Security
How Nemo protects your financial data
Last updated: April 7, 2026
Most finance apps make security promises in marketing copy and store every transaction you have ever made on a server you do not control. Nemo's security model is structurally different: the things that matter most never leave your machine in the first place. This page explains the engineering behind that claim.
The five pillars
1. Local-first storage
Your transactions, balances, budgets, goals, categorization rules, and AI provider keys all live in a SQLite database on your computer. Nemo's servers never receive them. If you uninstall the app, the data goes with it — because there is no copy anywhere else.
2. DPAPI-encrypted credential vault
Sensitive credentials — your Teller mTLS certificate, enrollment tokens, and AI API keys — are stored in a vault encrypted with the Windows Data Protection API (DPAPI) or, on macOS, the Keychain. DPAPI ties the encryption key to your operating-system user account, so even if an attacker copied the encrypted files to another machine, they could not read them.
3. Mutual-TLS bank connections via Teller
Nemo connects to your bank through Teller, a developer-first banking API. Every request is signed with a client certificate that lives in your local vault — both Nemo and the bank verify each other cryptographically before any byte is exchanged. Your banking username and password are never typed into Nemo or stored by us; you authenticate directly with your bank through Teller's secure enrollment flow.
4. Bring-your-own-key AI
AI features are powered by an OpenAI, Anthropic, or Google API key that you provide. When Nemo makes an LLM call, the request goes from your machine straight to the provider you chose — Nemo's servers are not in the path. We literally cannot see your prompts. If you prefer, you can point Nemo at a fully offline local model via Ollama or LM Studio and the AI features still work.
5. Zero-knowledge mobile pairing
The mobile companion app pairs with the desktop using ECDH (P-256) to derive a shared key, then encrypts your bank credentials with AES-256-GCM. The encrypted blob is uploaded to our cloud so the phone can pull it down — but the decryption key (your nemo-vk-… vault key) lives on your devices, not on our server. We literally cannot decrypt the blob even if we wanted to. Lose the phone? Unpair from the desktop and the phone-side credentials are wiped immediately.
What our servers actually see
To draw the line clearly, here is the complete list of things that touch our infrastructure when you use Nemo:
- Your email and a bcrypt-hashed password (so you can sign in across devices).
- Verification codes and password-reset emails delivered through Resend.
- An opaque ciphertext of your credentials, only if you opt into mobile pairing.
- Standard request logs with IP and user agent for short-term abuse prevention.
That is it. No transactions. No balances. No prompts. No browsing data.
Code-signing and update integrity
Windows installers are signed with an EV code-signing certificate (Certum), so SmartScreen does not flag them and tampered builds will not match the publisher signature. macOS builds are notarized through Apple's notary service. The auto-updater verifies a Minisign signature on every update manifest before applying it, so an attacker that compromised our CDN still could not push you a malicious build.
Reporting a vulnerability
If you find a security issue in Nemo — the desktop app, the mobile app, the auth service, or this website — please email [email protected]. Include reproduction steps and we will respond within 72 hours. We do not currently run a paid bug bounty program, but we credit responsible disclosures publicly (with your permission).
Things we are honest about
No security model is perfect, and we would rather be specific than smug:
- If your laptop is compromised at the OS level by malware that runs as your user, that malware can read whatever DPAPI can decrypt. Local-first protects you from cloud breaches, not from a rooted machine.
- Our auth service is a normal NestJS app on Railway. We rotate keys on schedule and follow standard hardening, but we are not SOC 2 certified — we are a young product and the tradeoff today is moving fast on the parts that matter.
- Teller is the trust root for bank connections. If Teller has an outage or a security incident, Nemo's connections are affected.
Want to talk about the architecture in more depth? We are happy to. [email protected].