Security
Architecture: local-first by design
CoworkRunner is a desktop application that runs on your Mac, not a website you log into. There is no CoworkRunner cloud database holding your buyer names or contract details. Your data never travels through our infrastructure because we do not operate that infrastructure. This eliminates an entire category of cloud-breach risk.
What we protect, how
- RMS & Follow Up Boss credentials: stored in macOS Keychain, encrypted at rest by the operating system using your login credentials. Even another app running on your Mac cannot read them without the operating system's permission.
- Binary integrity: the CoworkRunner application is codesigned with an Apple Developer ID and notarized. macOS verifies the signature on every launch. A tampered binary will not run.
- Network calls: every outbound connection is over TLS 1.3 to a known endpoint (your RMS provider, Follow Up Boss, Anthropic's Claude API, your Stripe billing page). No traffic to third-party trackers, ad networks, or analytics services.
- Generated artifacts: PDFs are written to your local filesystem under your user account. Standard macOS file permissions apply. We do not upload them anywhere.
No system is unhackable
The best servers in the world get hacked. Data breaches happen at every scale. Real-estate professionals carry highly sensitive client information - financial details, signatures, contact information for high-value transactions - and they are increasingly attractive targets for cybercriminals.
CoworkRunner's local-first architecture reduces your exposure, but it does not eliminate it. Threats that remain include:
- Malware on your own Mac that bypasses operating-system protections
- Compromise of the third-party services CoworkRunner connects to (your RMS, Follow Up Boss, Anthropic)
- Phishing or social engineering against you directly
- Physical theft of an unlocked Mac with credentials still authorized in keychain
Recommended: add a second layer with Anthropic
CoworkRunner uses Anthropic's Claude API for the AI document drafting in Contract Studio, Transaction Coordinator, and Diamond Pipeline. Anthropic offers enterprise-grade security controls, audit logging, data residency options, and zero-data-retention configurations that go beyond what we provide as a desktop app on its own.
For high-value transactions, sensitive client data, or brokerage-wide deployments, we recommend setting up your own Anthropic account with enterprise security features configured for your needs. CoworkRunner can be configured to use your own Anthropic API key, which means the AI calls happen under your security controls, your audit log, and your zero-retention contract directly with Anthropic.
For details: contact Anthropic directly, or email us and we will help you configure CoworkRunner against your own Anthropic deployment.
What you should do
- Use FileVault disk encryption on your Mac (macOS > System Settings > Privacy & Security > FileVault)
- Lock your screen when you walk away. Use Touch ID or a strong password.
- Keep macOS updated. CoworkRunner requires macOS 14+; newer versions ship security patches you want.
- Use unique, strong passwords for your RMS and Follow Up Boss accounts. Use a password manager.
- For brokerage-wide use: consider configuring CoworkRunner against your own Anthropic enterprise account for unified audit logging.
Reporting a security issue
If you discover a security vulnerability in CoworkRunner, please email security@coworkrunner.com. We treat security reports as the highest priority correspondence we receive. We will respond within 48 hours and credit responsible disclosure.