Security and Privacy Overview

How Mouse protects your code, your data, and your privacy: local-only, zero dependencies, zero telemetry

Local-Only Architecture

Mouse runs entirely on your machine. It is a local MCP server that processes all file navigation and editing operations on your own device. No code, no file content, and no user data ever leaves your machine through Mouse.

Mouse implements the Model Context Protocol (MCP) over the stdio transport, using the JSON-RPC 2.0 message format, so every interaction between your AI coding assistant and Mouse occurs through this local server. No Internet connectivity is required for Mouse's operation. The only network interaction is the license heartbeat, described below.

Zero Dependencies

Mouse is built with approximately 33,000 lines of ES6-compliant JavaScript and contains zero third-party dependencies. The entire MCP implementation is custom-built for security and performance, resulting in an ultra-lightweight installation bundle of about 1.3MB.

This zero-dependency architecture significantly reduces the attack surface. There are no transitive dependencies to audit, no supply chain vulnerabilities to monitor, and no third-party code paths that could introduce unexpected behavior. What you install is what we wrote.

Security Practices

Mouse is built with security best practices applied across the entire codebase:

  • Input validation. All tool inputs are thoroughly validated before processing. File paths, line numbers, column positions, and content parameters are checked against the actual file state before any operation is performed.
  • Error handling. All operations include error handling that provides helpful guidance to the AI assistant without exposing internal implementation details.
  • Regex security. Mouse's find_in_file tool includes a custom regex engine built specifically to prevent ReDoS (Regular Expression Denial of Service) attacks. Strict input validation and execution timeouts prevent user-supplied patterns from causing unbounded computation.
  • OWASP compliance. The OWASP Top 10 and the official CWE documentation were taken into account throughout the codebase so that Mouse meets the highest security standards.
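The page does not show Mouse's own regex engine, so the following is an added example of the principle behind the "Regex security" item above, not Mouse's code: a matcher for a deliberately small pattern dialect that never backtracks, so no input can trigger catastrophic backtracking, plus a deterministic step budget standing in for the execution timeout the page mentions. The dialect (literals, `\` escapes, `.`, `[...]` classes, and a single `*`, `+` or `?` per operand), the limits, and the function names are assumptions for this illustration.

```javascript
'use strict';

// Limits applied before any matching starts (constructed values for this example).
const MAX_PATTERN_LENGTH = 256;
const MAX_STEPS = 1000000;

// Compile a pattern from a small dialect: literals, '\' escapes, '.', '[...]' classes
// (ranges and a leading '^' supported), each optionally followed by one of *, + or ?.
// There are no groups or alternation, so nested quantifiers cannot be expressed, and a
// second quantifier in a row ("a**") is rejected outright.
function compile(pattern) {
  if (typeof pattern !== 'string' || pattern.length === 0) throw new Error('pattern must be a non-empty string');
  if (pattern.length > MAX_PATTERN_LENGTH) throw new Error('pattern too long');
  const tokens = [];
  let i = 0;
  while (i < pattern.length) {
    const c = pattern[i++];
    let matcher;
    if (c === '\\') {
      if (i >= pattern.length) throw new Error('dangling escape');
      const lit = pattern[i++];
      matcher = (ch) => ch === lit;
    } else if (c === '.') {
      matcher = (ch) => ch !== '\n';
    } else if (c === '[') {
      const end = pattern.indexOf(']', i);
      if (end < 0) throw new Error('unterminated character class');
      let body = pattern.slice(i, end);
      i = end + 1;
      const negate = body.startsWith('^');
      if (negate) body = body.slice(1);
      if (body.length === 0) throw new Error('empty character class');
      const ranges = [];
      for (let j = 0; j < body.length; j++) {
        if (j + 2 < body.length && body[j + 1] === '-') { ranges.push([body[j], body[j + 2]]); j += 2; }
        else ranges.push([body[j], body[j]]);
      }
      matcher = (ch) => ranges.some(([lo, hi]) => ch >= lo && ch <= hi) !== negate;
    } else if ('*+?'.includes(c)) {
      throw new Error('quantifier without operand');
    } else {
      matcher = (ch) => ch === c;
    }
    let quant = '';
    if (i < pattern.length && '*+?'.includes(pattern[i])) quant = pattern[i++];
    tokens.push({ matcher, quant });
  }
  return tokens;
}

// Advance every position in the set over one token; each position examined costs one step.
function stepOnce(text, positions, matcher, budget) {
  const next = new Set();
  for (const p of positions) {
    if (++budget.steps > MAX_STEPS) throw new Error('step budget exceeded');
    if (p < text.length && matcher(text[p])) next.add(p + 1);
  }
  return next;
}

// Zero-or-more repetitions as a set closure: positions only move forward, so each text
// index enters the result at most once and the loop is linear in the text length.
function closure(text, positions, matcher, budget) {
  const result = new Set(positions);
  let frontier = positions;
  while (frontier.size > 0) {
    frontier = new Set([...stepOnce(text, frontier, matcher, budget)].filter((p) => !result.has(p)));
    for (const p of frontier) result.add(p);
  }
  return result;
}

// Match the token list anchored at `start`; returns the furthest end index reached, or -1.
// The state is a set of text positions, never a stack of choices to revisit.
function matchAt(text, tokens, start, budget) {
  let positions = new Set([start]);
  for (const { matcher, quant } of tokens) {
    if (quant === '') positions = stepOnce(text, positions, matcher, budget);
    else if (quant === '?') positions = new Set([...positions, ...stepOnce(text, positions, matcher, budget)]);
    else if (quant === '*') positions = closure(text, positions, matcher, budget);
    else positions = closure(text, stepOnce(text, positions, matcher, budget), matcher, budget);
    if (positions.size === 0) return -1;
  }
  return Math.max(...positions);
}

// Leftmost match of `pattern` in `text` as { start, end, steps }, or null if there is none.
function findInText(text, pattern) {
  const tokens = compile(pattern);
  const budget = { steps: 0 };
  for (let start = 0; start <= text.length; start++) {
    const end = matchAt(text, tokens, start, budget);
    if (end >= 0) return { start, end, steps: budget.steps };
  }
  return null;
}
```

Because the matcher tracks a set of positions instead of backtracking over alternatives, a pattern such as `a*a*a*a*a*b` run against a long run of `a` characters costs at most a few steps per token per position rather than exploring every way of splitting the input, and when a large input does exhaust the budget the call fails fast with a clear error instead of hanging the server.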

Testing and Reliability

Test coverage exceeds 95%, including unit tests, integration tests, and extensive manual validation. Mouse has been used in production development workflows for months with no known security vulnerabilities reported.

Zero Data Collection

Mouse collects no data about you, your files, or your usage patterns.

  • No logs. Mouse does not write any log files. This is by design. The best way to avoid leaking user data is to avoid collecting it in the first place.
  • No telemetry. Mouse does not collect usage data, analytics, crash reports, or any other type of telemetry. While telemetry infrastructure was built for internal research, it was deliberately excluded from the product offered to users.
  • No local storage. Mouse stores nothing on your local disk beyond the workspace initialization files (the .hic directory and MCP configuration file created when you run Mouse: Initialize Workspace). The license key is never stored locally. Staged edits are held in memory and written to disk only when you save, and no temporary files are created.

The License Heartbeat

The sole network interaction that Mouse performs is its license heartbeat, designed with user privacy as the foremost concern:

  • The heartbeat validates the user's device against the active license by transmitting a unique device identifier. After the initial activation (which requires browser-based authentication), the license key itself is never transmitted again.
  • No personally identifiable information is transmitted during the heartbeat.
  • No usage data. No file names, no edit operations, no token counts, no session information.
  • No crash reports. If something goes wrong, we don't automatically collect or transmit any diagnostic data.

The heartbeat exists solely for license validation and ensuring compliance with the terms of service. It is designed to be as lightweight and privacy-conscious as possible.

NOTE

Enterprises with requirements to operate in a fully offline environment should contact sales@hic-ai.com to discuss options for an offline licensing mechanism.

Privacy Policy and Compliance

We maintain a detailed Privacy Policy that explains how we handle user data and what measures are in place to protect it.

  • GDPR. Mouse is designed to support GDPR compliance. Web traffic analytics are powered by Plausible, with all data stored in the EU.
  • PCI. We do not handle, receive, process, manage, or store customer payment details. All payment processing is handled by Stripe and Stripe Managed Payments on our behalf.
  • Cookies. We use only required cookies: no tracking cookies, no advertising cookies, no third-party analytics cookies.
  • SOC 2. We intend to pursue a SOC 2 audit post-launch and will update our documentation accordingly once that is complete.

HIC AI, Inc. will never monetize user data in any way. We charge a recurring subscription fee for Mouse, and that fee means we never need to look to user data as a revenue source. We are committed to this principle.

Please do not hesitate to contact us at privacy@hic-ai.com with any questions about user data.

Security Contact

All security issues and responsible disclosure reports should be directed to security@hic-ai.com.