Security & trust

Your code stays on your machine.

DetachDev relays commands and output between your AI client and Claude Code. Your source code is never stored on our platform — and every action that crosses the wire is logged.

We relay. We never store your code.

DetachDev sits between your AI client and Claude Code on your dev machine. It passes commands in, streams output back out. That's the entirety of what it does with your source code. Nothing is persisted on the platform — not your files, not your project structure, not the code Claude is writing.

What is stored: session metadata, prompts, tool call records and audit events. All of it is yours to export or delete.

Source code stays local

Files are read and written by Claude Code on your machine. DetachDev never receives file contents.

Sessions execute locally

Claude Code processes run on your hardware, in your environment, under your OS user account.

You control what's retained

Session history and search are opt-in per plan. Retention periods are configurable. You can delete at any time.

All activity is attributed

Every command, approval and tool call is logged with the user, device and timestamp that triggered it.

Everything that happens is logged

DetachDev's logging model is designed around one principle: you should always be able to answer "who did what, on which machine, and when."

📜

Immutable audit log

Every MCP call is recorded in an HMAC-SHA256 hash chain. Entries are tamper-evident and queryable via API and dashboard.

🕐

Full attribution

Every logged event carries the user ID, device ID, session ID and a UTC timestamp. No anonymous actions.

🔍

Session history & search

Browse and full-text search past prompts, tool calls and responses across all devices and projects.

📊

SIEM export

Stream audit events to your security platform via REST polling, webhook push or syslog in JSON, CEF or LEEF formats.

🗓️

Retention controls

Define retention periods per data type — session logs, request records, audit archives. Automated cleanup respects legal holds.

⚖️

Legal hold & DSAR

Place holds on data for specific users, devices or organisations. Process data subject access requests with deadline tracking.

Outbound-only. No open ports.

The DetachDev client daemon initiates a single outbound WebSocket connection to the platform. Your dev machines never listen for inbound traffic — there is no attack surface to expose.

How the connection works

  • Client daemon dials out to the platform over WebSocket on startup
  • No inbound ports opened on your dev machine
  • All traffic encrypted with TLS — configurable certificates and ciphersuites
  • Connection authenticated with a per-device token before any commands are accepted

What flows across the wire

  • MCP tool call parameters and responses — commands and structured output
  • Session status events — lifecycle transitions and permission prompts
  • No file contents, no source code, no environment variables
  • All payloads encrypted in transit end-to-end

You control who can do what

Access to DetachDev is layered — platform authentication, device identity and per-user permissions are all independent controls. Revoke any one of them independently.

Authentication

  • Sanctum bearer tokens for API access
  • Shared secrets for device-to-platform auth
  • OAuth 2.1 with PKCE for external integrations
  • Social sign-in via GitHub and Google
  • TOTP-based MFA on all accounts

Device identity

  • Each device gets its own token — bcrypt hashed
  • Tokens verified on every request, not just at connection
  • Revoke a device instantly from the dashboard
  • mTLS support for mutual certificate-based auth
  • IP allow-lists per organisation

Team permissions

  • Four roles across 16 granular permissions
  • Separate view, replay, export and restore rights
  • Override defaults per organisation
  • All permission checks enforced at every API endpoint
  • SAML 2.0 SSO with JIT provisioning (Business+)

Built for regulated environments

For organisations where compliance is non-negotiable. Available on Business and Enterprise plans.

Encryption at rest

Field-level AES-256-GCM with per-organisation keys. Key rotation without re-encrypting existing data.

Key management

Pluggable KMS supporting AWS KMS, HashiCorp Vault and local providers. Admins cannot read plaintext.

Data residency

Assign organisations to geographic regions — US, EU, AU — with enforced data placement.

Break-glass access

Recover master keys via Shamir's secret sharing. K-of-N threshold with full ceremony audit trail.

SCIM 2.0 provisioning

Automated user and group lifecycle from your identity provider. Create, update, deactivate.

On-prem deployment

Run the DetachDev platform entirely within your own infrastructure. No data leaves your environment.

Custom retention

Define retention windows per data type across the platform. Immutable audit logs are exempt from cleanup.

Dedicated support

Named support contact, SLA commitments and security review assistance for enterprise customers.

Questions about security?

Talk to us about your organisation's requirements — compliance, encryption, residency, or on-prem deployment.