// Trust & Security Report
Mesh Intelligent Technologies, Inc. (Pieces)
Pieces for Developers — on-device AI long-term memory / context engine for developers (LTM-2)
Certifications held
4
Maturity
Growth
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on pieces.app“We maintain SOC 2 compliance, a gold standard for managing customer data with strict controls across security, availability, and confidentiality. This ensures our infrastructure is built to meet the rigorous demands of enterprise environments.”
Verify on pieces.app“We collect and process personal information to provide you with the Services and for our legitimate business needs and interests, including the management of our user relationships... To the extent we process your personal information for other purposes, we ask for your consent in advance, which you may withdraw at any time. You may request a copy of the personal information that we hold about you.”
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not stated
Data region
US-based vendor (1311 Vine St., Cincinnati, OH 45202). Data is local/on-device by default. For any cloud-processed data, privacy policy states: 'Your personal information may be transferred, stored, or processed on servers outside of your home country' using legally-approved transfer mechanisms. No specific data-residency selection / region pinning is advertised.
Vendor explicitly and repeatedly states user data is never used to train models. Security page: 'User data is never used to train any model at Pieces. Instead, our nanomodels are trained exclusively on synthetic datasets generated using non-user-derived Oracle models.' Architecture is local-first / on-device by default; nothing is sent to the cloud unless the user explicitly initiates it. Optional cloud LLM features (e.g. OpenAI, Claude) send only the user's immediate prompt scope, not full memory logs.
// Security controls
Architecture
Local-first, on-device by default; offline-first with no background sync, no passive telemetry. 'Pieces runs on-device. It's fast, secure, and air-gapped from the cloud.'
pieces.appAuthentication
Auth0-backed; supports MFA. 'Authentication is handled through Auth0... including multi-factor authentication (MFA), to ensure that only verified users can access sensitive data.'
pieces.appSecurity auditing / penetration testing
Regular security audits stated: 'We perform regular security audits to assess, validate, and improve our systems.' No explicit third-party penetration testing language found.
pieces.appEncryption
Cloud backup/restore data is encrypted in transit/storage: 'Cloud-based backup and restoration... involves zipping and encrypting the user's local database and transmitting it for temporary storage.' No explicit at-rest/in-transit encryption standard (e.g. AES-256/TLS 1.2+) stated.
pieces.appData minimization to cloud
'Data transferred to cloud-based models (e.g., OpenAI, Claude) is pre-filtered and scoped to the user's immediate prompt... Pieces does not send full memory logs or raw content archives to any third-party service.'
pieces.app// Products & data scope
data: All user content (code, snippets, memory, interaction history) processed and stored locally on the device. Nanomodels run on-device. No cloud sync by default.
Core product. Privacy-by-default, air-gapped from cloud unless user opts into cloud features.
data: Captures context within connected tools; connects personal context to LLMs like GitHub Copilot, Claude, Cursor, Goose via MCP. Local-first; cloud LLM calls send only immediate prompt scope.
MCP integration extends memory to third-party agents; data leaving the device is user-initiated and scoped.
data: When explicitly enabled, sends minimum prompt-scoped data to third-party LLM providers (OpenAI, Claude) or transmits an encrypted zip of the local DB for temporary backup storage. No persistent cloud sync.
Opt-in only. Users can also bring their own LLM key or use local model providers.
// What to watch
- SOC 2 is asserted on the vendor's own security page but no SOC 2 Type I/II designation, auditor, report date, or trust-center download portal was found — cannot independently confirm an active attestation report.
- No dedicated trust center (e.g. Vanta/Drata/SafeBase portal); only a static /legal/security page.
- No bug bounty program (HackerOne/Bugcrowd) and no explicit third-party penetration testing language found.
- No explicit DPA document located; privacy policy references sub-processors but does not surface a downloadable DPA.
- No stated encryption standard (algorithm/TLS version) beyond 'encrypting' backup zips.
- Strong positive: clear, repeated, unambiguous statement that user data is never used to train models, plus a genuine local-first/air-gapped-by-default architecture.
// At a glance
Pricing model
Free downloadable developer tool (Windows/macOS/Linux); freemium positioning with optional cloud features and bring-your-own-key. No public enterprise pricing tier verified.
Self-hostable
Not stated
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Mesh Intelligent Technologies, Inc. (Pieces)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
pieces.app