We used their products. They took our data. Now they want to replace us with AI.

Every document you wrote in Google Docs. Every file you stored in Dropbox. Every task you logged, every note you took — it all lives on someone else's server, under someone else's terms.

You were the customer. Then your data became the product. Now that same data is training the AI that companies are selling back to you — or using to replace you entirely.

This isn't a prediction. It's already happening. And the tools you trusted made it possible because that's what they were designed to do.

Facets is built on a different premise: your work is none of my business.

Most apps you use — Notion, Google Docs, Dropbox, Slack — are cloud-first. That means your data lives on their servers. The app is just a window into their system. If they go down, you can't work. If they change their terms, you comply or leave. If they decide to train an AI on your content, it's already there.

Local-first is the opposite. The app runs on your machine. Your data lives on your device. The internet is optional — you can work offline, on a plane, in a cabin with no signal, and nothing breaks. When you do connect, changes sync between your devices, end-to-end encrypted.

The difference matters because it changes who's in control. With cloud-first tools, the company holds your data and grants you access. With local-first tools, you hold your data and choose whether to share it.

Facets runs on your machine. When you sync, everything is end-to-end encrypted before it leaves your device. The server stores encrypted blobs — not your files, not your notes, not your tasks. I couldn't read your data if I wanted to.

That's the promise. If you want to know exactly how we keep it, the technical details are below — we built this for the kind of people who check.

End-to-end encryption

All data is encrypted on your device before it touches the network. Encryption keys are derived locally using the WebAuthn PRF extension — your passkey is the root of trust, not a password stored on a server. The server never holds plaintext content or encryption keys.
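
The key path described above, sketched as an added example that is not Facets' code: a constructed value stands in for the WebAuthn PRF output, and HKDF-SHA-256, AES-256-GCM and the purpose labels are assumptions the page does not specify. It uses Node.js crypto so it runs offline.

```javascript
// Added example, not Facets' code. HKDF-SHA-256 and AES-256-GCM are assumptions:
// the page names the WebAuthn PRF extension but not the KDF or cipher.
const nodeCrypto = require('node:crypto');

// Constructed stand-in for the 32-byte PRF output. In a browser it is read from
// getClientExtensionResults().prf.results.first after a passkey assertion.
const prfOutput = nodeCrypto.createHash('sha256').update('constructed-prf-output').digest();

// Derive a purpose-bound key on the device; the PRF output itself never encrypts data.
function deriveKey(prf, purpose) {
  return Buffer.from(nodeCrypto.hkdfSync('sha256', prf, Buffer.alloc(0), purpose, 32));
}

// Encrypt one record. The returned envelope is everything the server stores.
function seal(key, recordId, plaintext) {
  const nonce = nodeCrypto.randomBytes(12); // fresh per message, never reused with a key
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(recordId)); // bind the blob to its record id
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { recordId, nonce, ct, tag: cipher.getAuthTag() };
}

// Decrypt with the same derived key; returns null if the envelope was
// modified or re-labelled while in the server's hands.
function open(key, env) {
  try {
    const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, env.nonce);
    d.setAAD(Buffer.from(env.recordId));
    d.setAuthTag(env.tag);
    return Buffer.concat([d.update(env.ct), d.final()]).toString('utf8');
  } catch {
    return null;
  }
}

const notesKey = deriveKey(prfOutput, 'example/notes/v1'); // hypothetical purpose label
const envelope = seal(notesKey, 'note-1', 'quarterly plan draft');
console.log(open(notesKey, envelope));                                 // round trip on-device
console.log(open(notesKey, { ...envelope, recordId: 'note-2' }));      // relabelled blob: null
console.log(open(deriveKey(prfOutput, 'example/files/v1'), envelope)); // wrong key: null
```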

Group key management — OpenMLS (RFC 9420)

Collaborative spaces use the Messaging Layer Security protocol (RFC 9420) via the OpenMLS implementation for group key management. When someone joins or leaves a space, key epochs rotate automatically. Forward secrecy and post-compromise security are built into the protocol — compromising one session doesn't expose past or future data.

Sync architecture

Sync runs through a Rust-native encrypted envelope system using Noise-Like Sessions (NLS) over WebSocket. The relay is a dumb pipe — it forwards encrypted payloads without the ability to inspect them. CRDTs handle conflict resolution, but the CRDT data is an opaque encrypted substrate from the server's perspective.

Formal verification

Security claims aren't just tested — they're formally verified. The core security engine has been modelled in TLA+ for protocol correctness and verified in Isabelle/HOL for cryptographic properties. This means the security guarantees aren't 'we think this is right' — they're 'we proved this is right, mathematically.' Most productivity tools don't do this. Most encryption tools don't do this. We did it because your work deserves more than a pinky promise.

Storage

File sync uses Backblaze B2 as the blob store with Cloudflare Workers as the coordination layer. Files are encrypted client-side before upload. The storage backend is abstracted — if you want to point it at your own infrastructure, the architecture supports it.

Open source

The code is public under AGPL. You don't have to take my word for any of this — read it yourself.

Architecture diagram showing data flow from a local device through an encryption boundary to an encrypted relay, storage, and collaborator devices.

Built with

Rust
FIDO2 / WebAuthn
AGPL Open Source