LockMargin

Privacy-First Invoice Software with Military-Grade Encryption

Your data never leaves your machine. Here's how we protect it.

100% Local, Zero Cloud

LockMargin is a desktop application. Your data is stored locally in an encrypted SQLite database on your machine. There is no cloud sync, no remote servers, no third-party data sharing. Ever.

AES-256-GCM Encryption

All sensitive fields (bank accounts, tax IDs, contact information, payment details) are encrypted using AES-256-GCM — the same encryption standard used by banks and government agencies.

How It Works

  • Key Derivation: Your master password is used to derive an encryption key using PBKDF2-HMAC-SHA256 with 100,000 iterations
  • Key Storage: The encryption key is stored in Windows Credential Manager — never in the database or files
  • Salt Storage: A unique salt is stored in the encryption_metadata table (separate from the key)
  • Authenticated Encryption: AES-GCM provides both confidentiality and integrity — tampered data is detected immediately

What We Don't Do

  • ❌ No cloud storage or sync
  • ❌ No telemetry or analytics (unless you opt in)
  • ❌ No third-party data sharing
  • ❌ No access to your encryption keys
  • ❌ No ability to reset your password (we don't store it)

Security Audits

LockMargin's security architecture was audited by Maya Thompson, an external security researcher and IT auditor. The audit covered:

  • Encryption implementation and key management
  • SQLite database security
  • Windows Credential Manager integration
  • Soft delete and data retention policies

Reporting Vulnerabilities

If you discover a security vulnerability in LockMargin, please report it responsibly:

Email: privacy@lockmargin.com

We take all reports seriously and will work with you to understand and resolve the issue. We do not offer bug bounties at this time, but we will credit responsible disclosures (with your permission).

Best Practices for Users

  • Use a strong, unique master password (16+ characters, mixed case, numbers, symbols)
  • Enable Windows BitLocker or FileVault for full-disk encryption
  • Create regular backups (LockMargin has built-in backup tools)
  • Keep LockMargin updated to the latest version
  • Lock your computer when stepping away

Compliance

LockMargin is designed to help you comply with:

  • GDPR: Data stays on your machine, no third-party processors
  • CCPA: You control your data completely
  • ABA Model Rules: Suitable for lawyers handling client data (see our article on ABA compliance)

How AES-256-GCM Encryption Protects Freelancer Data

AES-256-GCM isn't marketing jargon. It's the same encryption standard the NSA uses for top-secret documents. LockMargin encrypts every sensitive field — bank accounts, tax IDs, client contacts — before writing to disk.

If someone steals your laptop, pulls the hard drive, and images the SQLite file? They get garbage. Without your Windows password and LockMargin master password, the data is unreadable.

Windows Credential Manager Integration for Zero-Knowledge Security

LockMargin doesn't store your encryption key in its database or files. It derives the key from your master password using PBKDF2-HMAC-SHA256 with 100,000 iterations and hands it straight to Windows Credential Manager.

We never see your key. We can't reset your password. We can't decrypt your data. Nobody can — except you.

Contact

For security questions, contact privacy@lockmargin.com