Trust & Security

Last updated: 3 May 2026 · Version 0.1 · Operated by MeliUX Ltd. Looking to report a security issue? See our disclosure policy.

Why this page exists. AllAddin runs inside Revit, on machines holding billable client work. Architects and engineers are personally liable for that work. Before you install us, you should be able to answer three questions in plain language: what leaves your machine, what protects what stays, and what happens when you uninstall. This page answers those, with sources you can verify yourself.

Signed installerAuthenticode

ISO 27001ISMS drafted

UK GDPRICO registered

Sandboxed exec28 patterns blocked

DPAPI tokensper-user encryption

UK-basedMeliUX Ltd · 12413967

1. What leaves your machine

AllAddin sends the smallest amount of data that lets the AI help you. Two columns: what travels, what doesn't.

Sent to our backend

The natural-language question you typed.
The Revit version, language pack, and active view name.
A small structured snapshot of the active selection (element types and counts, not geometry).
The generated code's execution outcome (success / error string), so we can learn what worked.
Anonymous usage telemetry (request timing, model used).

Stays on your machine

Your model contents and geometry.
Element parameter values, schedules, sheet content.
Family library contents and shared parameters.
Your .rvt / .rfa / .rte files.
Project-level metadata beyond what's listed on the left.

The wire shape is verifiable: every request is a small JSON envelope (backend/app/models.py § GenerateContext) and we publish its schema. If you want to inspect a request before it leaves, set diagnostic_mode = true in %APPDATA%\AllAddin\config.ini and AllAddin will log the full body to a local file before sending.

2. Encryption

In transit. TLS 1.2+ on every connection between AllAddin and our backend. HSTS enforced via the Railway edge plus an application-layer fallback.
Tokens at rest. Your authentication token is encrypted with Windows DPAPI in the user-scope, so only the Windows account that pasted it can decrypt it. Stolen config.ini on a different machine is useless.
Server-side. Database is managed Postgres on Railway with provider-level encryption at rest. Sentry receives no PII (send_default_pii = False).
Anthropic / OpenAI. We use them as sub-processors; their data-processing agreements are linked from that page. We do not opt in to model training on your data.

3. Sandboxed code execution

The AI generates C# code that runs inside Revit's process. Before execution, the script engine rejects code matching any of 28 blocked patterns:

Filesystem. No System.IO, File.*, Directory.*, or path manipulation outside Revit's own document handles.
Network. No HttpClient, WebClient, Socket, or Process.Start for outbound connections.
Process spawn. No Process.Start, Assembly.Load from disk, or shell invocation.
Reflection. No System.Reflection abuse to bypass the above.
Persistence. No registry writes, no service installs, no scheduled tasks.

A blocked script never runs -- it's surfaced back to the chat as a script-engine reject, with the offending pattern highlighted, before Revit ever sees it. The full pattern list is in AllAddin/CSharpScriptEngine.cs if you want to verify.

4. Compliance posture

UK GDPR. MeliUX Ltd is registered with the UK Information Commissioner's Office (ICO registration ZC137214). We are the data controller; processing details are in the privacy policy and the sub-processor list.

ISO 27001:2022. Our Information Security Management System (ISMS) is fully drafted: 51 v0.1 documents covering all 12 ISMS management documents, 16 InfoSec policies, 7 UK GDPR / DPA 2018 artefacts, 10 live-records scaffolds, and a Statement of Applicability mapping all 93 Annex A controls. Certification is not yet in progress -- this is honest drafted-not-certified status. We surface the work because it shapes how we operate today, not because we're claiming a certificate we don't have.

SOC 2. Not yet on roadmap; revisit once ISO 27001 certification is in motion and we have a US-customer pull demanding it.

5. Ongoing security testing

Dynamic application security testing (DAST). OWASP ZAP baseline scan against our staging environment, weekly cron. Findings auto-ingested into our security_findings ledger and triaged.
Static analysis (SAST). Semgrep + Bandit on every push. Patterns covering injection, secrets, dangerous APIs.
Software composition analysis (SCA). Trivy + pip-audit + GitHub Dependabot on every dependency change.
Secret scanning. gitleaks on every commit; pre-commit hooks block secret-shaped strings before they leave a developer machine.
Independent third-party penetration test. Scheduled for Q3 2026.

6. Uninstall guarantee

The MSI uninstaller removes everything AllAddin put on your machine, in four places:

%APPDATA%\AllAddin\ -- config, cache, logs.
%LOCALAPPDATA%\AllAddin\ -- local-machine state.
Revit add-in manifests (%APPDATA%\Autodesk\Revit\Addins\<version>\).
The Authenticode publisher trust entry (only if it was added by us; we don't touch the Windows trust store otherwise).

What we don't leave behind: registry orphans, scheduled tasks, Windows services, telemetry beacons. The uninstaller is the standard Programs and Features entry; no special ceremony required.

If you want to see this in motion before installing: a 60-second screen recording of the full install → use → uninstall cycle lives at /uninstall-demo.

7. What we won't do

We won't train Anthropic's or OpenAI's models on your data. Both providers offer non-training inference modes; we use them.
We won't sell or share your data with advertisers. We are a paid tool, not an ad-supported one. Sub-processors are listed at /sub-processors and the list is contractually bounded.
We won't read your model contents. We can't -- your model contents don't leave your machine. See section 1.
We won't auto-update without your knowledge. AllAddin checks for updates on launch and prompts you; the install step is yours.
We won't survive on dark patterns. Cancellation is a single click in the panel. Uninstall is a standard MSI uninstall. We don't email you "win-back" campaigns.

8. Who we are

AllAddin is built by MeliUX Ltd, a UK limited company registered in England and Wales (Companies House number 12413967), based in southeast London, operated by Rene Pellicer Garcia. The founder co-authored Pearson VUE's Revit professional certification exam (2018) and has been active in the Revit / Dynamo / RevitAPI ecosystem since 2009.

We are venture-unbacked at the time of writing. We do not currently have outside investors with influence over data or product decisions. If that changes, we'll update this section.

What you can verify

Trust signals that are useful only if you can check them yourself:

Our installer is signed; right-click the MSI → Properties → Digital Signatures should show MeliUX Ltd.
Our network egress endpoints are listed at /it-policy for IT teams to allow-list.
Our vulnerability disclosure policy and security.txt are at /security and /.well-known/security.txt.
Our sub-processor list is at /sub-processors.
Our privacy policy with the full retention schedule is at /privacy.

Questions or pushback

If your IT team needs a security memo, security questionnaire, or vendor-risk-assessment response, email trust@alladdin.dev and we'll reply within two business days. We've answered most of the common ones already; we maintain a template that we'll send back filled in for your firm's questionnaire.

If you spot something on this page that doesn't match what AllAddin actually does, please tell us -- that's exactly the kind of feedback that improves this page. trust@alladdin.dev.