Enterprise

Your whole business — it never leaves your building.

Every other enterprise platform promises to keep your data safe in their cloud. Excellent makes the opposite, stronger promise — your operation, your agents, and your audit trail run on hardware you own.

0 bytes
leave your network without your say-so
AES-256
at-rest on single-machine installs — key in your OS keychain, never the database; full-disk encryption for synced fleets
2-of-2
every agent-shipped change is verified by a different party
100%
exportable, offline-capable, and yours

[Why Excellent]

Three reasons your security review ends early.

The local-first architecture that makes procurement, legal, and IT nod instead of flinch.

Data sovereignty

Your operation lives on hardware you control.

  • Every record — people, money, contracts, candidates — sits in a local database on your machines.
  • No tenant, no upload, no vendor cloud holding your business hostage.
  • The breach that takes your competitor's vendor offline can't reach you: there's nothing in a shared cloud to breach.

Governance & audit

Separation of duties, enforced on every agent action.

  • No agent signs off its own work — every change it makes travels todo → review → done, approved by a different agent.
  • A per-entity capability graph — roles, grants, and per-record ACLs — controls who, and which agent, can touch what.
  • A signed, hash-chained audit log makes any tampering evident after the fact.

Deployment & control

Runs where you need it to.

  • A laptop, a NUC in a closet, or your own servers — same install, your infrastructure.
  • Self-hosted sync keeps a team in step through a primary you own, with no third-party relay.
  • Bring your own LLM key — inference is yours to route, meter, and cap.

[Security Posture]

Built for the security review.

The guarantees are structural, not policy — they hold because of where the data is, not because we promise to behave.

A database you own

Your whole business is a local SQLite file on your machine. No tenant, no upload, no lock-in — and it works offline.

Bring your own LLM key

You supply a Claude or OpenAI key. It's sealed on your machine and the agents bill to your account, not ours.

Encrypted at rest

Sensitive state lives in an encrypted vault with the key off-database, in your OS keychain — never written next to the data.

A signed audit chain

Every change is an event in a per-node hash chain with signed checkpoints. The history is tamper-evident by construction.

Open MCP server

Every operation is exposed over an open MCP server, so any agent — including your terminal Claude — can drive the same data.

Exportable, always

It's your data in an open format. Export the whole workspace any time — there's no door we can lock you out of.

[Governance]

No agent signs off its own work.

The ship / verify gate governs every change your agents make — claimed, executed, then approved by a different agent, and written to a signed, hash-chained log you keep.

  • Two-party sign-off is enforced at the MCP gate — an agent physically cannot approve its own change.
  • A capability graph scopes every mutating action to a role, a grant, or a single record.
  • Signed checkpoints over the event chain make tampering evident without trusting a vendor's logs.
events — append-only, hash-chained
01task.claimedshipper·claude-8df093
#482 · onboarding-flow
02task.shippedshipper·claude-8df093
→ review · evidence attached
03task.verifiedverifier·human-2a1c
≠ shipper · approved
04checkpoint.signedhmac-sha256
chain head 0x9f3c…
chain intact — 0 gaps, 0 rewrites

[Deployment]

Runs where you need it to.

Same install, your infrastructure — from one laptop to a fleet behind an air gap.

Single machine

One install, one database.

The whole operation on a laptop or a NUC. Works offline on a plane, backs up like any other file, and answers to no one's uptime page but your own.

Team — self-hosted sync

A primary you run.

Every device keeps a local replica of a primary you own and operate — serial multi-device sync, last-write-wins on concurrent offline edits, no middleman ever holds a copy. The replica is plaintext at rest; protect it with full-disk encryption.

Air-gapped

No egress at all.

Point it at a local model, pull the network cable, and every app still runs. For the environments where “the cloud” is a non-starter and “trust us” isn't an answer.

Standing up the team shape yourself? The self-host guide walks through it — one small box, provisioned from inside the app.

[The Case]

Why local-first is the enterprise-safe default.

Local-first Excellent versus typical enterprise SaaS, across the dimensions procurement evaluates.
DimensionTypical enterprise SaaSExcellent
Where your data livesA vendor's multi-tenant cloudMachines you own and operate
Breach blast radiusEvery tenant on the vendorOne device under your control
Offline / air-gappedNeeds their servers to functionRuns with the cable unplugged
Audit trailLogs the vendor owns and can changeSigned, hash-chained, and local
Who runs the AIThe vendor's models, in their cloudYour keys, your models, your caps
Cost to leaveExport battles and lock-inIt's already a file you own

[What's Included]

The app is free. Enterprise is the hand getting it in.

Excellent is yours to download and keep. An Enterprise agreement adds the licensing, support, and paperwork that a rollout across an org needs.

Org-wide licensing

One agreement across every seat, machine, and department — no per-seat metering to reconcile.

Guided deployment & migration

We help you stand it up on your hardware and bring your data across from the tools you're leaving.

Priority support with an SLA

A response commitment in writing, and a named contact who already knows how your setup is wired.

Custom roles & access policies

Shape the capability graph to your org — which people and which agents can read, write, or approve.

Security-review support

Architecture docs, a filled security questionnaire, and a DPA — the paperwork procurement needs to say yes.

Private LLM routing

Your keys, your models, your caps — route inference to a provider you approve, or a model on your own metal.

Questions procurement asks.

Where does our data actually live?
In a local SQLite database on hardware you control — a laptop, a server, a NUC. Nothing is uploaded to us. There is no Excellent tenant holding a copy of your business.
Can it run fully air-gapped?
Yes. Point it at a model running on your own metal, disconnect the network, and every app — tasks, CRM, hiring, documents — keeps working. The only outbound traffic is the LLM calls you choose to make.
How do you handle roles and access?
A capability graph governs every mutating action down to the entity level — roles, grants, and per-record ACLs, enforced at the same seam for both people and agents. Enterprise engagements include help modeling it to your org chart.
Is there an audit trail for compliance?
Every change is an append-only, per-node hash-chained event, with signed checkpoints over the chain head. The log is tamper-evident and lives on your machine — you hand auditors a file, not a support ticket.
What about SSO and directory sync?
Identity today is derived per device and governed by the capability graph. Directory-based SSO / SCIM for the self-hosted team plane is on the roadmap — tell us your requirements and we'll scope it with you.
How is Enterprise licensed and priced?
The app itself is free to run and yours to keep. Enterprise is a support-and-deployment agreement — org-wide licensing, an SLA, migration help, and security-review support — priced to your size and needs. Talk to us.

Bring your enterprise home.

Tell us about your org, your data-residency requirements, and how you want it deployed. We'll scope a rollout that keeps every byte on your side of the wire.