Everything runs on the device
All moderation happens locally. Images, video frames and messages are analyzed on the device and are never uploaded, so there is no server that could store or leak user content. This is the core of how Nosmai handles data.
What leaves the device
Only one thing touches the network, and it carries no user content: the license check. On the first launch (and when the cached license expires) the SDK sends a small verify request with your license key, a device identifier, the platform, the SDK version, and your app's package name, bundle id, or domain. No image, frame, or message is ever part of that request.
After a successful check the result is cached, so later launches usually need no network at all.
Encrypted models
The detection models ship inside the SDK as encrypted files (AES-256-GCM). The decryption key is not bundled with the app: it is delivered inside the signed license at runtime, and the models are decrypted only in memory after a valid license check. A raw copy of a model file, taken from the app package or a CDN, is unusable ciphertext on its own.
License integrity
The license is a signed token (RS256). The SDK verifies the signature on the device against a pinned public key, so a fake or tampered response cannot unlock the models, and a key issued for a different app, domain, or platform is rejected.
Honest limits
On-device moderation is private and hard to scrape, but it is not tamper-proof against a determined, licensed attacker:
- To run, a model must be decrypted in memory on a device that holds a valid license, so someone with that access can, with effort, reach it. Encryption stops casual and unlicensed extraction, not a motivated insider.
- Because the check happens client-side, the content author's own app can choose to ignore a verdict.
For stricter guarantees, treat the on-device verdict as a fast first layer and enforce the decisions that matter (for example, whether a post is published) on your server as well. Contact Nosmai if you need per-license model keys so a leak can be traced and revoked.
Best practices
- Use separate test and production license keys, and use the production key only in release builds.
- Keep license keys out of source control and public repositories; treat them as app configuration.
- On web, serve the model files from an origin you control and restrict access to your own domain.
[!NOTE] See Authentication for how license verification, caching and the offline grace period work.