Most "private" software asks you to trust a company. Searxly is built so there's almost nothing to trust in the first place — the engine runs on your Mac, your keys never leave it, and the AI defaults to on-device. This is the full, honest breakdown, feature by feature.
The whole design hinges on a single boundary: your machine. The sensitive things — your queries, your keys, your AI prompts — live inside it. Only a few, well-defined requests ever cross out, and you can see every one of them.
Sandboxed app · Hardened Runtime · no accounts · no telemetry
Every outbound action is shown, logged, and yours to refuse.
Each piece is engineered to remove a reason to trust us. Open any one for the mechanism — diagrams, specs, and the threats it's built to stop.
A real SearXNG instance on your Mac. Queries sent by POST, bound to localhost, never logged — there's no server in the middle.
Read the flow →
BIP-39 seed, secp256k1 signing, AES-GCM encryption under a PIN bound to the Secure Enclave. We can never move your funds.
See the key model →
A five-layer shield against prompt injection when the AI reads a web page. Open-source, defense-in-depth, honestly framed.
See the five layers →
The app runs sandboxed under the Hardened Runtime. Privileged work is split into an XPC helper — least privilege by design.
See the boundary →
On-device by default, opt-in private cloud, no training on your chats. A master kill-switch, an activity log, and Bulwark on every page it reads.
See the data flow →
CryptoKit encryption at rest, a local password vault, data-protection Keychain, and a panic-wipe that clears it all instantly.
See what's stored →
This static site ships no trackers, locks down a strict CSP, and proves waitlist eligibility with a read-only, fund-safe signature.
See the headers →
Searxly's source is published for review. Don't take our word for any of this — the architecture is open to inspection.
Open on GitHub →
The strongest privacy claim is one you don't have to believe. The search engine runs on hardware you own; on-device AI can be checked with a network monitor; the source is published. We'd rather show you than ask you to take our word.
No single control is treated as a silver bullet. Prompt injection gets five layers; the wallet seed gets a slow KDF, AES-GCM, the Secure Enclave and a lockout. If one layer fails, the next is still standing.
The app is sandboxed and the privileged work is isolated behind an XPC helper, so even a compromised web page is fenced in. Components get exactly the access they need and nothing more.
Security isn't marketing. Where a guarantee has an edge — your IP to a search engine, prompt injection as an unsolved field, a feature still pending review — we say so plainly instead of papering over it.
If you believe you've found a vulnerability, please report it privately through an official channel before disclosing it publicly, and give us a reasonable window to fix it. Security researchers acting in good faith are welcome here.
Official channels only · Please don't test against other people's machines or funds