The architecture

Three planes. Each does exactly one job.

NextAgent has a clean separation between the control plane (what we run), the execution plane (what runs on your hardware), and the inference plane (what handles model calls). Each plane has a narrow, well-defined role. None of them overlap.

The privacy guarantee follows from this structure, not from policy. We cannot decrypt your conversations because we never receive them. We cannot access your data because it doesn't transit our systems.

Control plane — NextAgent servers

Manages identity: user accounts, org membership, roles, agent assignments. Handles routing — telling your machine which agent to run when a user sends a message. Stores no conversation content, no agent outputs, no files.

Execution plane — your hardware

A small host-agent daemon runs on a machine you own and control. It receives spawn commands from the control plane, runs Claude Code in a scoped workspace, and streams output back. All conversation data, agent memory, and file access happen here.

Inference plane — ZDR providers

Model calls go directly from your machine to inference providers with zero-data-retention agreements: Fireworks, OpenRouter (ZDR routes), or your own Anthropic subscription. Prompts do not pass through NextAgent's servers.

Request lifecycle

What happens when a user sends a message.

Trace a single message from the browser to a model response. At no point does message content reach NextAgent's servers.

1. User sends a message in the NextAgent chat interface. The browser sends the message text to the NextAgent control plane.

2. Control plane issues a spawn command to the host-agent on your machine via an outbound HTTPS reverse channel. The command includes the message and the agent's configuration. No logging of message content occurs on our side.

3. Host-agent spawns Claude Code on your hardware in the agent's configured working directory. Claude Code runs as an unprivileged service account scoped to that workspace.

4. Claude Code calls the inference provider directly — Fireworks, OpenRouter, or Anthropic — from your machine. The prompt never reaches NextAgent's network. The inference provider receives only what Claude Code sends, under their ZDR terms.

5. Response streams back through the host-agent to the control plane, which relays the token stream to the browser. The control plane sees opaque SSE bytes — it does not parse or store message content.

6. Conversation is persisted locally on your machine by the host-agent. The conversation record does not leave your hardware except as part of your own encrypted org backup.

Threat model

What an attacker can and cannot get.

This is what we can honestly say about each threat scenario. We've structured the system so the worst-case breach of our infrastructure is as narrow as possible.

| Scenario | What the attacker gets |
| --- | --- |
| NextAgent control plane is breached | A list of email addresses and org membership data. No conversation content. No agent outputs. No files. We hold no keys that would decrypt anything on your machine. |
| NextAgent employee goes rogue | Same as above: identity metadata only. An employee with full database access cannot read your conversations because we don't have them. |
| Inference provider is breached | The content of prompts and responses processed under their ZDR agreement. This is a risk inherent to using any cloud inference provider — mitigated but not eliminated by ZDR terms. Your org's identity is not linked to your inference activity. |
| Your machine is compromised | Everything on it — this is the execution plane and holds your data by design. Standard endpoint security practices apply. The host-agent daemon is not a privileged process and does not expand the attack surface meaningfully beyond what Claude Code itself would expose. |
| NextAgent goes out of business | No data loss. Your data is on your machine. The host-agent source would be released. The NAEP protocol is documented so organizations can self-host the control plane. |

Recovery

What happens when your hardware fails.

When you provision your first machine, NextAgent generates an org backup key. That key is displayed once, in the browser, and never transmitted to or stored by NextAgent. You print it, screenshot it, and store it yourself.

Backups are encrypted with this key before leaving your machine. They're stored in a location you configure (your own cloud bucket, an external drive — your choice). NextAgent cannot read them.

If your machine fails, you provision a new one and restore from your backup using your key. We have no role in this process and cannot assist with it. That's by design: recovery that depends on a third party is a dependency you don't want.

Recovery checklist

Backup key generated at provisioning. Never transmitted to NextAgent after initial display.
Backups encrypted before leaving your machine. NextAgent-managed storage or your own — your choice.
Recovery is self-service. Provision a new machine, restore with your key.
NextAgent has no recovery role. We cannot assist or be compelled to assist with recovery.

The host-agent

What runs on your machine and what it can do.

The host-agent is a small Python daemon installed at ~/.nextagent/ on the provisioned machine. It has three responsibilities and no others.

It receives commands from the NextAgent control plane over an outbound HTTPS channel — no inbound ports, no firewall changes required. It spawns Claude Code as an unprivileged service account in the configured working directory. It streams output back to the control plane as opaque SSE events.

The host-agent does not read files outside the configured workspace, does not have access to system credentials, and does not execute arbitrary code outside of Claude Code subprocesses. The source is auditable. Organizations can and should review it before deploying.

Host-agent permissions

Outbound HTTPS to nextagent.com: Yes
Inbound connections: None
File access scope: Workspace only
Runs as: Unprivileged service account
Access to system credentials: None
Source auditable: Yes
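
A check a reviewer could run against the permissions listed above (no inbound ports, unprivileged account, outbound HTTPS only); this is an added example, not NextAgent's code. The uid 1001, the use of port 443 for the HTTPS channel and the sample rows are assumptions constructed for illustration, and only IPv4 rows in Linux's /proc/net/tcp layout are covered.

```python
import socket
import struct

TCP_LISTEN = "0A"   # state code for LISTEN in /proc/net/tcp
HTTPS_PORT = 443    # assumption: the outbound HTTPS channel uses the default port

# Constructed sample in /proc/net/tcp layout; uid 1001 stands in for the service account.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 20001
   1: 0A00000A:C350 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000  1001        0 20002
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20003
"""

def decode_addr(hex_addr):
    """Decode 'IIIIIIII:PPPP' (IPv4, as printed on a little-endian host)."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def sockets_for_uid(proc_net_tcp, uid):
    """Return (listeners, peers) for TCP sockets owned by uid."""
    listeners, peers = [], []
    for line in proc_net_tcp.splitlines()[1:]:        # skip the header row
        fields = line.split()
        if len(fields) < 8 or int(fields[7]) != uid:
            continue
        if fields[3] == TCP_LISTEN:
            listeners.append(decode_addr(fields[1]))  # local bind address
        else:
            peers.append(decode_addr(fields[2]))      # remote end of a connection
    return listeners, peers

def audit(proc_net_tcp, uid):
    """List deviations from the stated host-agent permissions."""
    findings = []
    if uid == 0:
        findings.append("runs as root, expected an unprivileged service account")
    listeners, peers = sockets_for_uid(proc_net_tcp, uid)
    for ip, port in listeners:
        findings.append(f"listening on {ip}:{port}, expected no inbound ports")
    for ip, port in peers:
        if port != HTTPS_PORT:
            findings.append(f"connection to {ip}:{port} is not on port {HTTPS_PORT}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, 1001):
        print(finding)
```

On a provisioned Linux machine, pass the contents of /proc/net/tcp and the service account's numeric uid; /proc/net/tcp6 uses a wider address field and needs its own decoder.
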
Ready?

Start with the free tier. No commitment.

One machine, five users, full capabilities. Everything you need to evaluate whether this is the right fit.
