Help Center · Account & cloud
Signing in is optional and purely additive. It adds the enterprise layer on top of local-first Ledger: a shared org vault across your team, SSO, and evidence emission. While signed out, Ledger makes zero network calls.
The free local tier already gives you the editor, search, governance, the roles demo, portals, import/export, and local history. Signing in adds the parts that only make sense across a team and across devices:
The top bar leads with a Sign in button (it shows your account email once you're in) and a ⇄ Vault sync button, so both are first-class rather than buried.
Privacy detail: the sign-in machinery (Clerk) is only loaded the moment you click "Sign in with Clerk." Until then, no third-party script loads and no network request is made — the signed-out app is genuinely zero-network. See Security & privacy.
Once signed in, the cloud panel shows each Pro feature with a live badge: Pro · unlocked or Locked. The badge reflects your organization's entitlements — what your plan includes. If a feature shows Locked, there's an Upgrade to unlock link to the pricing page.
The three entitlement-gated feature groups are:
cloud_sync — Shared org vault (the sync buttons appear when unlocked).pr_review — Roles, approval & audit.msp — Published portals & multi-client isolation.The shared org vault is one company-wide knowledge base in the cloud, keyed to your organization. It's the team counterpart to the local-first browser store and the on-disk Obsidian vault.
With cloud_sync unlocked, the cloud panel shows two buttons:
Because the org vault stores the same Markdown and the same store key (kb-state) the Obsidian plugin uses, the web app and the plugin interoperate against the same org vault. If you're also using on-disk vault sync, the vault-sync panel offers a ☁ Push to org cloud button so a folder sync and a cloud push are one quick sequence.
What never syncs: there are no passwords or secrets in the KB to begin with (credential pages are vault links), so the org vault carries no secret material by construction. Only Markdown content moves.
If your organization uses Sightline (the DosanjhLabs compliance product), Ledger can publish evidence that documentation exists and is being reviewed — useful for controls like "a documented asset inventory exists and is reviewed at least every 90 days."
it_documentation evidence object and confirms with an id.What's in the evidence — and what isn't. The payload contains structural signals only: for each page, its path, title, type, tags, reviewed_on date, and host metadata; plus counts and your company name; and the marker secrets: none-stored. Page bodies are never sent. Sightline gets enough to map your documentation coverage to controls, and nothing more.
msp entitlement adds hard per-client isolation so each client's documentation stays separate. The tenant is always derived server-side from your verified session — a client can't be addressed by setting a header.The cloud module loads separately and best-effort. If it can't load — you're offline, a network policy blocks it, or it isn't deployed in your environment — the app simply stays fully local-first. You'll see a message that the cloud tier is unavailable, and everything local keeps working. The core app never depends on the cloud module.