterprise pricing tier verified.

    Self-hostable

    Not stated

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Mesh Intelligent Technologies, Inc. (Pieces)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    pieces.app

    > Browse all vendor trust reports