Security & Privacy

Your code stays
on your machine.

Nimbus runs entirely locally. Your Apex source, your test data, your schema - none of it leaves your machine. This page explains exactly what Nimbus does and doesn't do with your data.

What runs locally

Source code

Never leaves your machine

Nimbus reads your .cls, .trigger, and .flow-meta.xml files locally. No source is transmitted anywhere - not to Nimbus servers, not to Salesforce, not to any third party.

Test data

Stays in embedded PostgreSQL

Records inserted during tests live in an embedded PostgreSQL instance on your local disk. The database runs in-process - it has no network port open. Nothing persists between test runs (each test runs in a rolled-back transaction).

Schema

Parsed from your project

Object definitions are read from your sfdx-project.json and .object-meta.xml files. No schema is fetched from a Salesforce org - Nimbus works entirely from source.

Execution

In-process interpreter

The Apex interpreter runs as a subprocess on your machine. No code is sent to a remote execution environment. Results are computed locally and displayed in your terminal or editor.

Telemetry

Nimbus collects minimal, anonymous usage telemetry by default - command invocation counts and error rates. No source code, no file paths, no test names, no record data is ever included.

Telemetry is aggregated and used only to understand which features are used and which error patterns to prioritize. It is not sold, shared, or used for advertising.

You can opt out at any time:

bash
# Disable telemetry permanently
nimbus config set telemetry=false

# Or set in nimbus.properties
# nimbus.telemetry=false

# Or via environment variable
# NIMBUS_TELEMETRY=false nimbus test "*"

# Verify telemetry status
nimbus config get telemetry
Telemetry is automatically disabled when CI=true is set in the environment, which is the case on all major CI platforms (GitHub Actions, GitLab CI, CircleCI, Jenkins).

License validation

Pro and Team licenses are validated via a lightweight request to the Nimbus licensing API on first activation and periodically thereafter. The request contains only your license key and a machine identifier.

The machine identifier is a one-way hash of your hostname - it cannot be reversed to identify your machine and is used only to enforce seat limits. No other data is sent.

Free tier requires no network access at all. Licenses are cached locally and validated offline for up to 7 days, so Nimbus works without internet access for normal use.

bash
# Activate a license
nimbus license activate YOUR_LICENSE_KEY

# What's sent to the licensing API:
# {
#   "key": "NIMBUS-XXXX-XXXX-XXXX",
#   "machine": "sha256:a3f8b2..." ← one-way hash
# }

# What's NOT sent:
# - Your name or email
# - File paths or project names
# - Source code or test output
# - Any Salesforce data

Network access summary

nimbus test "*"NoneFully local
nimbus test:watchNoneFully local
nimbus devlocalhost onlyWebSocket to browser on same machine
nimbus license activatelicensing API onlyKey + machine hash. One-time.
brew upgrade nimbusGitHub releasesBinary download, standard Homebrew
Anonymous telemetryanalytics.testnimbus.devOpt-out: nimbus.telemetry=false

Enterprise and air-gapped environments

Nimbus supports fully air-gapped installation. The binary and embedded database engine can be distributed via internal artifact repositories without internet access.

For Team tier customers, on-premise license validation is available - no outbound network required for license checks. Contact us to discuss your deployment requirements.

bash
# Air-gapped install: copy binary directly
cp nimbus /usr/local/bin/nimbus

# Pre-seed the embedded database engine
# (downloaded once, then cached)
nimbus init --cache-dir /opt/nimbus-cache

# Disable all network access
# nimbus.telemetry=false
# nimbus.update-check=false

Questions about security?

If you have specific security requirements or need documentation for an enterprise procurement review, reach out directly.

Contact usFAQ