Help Center · Security & privacy
Ledger is built so a breach of Ledger leaks no credentials — because there are none to leak. This page explains the no-secrets posture, the zero-network-when-signed-out guarantee, exactly where your data lives, and how the optional cloud tier and tokens are handled.
Ledger stores zero secret material. It is not a password manager and never tries to be. Instead, credential pages reference an item in your real password manager (Bitwarden, 1Password, Keeper, Vaultwarden, etc.) by URL or ID — for example vault://provider/item-id — so the credential itself stays in the vault built to protect it.
This is a deliberate security stance with a simple payoff: if Ledger (local storage, the org vault, an exported file, or a published portal) were ever exposed, it would contain no passwords, keys, or seeds, because none were ever stored.
People sometimes paste a secret by reflex. To catch that, Ledger scans each page when you save for things that look like secrets — password:, secret:, api_key:, provider keys (sk-…), PEM private-key blocks, and seed-phrase-like strings. If it finds one, it warns you, names what it matched, and asks you to confirm before saving, nudging you toward a vault link instead.
It's a guardrail, not a vault — you can override it for a false positive (see "My secret got flagged") — but the intended action is to remove the secret. The AI scrubber applies the same idea to AI prompts, redacting or blocking likely secrets before any request leaves your browser.
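To make the save-time scanner and the AI scrubber concrete, here is an added example (not Ledger's own code) of the two steps the page describes: find anything that looks like a secret and name it, then redact it before text is sent anywhere. The pattern names, the seed-phrase heuristic and the sample page are assumptions constructed for illustration, not Ledger's actual rules.

```javascript
// Added example, not Ledger's code. Patterns are assumptions chosen to
// mirror the categories the help page lists; a real scanner would tune them.
const SECRET_PATTERNS = [
  { name: "password field",       re: /\bpassword\s*[:=]\s*\S+/gi },
  { name: "secret field",         re: /\bsecret\s*[:=]\s*\S+/gi },
  { name: "api_key field",        re: /\bapi_key\s*[:=]\s*\S+/gi },
  { name: "provider key (sk-...)", re: /\bsk-[A-Za-z0-9_-]{16,}\b/g },
  { name: "PEM private key",
    re: /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g },
  // Heuristic only: a line made of 12-24 short lowercase words. A production
  // check would compare each word against a mnemonic wordlist (e.g. BIP39).
  { name: "seed phrase",          re: /^(?:[a-z]{3,8} ){11,23}[a-z]{3,8}$/gm },
];

// Save-time check: returns every hit with the category name so the UI can
// tell the user exactly what matched and ask for confirmation.
function scanForSecrets(text) {
  const findings = [];
  for (const { name, re } of SECRET_PATTERNS) {
    for (const m of text.matchAll(re)) {
      findings.push({ name, match: m[0], index: m.index });
    }
  }
  return findings.sort((a, b) => a.index - b.index);
}

// Scrubber step for AI prompts: replace each hit with a labelled placeholder
// so the request that leaves the browser carries the label, not the value.
function redactSecrets(text) {
  let out = text;
  for (const { name, re } of SECRET_PATTERNS) {
    out = out.replace(re, `[REDACTED ${name}]`);
  }
  return out;
}

// Constructed sample page: one proper vault reference (allowed) and three
// pasted-by-reflex secrets (flagged). Values are made up for this example.
const SAMPLE_PAGE = [
  "# Guest Wi-Fi runbook",
  "Router admin login: vault://bitwarden/guest-wifi-admin",
  "password: hunter2",
  "OPENAI_KEY=sk-abcdefghijklmnopqrstuvwxyz012345",
  "abandon ability able about above absent absorb abstract absurd abuse access accident",
].join("\n");

for (const f of scanForSecrets(SAMPLE_PAGE)) console.log(`flagged ${f.name}: ${f.match}`);
console.log(redactSecrets(SAMPLE_PAGE));
```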
While you're signed out, Ledger makes no non-local network calls. The only network-capable code (the cloud module) loads separately and only does anything when you click "Sign in." Until then, no third-party scripts (including the sign-in provider) are loaded, and your docs never leave your machine. This is verified by the project's test suite, which asserts the entire signed-out flow makes zero network calls.
| Data | Where it's stored | Leaves your machine? |
|---|---|---|
| Your documents (Markdown) | Browser localStorage, on this device | Only if you sign in and sync, or sync to a vault folder, or export. |
| Active page, selected role, sync state | Browser localStorage / IndexedDB | No. |
| AI provider key | Browser localStorage | No — never sent to DosanjhLabs. Used only to call your chosen provider directly. |
| Connected vault folder handle | Browser IndexedDB | No — it's a permission handle, not your files. |
| On-disk Obsidian vault | Your disk (the folder you connected) | It's already on your machine; sync reads/writes those files. |
| Shared org vault (if signed in) | Your org's tenant store on the DosanjhLabs platform | Yes — but it's Markdown only, with no secrets. |
| Obsidian plugin access token | .obsidian/plugins/ledger-enterprise/data.json in your vault | No (sent only as a bearer to authenticate API calls). |
Local storage is per-browser and not a backup. Clearing your browser data, using a different browser/profile, or a private window will not show your docs. Keep your own backups by exporting or by syncing to a vault folder or the cloud. See data loss & recovery.
MSP entitlement adds hard per-client isolation.

A published portal is a static, read-only HTML file with no editing controls and no embedded credentials (there are none to embed). The Markdown is sanitized when rendered (HTML is escaped), so a portal can't be used to inject scripts. Treat the file like any shared document — it's a point-in-time snapshot of the space you published.
Ledger is a documentation aid. It is not a password manager, not a backup system, and not a compliance program. Keep your secrets in a real vault, keep your own backups, and run your own compliance controls — Ledger documents and governs your knowledge; it doesn't replace those tools.