Privacy & Security architecture

This page is a security-architecture statement, not a legal privacy policy. A formal privacy policy will be published before the App Store launch in August 2026, under review by counsel. The statements below describe how the HearthPilot product is engineered; the formal policy will describe legal terms, jurisdictions, and your rights.

The principle

Schalliol Automation cannot read your credentials, device state, automation history, or any home media — even with full physical access to our servers, even under legal compulsion. Anyone can verify this from published binary hashes.

This is the differentiator the wedge customer pays for. Compromising on it later destroys the brand permanently, so we ship it from day one.

The trust pyramid

The cloud is the least-trusted tier; your device is the most. The whole stack inverts standard SaaS trust.

  • Your device — iPhone, iPad, Mac, Apple TV — holds the trust root. A per-household master key is derived from Sign in with Apple plus a passkey held in the Secure Enclave. Recovery is mirrored to iCloud Keychain so you own it, not us.
  • The Bridge (optional) — a light-duty ethernet appliance in your home. If present, it holds primary key custody, runs your LAN-only adapters, and keeps safety-critical automations online when your internet isn't. Identified by an ed25519 device key; attestable from your phone.
  • The HearthPilot Brain (cloud) — runs inside AWS Nitro confidential-compute enclaves. The enclave's binary hash is published to a public transparency log (Sigstore). Your device verifies what's running before it releases ciphertext.

What we actually have

On our servers, in our database backups, in any subpoena response we could produce: a per-household envelope-encrypted blob whose key never leaves the attested enclave. We don't hold the key. Our employees don't hold it. A breach of our infrastructure produces ciphertext.

Apple Private Compute Cloud as prior art

This is the architectural pattern Apple ships as Private Compute Cloud for Apple Intelligence. Apple PCC itself is internal Apple infrastructure — not a third-party service we can host on. We implement the same pattern on AWS so we control the full stack.

Recovery

Passkey + recovery contact (Signal-style social recovery), or Apple ID account recovery. You always have a path back into your data; we never have a path into it.

Open auditability

Production enclave binary hashes are published in a Sigstore transparency log; clients verify what they're talking to before sending ciphertext. We will publish the verification procedure publicly so any user — or any researcher — can confirm the runtime matches the open audit.
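The client-side gate described above (verify the enclave's measurement against a published transparency-log entry before sending anything) as an added example; this is not HearthPilot's code or its published verification procedure. It assumes constructed values: a set of published measurements standing in for the Sigstore log lookup, and an HMAC standing in for the COSE signature and AWS certificate-chain check on a real Nitro attestation document.

```python
import hashlib
import hmac
import json
import time

# Constructed stand-in for the transparency-log entries a client would have
# fetched: SHA-256 measurements (PCR0) of enclave images the vendor published.
PUBLISHED_PCR0 = {hashlib.sha256(b"enclave-image-v1").hexdigest()}

# Constructed stand-in for the attestation authority's key. A real Nitro
# attestation document is COSE_Sign1, signed by a chain rooted at AWS; the
# chain verification replaces this HMAC check.
ATTESTATION_SIGNING_KEY = b"constructed-attestation-key"

MAX_ATTESTATION_AGE_S = 300  # reject documents older than five minutes


def sign_attestation(doc: dict) -> str:
    body = json.dumps(doc, sort_keys=True).encode()
    return hmac.new(ATTESTATION_SIGNING_KEY, body, hashlib.sha256).hexdigest()


def make_attestation(pcr0: str, nonce: bytes, ts: float) -> dict:
    """What the enclave side returns for a client-chosen nonce (constructed)."""
    doc = {"pcr0": pcr0, "nonce": nonce.hex(), "timestamp": ts}
    return {"doc": doc, "sig": sign_attestation(doc)}


def verify_attestation(att: dict, expected_nonce: bytes, now: float,
                       published=PUBLISHED_PCR0):
    doc, sig = att["doc"], att["sig"]
    # 1. Authenticity: the document must be signed by the attestation authority.
    if not hmac.compare_digest(sign_attestation(doc), sig):
        return False, "bad signature"
    # 2. Freshness: our nonce must be echoed back and the document must be recent,
    #    so a captured document from an older (audited) image cannot be replayed.
    if not hmac.compare_digest(doc["nonce"], expected_nonce.hex()):
        return False, "nonce mismatch (replay?)"
    if not 0 <= now - doc["timestamp"] <= MAX_ATTESTATION_AGE_S:
        return False, "stale attestation"
    # 3. Measurement: PCR0 must match an image hash in the public log.
    if doc["pcr0"] not in published:
        return False, "unpublished enclave measurement"
    return True, "ok"


def release_to_enclave(att: dict, expected_nonce: bytes, payload: bytes,
                       now: float = None) -> bytes:
    """Hand ciphertext (or a wrapped key) to the enclave only if attestation passes."""
    ok, reason = verify_attestation(att, expected_nonce, now or time.time())
    if not ok:
        raise PermissionError(f"refusing to send payload: {reason}")
    return payload
```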

What's covered, what isn't

The architecture above applies to the HearthPilot product: your devices, your credentials, your home state, your automation history — once you are a paying customer of the Brain.

The HearthPilot waitlist (this site's email signups, when the form goes live) will be stored in a third-party email service. The privacy architecture above does not apply to the marketing waitlist — the marketing list contains email addresses only, never device credentials or home data.

Questions, reports, audits

For security disclosures, email security@hearthpilot.com. For privacy questions, privacy@hearthpilot.com. Reports are read by the founder.