Data Usage & Security

Lianwo Technology (Beijing) Co., Ltd. ("Lianwo Technology," "we," or "us") is committed to protecting data security. Below is how your data is handled based on your privacy settings:

Data Usage

1. If "Privacy Mode" Is Enabled

  • Our model providers will enable a zero-data retention mechanism.
  • Lianwo Technology may store some code data to provide additional features.
  • None of your code will ever be used by us or any third party for model training.

2. If "Privacy Mode" Is Disabled

  • We may use and store codebase data, prompts, editor actions, code snippets, and other code data and operation records to improve our AI features and train models.
  • When you explicitly choose to use a third-party model, prompts and limited telemetry data may also be shared with that model provider.
  • Some of our inference service providers may temporarily access and store model input and output content to optimize inference performance; such data is deleted after use.
  • When you explicitly choose to use a third-party model, prompts and limited telemetry data may also be shared with that model provider.

For more details on how model providers use data when Privacy Mode is disabled, please refer to our security page.

3. Additional Notes

  1. Even if you use your own API key, your requests still pass through our backend servers, where we perform final prompt construction.
  2. If you choose to index your codebase, we upload your codebase in small chunks to our servers to compute Vector Embeddings, but the plaintext code used for Embedding Computation is immediately destroyed after the request lifecycle ends.
  3. Vector Embeddings and metadata (hash values, file names) of the codebase may be stored in our database. We temporarily cache file contents on the server to reduce latency and network consumption.
  4. Files are encrypted using unique keys generated on the client side, and these encryption keys exist on the server only during the request.

Security Statement

We attach great importance to the security of your source code and developer environment. This page outlines the security design and safeguards of Lianwo Technology. Several large organizations trust and use Lianwo Technology, but please note that we are still continuously improving our product and enhancing our security capabilities. If you work in a highly sensitive environment, please exercise caution when using Lianwo Technology (or any other AI tool). We hope this page helps you understand our security progress and make a reasonable risk assessment.

1. Infrastructure & Client Security

Infrastructure Security

  • Transmission Encryption: All communication between the client and server is encrypted using TLS 1.2 or above, ensuring data is not intercepted or tampered with during transmission.
  • Encryption at Rest: Code embedding vectors and related metadata stored on our servers are encrypted using AES-256.
  • Access Control: We enforce strict least-privilege access controls on internal systems. Employee access to production data requires multi-factor authentication (MFA) and is recorded in audit logs.
  • Cloud Service Compliance: Our backend infrastructure is hosted on cloud providers that comply with international security standards such as SOC 2 and ISO 27001, ensuring physical security of data centers and network isolation.
  • Security Audits: We regularly conduct internal security reviews and penetration testing, promptly fix known vulnerabilities, and continuously follow up on security updates for dependent libraries.
  • Monitoring and Alerts: We implement real-time monitoring and alerting for abnormal server-side access, data breach risks, and suspicious behavior, so security incidents can be detected and responded to in the shortest possible time.

Client Security

  • Local Data Isolation: The Lianwo Technology client only sends the minimum amount of data necessary to the server when required. Credentials such as API keys are stored via the Electron safeStorage API, encrypted by the system Keychain (DPAPI / macOS Keychain) on Windows and macOS; on Linux, the security strength depends on the user's local keyring configuration (e.g., gnome-keyring, kwallet), and if the keyring is not properly configured, it may fall back to a weaker encryption method.
  • Client-Side Encryption Keys: Encryption keys used for codebase indexing are generated locally on the client. The server holds the key only during a single request and destroys it immediately after the request ends, fundamentally preventing offline decryption of server-side data.
  • Sandbox Isolation: Lianwo Technology runs AI-generated commands or code in an isolated environment before execution, preventing malicious code from directly affecting the host system.
  • Automatic Update Mechanism: The client supports automatic security updates, ensuring known vulnerabilities are patched promptly and users stay on the latest secure version without manual intervention.

2. Workspace Trust Disabled by Default

Lianwo Technology disables Workspace Trust by default. You can enable it by setting security.workspace.trust.enabled to true in settings. It is disabled by default to avoid user confusion between "Restricted Mode" and "Privacy Mode," and because the mechanism is complex and easily misunderstood (for example, even when enabled, it only protects against malicious folders and cannot guard against malicious extensions). We welcome community feedback on whether this feature should be enabled by default.

3. Extension Signature Verification

Lianwo Technology does not verify extension signatures for extensions downloaded from the marketplace by default. Specifically, extensions.verifySignature defaults to false in Lianwo Technology, whereas it is true in VS Code. If set to true in Lianwo Technology, a signature verification failure prompt will appear every time an extension is installed. We plan to support Extension Signature Verification in the medium term.

4. AI Requests

To provide various features, Lianwo Technology sends AI requests to our servers in the following scenarios:

  1. Asking questions in a conversation
  2. Each keystroke to support Lianwo Technology Tab completion
  3. Background context building, issue detection, and suggestions
  4. A typical AI request includes context: recently viewed files, conversation history, and relevant code snippets based on language server information.

5. Codebase Indexing

Lianwo Technology supports semantic indexing of your codebase, enabling it to answer questions based on the full code context and generate higher-quality code by referencing existing implementations. Codebase indexing is enabled by default and can be disabled in settings.

Workflow

  1. Chunk Upload: Lianwo Technology splits your codebase into small chunks, encrypts each chunk using a unique encryption key generated locally on the client, and uploads them to our servers.
  2. Embedding Computation: After decrypting the encrypted code chunks, the server calls the embedding model to compute their semantic vectors (embeddings). Plaintext code exists briefly in memory only during this computation and is immediately destroyed upon completion; it is never persisted.
  3. Vector Storage: The computed Vector Embeddings and associated metadata (e.g., file hashes, file names) are stored in encrypted form in our database for subsequent semantic retrieval.
  4. Retrieval and Response: When you initiate a code Q&A or completion request, Lianwo Technology vectorizes the query locally, performs similarity retrieval with the server over an encrypted channel, returns the most relevant code snippets as context, and ultimately generates a response.
  5. Key Lifecycle: Encryption keys are generated by the client and exist in server memory only during a single request. They are immediately destroyed after the request ends, ensuring the server cannot access your plaintext code outside of requests.
  6. Index Deletion: When you delete your account or manually clear the codebase index, all Vector Embeddings and metadata associated with that codebase are immediately deleted and fully purged from backups within 30 days.

6. Privacy Mode Guarantee

Privacy Mode can be enabled in settings or enforced uniformly by a team administrator. When enabled, we guarantee that code data will not be stored by model providers or used for model training. All users (Free / Pro) can enable Privacy Mode, and team members have it enforced by default. Over 50% of Lianwo Technology users have Privacy Mode enabled, and we take this guarantee very seriously.

Implementation

  • Provider-Level Zero-Retention Agreement: Lianwo Technology has signed data processing agreements with model providers (including Lianwo Technology's own model services), expressly stipulating that under Privacy Mode, model providers must not use any input or output data for model training, and must not retain any prompts or response content after the request is completed.
  • Request Header Marking: Each AI request carries a Privacy Mode identifier at the protocol level. The model service side automatically switches to a zero-retention processing flow based on this identifier, technically ensuring that data is not written to any training dataset.
  • Lianwo Technology-Side Data Isolation: Under Privacy Mode, Lianwo Technology servers do not write the prompts, code snippets, or response content from the request to log databases or use them for subsequent analysis; only essential billing and security audit logs are retained (excluding code content).
  • Team Enforcement Policy: Enterprise and team account administrators can set Privacy Mode as mandatory in the admin console. This policy applies to all members of the team and cannot be disabled by individual members, ensuring organization-level data compliance.
  • Audit and Verification: We regularly conduct internal audits of the technical implementation of Privacy Mode to verify that data flows comply with our commitments, and we have alert mechanisms for any violations of Privacy Mode agreements.
The Privacy Mode guarantee is one of our most important commitments to users. If you discover any situation that may violate this guarantee, please notify us immediately via the contact information below.

7. Account Deletion

You can delete your account at any time in the settings panel (click "Advanced → Delete Account"). This operation deletes all data associated with your account, including indexed codebases. We guarantee complete data removal within 30 days (data is deleted immediately; some database and cloud storage backups are retained for no more than 30 days).

Please note: If you had not previously enabled Privacy Mode, your data may have been used for model training. Existing trained models will not be immediately retrained; however, all future model training will no longer use your deleted data.

8. Security Vulnerability Disclosure

If you discover a security vulnerability in Lianwo Technology, please contact us. We commit to acknowledging receipt of your report within 5 business days and addressing it as soon as possible. High-severity incidents will be communicated to all users via email.