The runtime is the security boundary. The model is an implementation detail.
Dropstone CLI treats every model output as untrusted text. Whatever the model writes — code, shell commands, URLs to fetch, file edits — does nothing on your machine until you explicitly approve it. In Build mode, every destructive action prompts you with three choices: Allow once, Allow always, or Reject.
This is the security boundary. It is the same control surface that Anthropic, Databricks, NIST AI RMF, and every serious agentic-AI security framework converge on. The industry term is Human-in-the-Loop (HITL); the engineering principle is treat-model-as-untrusted-input.
If a model were to suggest a malicious shell command, file write, or network call, it would appear in your terminal as a proposed action. Nothing executes. You read it, decide, and either approve or reject. There is no path from model output to your filesystem that bypasses you.
Note: Accept-All mode auto-approves tool calls for the current session. It is intentionally opt-in and clearly labeled in amber. Use it only when you have already reviewed the agent's plan.
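To make the gate concrete, here is an added example (not Dropstone's own code) of a human-in-the-loop approval gate in the shape described above: every destructive tool call is held until the user answers Allow once, Allow always, or Reject, and any other answer is treated as a reject. The tool names, the `ask()` callback, the audit list and the choice to scope "Allow always" to the exact tool-plus-arguments are assumptions.

```python
"""Added example, not Dropstone's own code: a human-in-the-loop gate.
Every destructive tool call is held until the user answers Allow once /
Allow always / Reject; anything else is a reject. Tool names, the ask()
callback and the always-allow scope are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

ALLOW_ONCE, ALLOW_ALWAYS, REJECT = "once", "always", "reject"

# Assumed set of tools whose effects reach the filesystem, shell or network.
DESTRUCTIVE_TOOLS = frozenset({"shell", "write_file", "fetch_url"})


@dataclass(frozen=True)
class ToolCall:
    tool: str
    args: Tuple[str, ...]


@dataclass
class ApprovalGate:
    ask: Callable[[ToolCall], str]              # prompts the user, returns the answer
    accept_all: bool = False                    # session-wide opt-in; off by default
    always: set = field(default_factory=set)    # exact calls granted "Allow always"
    audit: List[Tuple[ToolCall, str]] = field(default_factory=list)

    def decide(self, call: ToolCall) -> bool:
        """Return True only when the call may run. The default answer is reject."""
        if call.tool not in DESTRUCTIVE_TOOLS:
            self.audit.append((call, "auto"))
            return True
        if self.accept_all:
            self.audit.append((call, "accept-all"))
            return True
        if call in self.always:   # scoped to the exact tool+args (assumed design choice)
            self.audit.append((call, "always-cached"))
            return True
        answer = self.ask(call)
        if answer == ALLOW_ALWAYS:
            self.always.add(call)
        approved = answer in (ALLOW_ONCE, ALLOW_ALWAYS)
        self.audit.append((call, answer if approved else REJECT))
        return approved


def run_tool(gate: ApprovalGate, call: ToolCall,
             handlers: Dict[str, Callable[..., str]]) -> str:
    """The only path from model output to a side effect: the handler is
    looked up and invoked strictly after the gate has said yes."""
    if not gate.decide(call):
        return f"rejected: {call.tool} {' '.join(call.args)}"
    return handlers[call.tool](*call.args)


if __name__ == "__main__":
    # Constructed session: the "model" proposes the same shell command twice.
    scripted = iter([ALLOW_ONCE, REJECT])
    gate = ApprovalGate(ask=lambda c: next(scripted))
    handlers = {"shell": lambda *a: f"ran: {' '.join(a)}"}
    proposal = ToolCall("shell", ("rm", "-rf", "build"))
    print(run_tool(gate, proposal, handlers))   # ran: rm -rf build
    print(run_tool(gate, proposal, handlers))   # rejected: shell rm -rf build
```

The design point is that `run_tool` is the single chokepoint: a handler is only reachable through `decide`, and `decide` returns False for anything that is not an explicit approval, so a malformed or empty answer fails closed. Scoping "Allow always" to the exact call rather than the tool name is the conservative choice; a broader per-tool grant would mean one approval covers every future command the model proposes for that tool.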
Every Dropstone chat traverses one of three providers, all US-hosted and selected for their published latency, capacity, and data-handling guarantees:
Provider selection is enforced in code, not configuration — China-hosted endpoints (DeepSeek's native API, Moonshot's native API) are excluded by design and cannot be selected at runtime. Failover between US providers is permitted; falling out of the US-only set is not.
Every upstream call to OpenRouter is sent with data_collection: 'deny'. The request fails closed if any provider in the routing chain would retain the prompt or completion. This is a contractual guarantee at the API boundary, not a promise in marketing copy.
The Dropstone server itself does not persist prompt or completion content. Request logs capture metadata only: model identifier, token counts, latency, cost, status code. Prompt text, attached files, and model responses are never written to disk and never sent to analytics platforms.
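The three preceding points (US-only allowlist enforced in code, `data_collection: 'deny'` on every upstream call, metadata-only logging) can be shown together. The following is an added example, not Dropstone's own code: the allowlist check runs in the request builder so no configuration value can widen it, a last pre-send check refuses any body that is not pinned to no-retention routing, and the log record is built from fields that never include prompt or completion text. The provider names, the model id, the `order` and `allow_fallbacks` fields (OpenRouter's documented provider-routing fields, assumed here) and the shape of the `usage` object are assumptions; `data_collection: "deny"` is the setting named above.

```python
"""Added example, not Dropstone's own code: build an OpenRouter-bound request
that refuses providers outside a US-only allowlist, pins routing to that set
with data_collection set to 'deny', and emits a metadata-only log record.
Provider names, model id, routing fields and usage fields are assumptions."""
import json
from typing import Dict, List, Sequence

# Assumed allowlist; the page states the US-only policy, not the exact names.
US_PROVIDERS: Sequence[str] = ("DeepInfra", "Fireworks", "Together")


class ProviderPolicyError(ValueError):
    """Raised when a request would leave the US-only provider set."""


def policy_allows(providers: Sequence[str]) -> bool:
    """True only if every requested provider is in the allowlist and the
    list is non-empty; an empty list would let the router pick freely."""
    return bool(providers) and all(p in US_PROVIDERS for p in providers)


def build_request(model: str, messages: List[Dict[str, str]],
                  providers: Sequence[str] = US_PROVIDERS) -> dict:
    """Build the JSON body for a chat completion. 'order' plus
    allow_fallbacks=False confines failover to the listed providers;
    data_collection='deny' asks the router to fail rather than route to a
    provider that retains prompts or completions."""
    if not policy_allows(providers):
        raise ProviderPolicyError(f"providers outside US-only set: {list(providers)}")
    return {
        "model": model,
        "messages": messages,
        "provider": {
            "order": list(providers),
            "allow_fallbacks": False,
            "data_collection": "deny",
        },
    }


def pinned_to_no_retention(body: dict) -> bool:
    """Final check before the network call: the body must carry the deny
    flag and must not permit fallback outside the listed providers."""
    prov = body.get("provider", {})
    return prov.get("data_collection") == "deny" and prov.get("allow_fallbacks") is False


def log_record(body: dict, response: dict, latency_ms: float) -> dict:
    """Build the log line: model id, token counts, latency, cost, status.
    Prompt text and completion text are deliberately never copied in."""
    usage = response.get("usage", {})
    return {
        "model": body["model"],
        "prompt_tokens": usage.get("prompt_tokens", 0),
        "completion_tokens": usage.get("completion_tokens", 0),
        "latency_ms": round(latency_ms, 1),
        "cost_usd": usage.get("cost", 0.0),   # assumed field name
        "status": response.get("status", 0),
    }


if __name__ == "__main__":
    body = build_request("example-model", [{"role": "user", "content": "hello"}])
    if not pinned_to_no_retention(body):
        raise ProviderPolicyError("refusing to send: routing not pinned")
    # Constructed upstream response with a completion that must not be logged.
    fake_response = {"status": 200,
                     "usage": {"prompt_tokens": 5, "completion_tokens": 12, "cost": 0.0001},
                     "choices": [{"message": {"content": "SENSITIVE REPLY"}}]}
    print(json.dumps(log_record(body, fake_response, 412.34)))
```

Keeping `log_record` as a whitelist of named fields (rather than copying the response and deleting `choices`) is what makes the "metadata only" claim robust: a new field added upstream cannot leak into logs by default.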
Dropstone Fast 1.5, Pro 1.5, and Heavy 1.5 are branded names. The underlying model behind each tier is selected monthly by Blankline Research's open-weight frontier evaluation, and the brand stays stable as the model changes underneath.
The version suffix 1.5 encodes Year 1, Month 5 — May 2026. Each monthly cycle re-evaluates the open-weight frontier on cost-adjusted SWE-bench, agentic tool-use, and vision benchmarks and pins the best fit to each tier.
The underlying model is an implementation detail. The brand is the stable interface. When a better model emerges, the brand follows.
Images attached to any Dropstone tier are processed through Dropstone Vision 1.5, currently built on Gemini 3.5 Flash (84% MMMU-Pro, tied for industry leadership). The resulting caption is then forwarded as text to the user's selected reasoning model.
Captions are keyed by SHA-256 of the image bytes. The same image attached twice returns the cached caption with sub-millisecond latency and zero additional API cost. Cache entries expire within 24 hours and do not persist beyond the server process lifetime.
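As an added example (not Dropstone's own code), here is an in-process caption cache with the properties described above: entries are keyed by the SHA-256 of the raw image bytes, expire after 24 hours, and live only in the process's memory. The captioner callback, the injected clock (so expiry can be exercised without waiting a day) and the byte strings are assumptions.

```python
"""Added example, not Dropstone's own code: an in-process caption cache keyed
by SHA-256 of the image bytes with a 24-hour expiry. The captioner callback,
the clock injection and the sample byte strings are assumptions."""
import hashlib
import time
from typing import Callable, Dict, Tuple

TTL_SECONDS = 24 * 60 * 60


class CaptionCache:
    def __init__(self, captioner: Callable[[bytes], str],
                 now: Callable[[], float] = time.monotonic,
                 ttl: float = TTL_SECONDS) -> None:
        self._captioner = captioner
        self._now = now
        self._ttl = ttl
        # key -> (expires_at, caption); a plain dict, so it dies with the process
        self._store: Dict[str, Tuple[float, str]] = {}
        self.upstream_calls = 0   # counts vision-model calls actually made

    @staticmethod
    def key(image_bytes: bytes) -> str:
        """Content-addressed key: identical bytes hit, any one-bit change misses."""
        return hashlib.sha256(image_bytes).hexdigest()

    def caption(self, image_bytes: bytes) -> str:
        k = self.key(image_bytes)
        entry = self._store.get(k)
        if entry is not None and entry[0] > self._now():
            return entry[1]                       # cache hit, no upstream call
        text = self._captioner(image_bytes)       # miss or expired: call upstream
        self.upstream_calls += 1
        self._store[k] = (self._now() + self._ttl, text)
        return text

    def purge_expired(self) -> int:
        """Drop entries past their expiry; returns how many were removed."""
        now = self._now()
        dead = [k for k, (expires_at, _) in self._store.items() if expires_at <= now]
        for k in dead:
            del self._store[k]
        return len(dead)

    def __len__(self) -> int:
        return len(self._store)


if __name__ == "__main__":
    clock = [0.0]   # constructed clock so expiry can be demonstrated instantly
    cache = CaptionCache(captioner=lambda b: f"caption of {len(b)} bytes",
                         now=lambda: clock[0])
    img = b"\x89PNG constructed-image-a"   # constructed, not a real image
    print(cache.caption(img), cache.upstream_calls)   # first call goes upstream
    print(cache.caption(img), cache.upstream_calls)   # second is served from cache
    clock[0] = TTL_SECONDS + 1
    print(cache.caption(img), cache.upstream_calls)   # expired, fetched again
```

Hashing the bytes rather than a filename or URL is what gives the "same image attached twice" guarantee independent of where the image came from; it also means the cache never needs to store the image itself, only the digest and the caption text.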
We cannot mathematically prove that any frontier foundation model is free of embedded behaviors. Goldwasser, Kim, Vaikuntanathan & Zamir (2022) proved that no party can — this applies equally to Claude, GPT-5, Gemini, and every closed-weight model in production today. The limit is cryptographic, not engineering.
We acknowledge this openly. Our security guarantees do not depend on proving the model is clean. They depend on the runtime architecture above: the model cannot affect your machine without your explicit approval, and inference cannot retain your data because we forbid it at the API boundary.
Model origin is a security non-issue when the runtime treats every model as adversarial. We do.
The complete list of third parties that may process customer data on Dropstone's behalf:
This list is the full set. Changes are reflected here within seven business days of any addition or removal.
Dropstone is a thin authenticated proxy — we do not persist customer code, prompts, completions, or attached files. Customer data is processed only by subprocessors that maintain their own current security certifications. The full chain is audited end-to-end through inheritance:
| Subprocessor | Certifications |
|---|---|
| OpenRouter | SOC 2 Type II |
| DeepInfra | SOC 2 Type II, HIPAA-ready |
| Fireworks AI | SOC 2 Type II, HIPAA |
| Together AI | SOC 2 Type II |
| Google AI Studio | SOC 1 / 2 / 3, ISO 27001 / 17 / 18, FedRAMP High, HIPAA, PCI DSS |
| Stripe | PCI DSS Level 1, SOC 1, SOC 2, ISO 27001 |
A Dropstone-level SOC 2 Type I audit is planned for our enterprise GA. We commission it earlier on request — enterprise prospects with procurement requirements can write to [email protected] to schedule.
Inherited compliance is not a substitute for our own audit — it is the floor we operate above. Certifications listed reflect each subprocessor's current published status; verify directly with the provider before relying on them for procurement.
For organizations operating under FedRAMP-adjacent, DoD-procurement, or specific regulated-finance requirements where open-weight model provenance restrictions apply, Dropstone offers an Enterprise tier built on US-trained open-weight models. The runtime architecture is identical; only the underlying model selection differs.
VPC deployment, BYOK encryption, and SOC 2 documentation are available on request.
Contact [email protected].
If you discover a vulnerability or unexpected behavior in Dropstone CLI, the Dropstone server, or any infrastructure listed in Section 07, please report it to [email protected]. We acknowledge all reports within 48 hours.
We do not currently operate a bug bounty program. Coordinated disclosure with named credit is offered for any substantive report.