End-to-end encrypted. Local-first. Your data stays yours.

Your CRM. Encrypted.
On your desktop.

ShadCRM is a local-first desktop CRM sealed with AES-256-GCM on your machine before a single byte reaches the network. Pipeline, invoicing, meeting recorder, and optional automated lead generation — all running on your hardware.

Get ShadCRMSee how it works
AES-256-GCMEd25519 + X25519Local-First7-day Free Trial

It’s your data, we couldn’t sell it if we tried.

Private pipelines · No data brokers · Built with vibes

How it works

Local-first. Encrypted. Syncable.

Three steps. No cloud database to trust. No server that can be subpoenaed for your plaintext.

01
Install the desktop app

Free Windows installer, macOS and Linux on the way. Ships with local SQLite and a bundled update channel. No account required to start.

02
Encrypt before it leaves

Every record, file, and message is sealed with AES-256-GCM on your machine before a byte reaches the network. Keys never touch our servers.

03
Sync through an end-to-end encrypted relay

Device identities verified via Ed25519. Workspace keys distributed via authenticated X25519. The relay only ever sees ciphertext — it has no ability to decrypt what it forwards.

Features

Every tool your pipeline needs, on one installer.

No twelve separate SaaS logins. No data scattered across ten vendors. One encrypted desktop app, one encrypted database.

Encrypted Sync

Per-workspace AES-256-GCM keys exchanged via authenticated X25519 key agreement. Our relay only stores ciphertext it cannot read.

Sales Pipeline

Contacts, companies, tasks, notes, and deals. Kanban, list, and table views. Auto-convert qualified leads to opportunities.

Meeting RecorderPro+

Capture calls, transcribe locally, and attach transcripts plus action items to the associated deal or contact.

Automated Lead GenerationEnterprise

Automated prospect discovery from public data sources. Ships with a local AI engine that never leaves your machine.

Invoicing & Payments

Line items, tax, products. Wire transfer and cryptocurrency payment addresses built in. Send directly from your Gmail.

Email Outreach

Templates with merge fields. Mass send to mailing lists. Schedule or send immediately through your Gmail account.

Tasks & Projects

Task lists with custom statuses. Kanban, list, and table views. Subtasks, assignees, and due dates.

Team Workspaces

Role-based permissions. Invite by username. Each workspace syncs independently with its own encryption key.

Security

Why our encryption actually matters.

Industry-standard primitives, assembled the way cryptographers actually recommend. No custom cryptography, no hand-rolled key management.

AES-256-GCM

Data at rest and in transit

Authenticated symmetric encryption with per-workspace keys. Message integrity and confidentiality in a single primitive.

Ed25519

Device identity

Every device signs its sync requests with an Ed25519 identity key. Replayed or tampered payloads are rejected on arrival.

X25519

Key exchange

Ephemeral X25519 agreement distributes workspace keys only to authenticated devices. No shared master secret leaves your team.

What the relay actually sees

Visible

  • Opaque ciphertext blobs
  • Device public keys
  • Workspace IDs for routing

Never visible

  • ×Your contacts or deals
  • ×Meeting transcripts
  • ×Workspace symmetric keys

Start your 7-day free trial. No credit card until day 8.

Download the desktop app, pick a plan, and run an encrypted pipeline inside ten minutes. Cancel anytime without losing your local data.

Get ShadCRMRead our story