Your API keys never leave your phone

Three weeks after we launched BYOK (Bring Your Own Key) support for OpenAI, a customer emailed asking a single question: "Where do you actually store my API key?" I spent twenty minutes writing an answer before realising we should have made this obvious from the start.

The moment we decided to do this differently

When we added AI-drafted WhatsApp messages to Konnect for Business, we faced a choice that most mobile CRM makers don't bother with. We could set up our own OpenAI account, hit their API on your behalf, and charge you a margin on top. That's the standard play. Keeps things simple. Makes recurring revenue predictable.

But I kept thinking about the conversations I have with our users. A mortgage broker in Manchester. A recruitment consultant in Leeds. A real estate agent in London. These are professionals who've built their whole business on relationships and trust. They're not going to upload sensitive data into some vendor's black box without knowing exactly what happens to it.

So we built BYOK instead. You bring your own OpenAI API key. We use it to draft your messages. Your key stays on your phone. Nothing gets shipped to our servers.

How it actually works, technically

When you activate AI features in Konnect for Business, we ask you to paste your OpenAI API key directly into the app on your iPhone. The app encrypts that key locally, using the device's native security layer. Every time you ask the app to draft a message, the request goes directly from your phone to OpenAI's API. No intermediary. No proxy. No MRVL server in between.

Your key is stored in the iPhone's Secure Enclave (on newer models) or Keychain (on older ones). Same place your banking apps store your credentials. Same encryption standard. If someone stole your phone and tried to extract that key, they'd need to unlock the device itself first. And if they could do that, they could access your banking apps anyway.

We never see your key. We never log it. We never cache it on our servers. The only data that leaves the app when you draft a message is the text you want written, and it goes to OpenAI, not to us.
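As an added illustration of the architecture described above (example code, not Konnect's own), here is how an iOS app can keep a pasted key in the Keychain and address the drafting request to OpenAI directly; the service and account names and the `model` argument are placeholders, and the `ThisDeviceOnly` accessibility class is the setting that actually keeps the item out of iCloud Keychain sync and off other devices.

```swift
import Foundation
import Security
// Placeholder identifiers for the Keychain item (not Konnect's real values).
private let keychainService = "com.example.byok"
private let keychainAccount = "openai-api-key"
enum KeyStoreError: Error { case osStatus(OSStatus), badEncoding }

enum KeyStore {
    private static var baseQuery: [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: keychainService,
         kSecAttrAccount as String: keychainAccount]
    }
    // Store the pasted key. ThisDeviceOnly excludes it from iCloud Keychain sync and
    // from restores onto another device; WhenUnlocked ties reads to the device passcode.
    static func save(_ apiKey: String) throws {
        _ = SecItemDelete(baseQuery as CFDictionary)      // replace any previous key
        var attrs = baseQuery
        attrs[kSecValueData as String] = Data(apiKey.utf8)
        attrs[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        let status = SecItemAdd(attrs as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeyStoreError.osStatus(status) }
    }
    static func load() throws -> String {
        var query = baseQuery
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        guard status == errSecSuccess else { throw KeyStoreError.osStatus(status) }
        guard let data = item as? Data, let key = String(data: data, encoding: .utf8) else {
            throw KeyStoreError.badEncoding
        }
        return key
    }
    // Call when the user turns AI drafting off so no key lingers on the device.
    static func delete() { _ = SecItemDelete(baseQuery as CFDictionary) }
}

// Build the drafting request: the key is read from the Keychain and placed only in the
// Authorization header of a request addressed to OpenAI itself, with no vendor proxy in between.
func makeDraftRequest(prompt: String, model: String) throws -> URLRequest {
    let apiKey = try KeyStore.load()
    var req = URLRequest(url: URL(string: "https://api.openai.com/v1/chat/completions")!)
    req.httpMethod = "POST"
    req.setValue("Bearer \(apiKey)", forHTTPHeaderField: "Authorization")
    req.setValue("application/json", forHTTPHeaderField: "Content-Type")
    let body: [String: Any] = ["model": model, "messages": [["role": "user", "content": prompt]]]
    req.httpBody = try JSONSerialization.data(withJSONObject: body)
    return req
}
```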

Why this matters more than it sounds

I won't pretend this is complicated technology. It's not. The Secure Enclave and Keychain have existed for years. The real challenge was deciding we cared enough to build it this way when the easier path was sitting right there.

But here's what I've learned: trust isn't a feature you can add later. You either design for it from the beginning, or you're building debt that compounds. Every conversation with a customer about where their data lives, every apology about a breach they read about on LinkedIn, every time someone chooses a competitor because they know their keys are safe there - that's the real cost.

Most of our users are solopreneurs or small team leaders. They don't have IT departments. They can't audit vendors or negotiate security clauses. They have to trust the app they're opening every morning to manage their client pipeline. That's not something to take lightly.

What happens when you uninstall the app

Your API key is deleted. Full stop. When you remove Konnect for Business from your phone, the encrypted key stored in the Keychain is removed too. There's no copy sitting in a database somewhere waiting to be "securely deleted" six months later. It's gone immediately.

If you decide to switch CRMs or stop using the AI features, you don't need to rotate your OpenAI API key unless you want to. You don't need to contact us. You don't need to file a data deletion request. The moment the app comes off your phone, you're completely decoupled from our infrastructure.

The conversation that shaped this

A week after launch, we got a message from a network marketing team using Konnect for Business on Pro. They'd been hesitant to enable AI drafting because their recruiter had warned them against pasting API keys into "cloud apps." That warning was right, in general. But because our architecture is different, it didn't apply.

Once they understood that their key never leaves the phone, they switched it on. Within a fortnight they'd moved to Plus and brought on two more team members. It wasn't the feature that converted them. It was knowing where their keys actually were.

That's when it clicked: we hadn't built a workaround to BYOK. We'd built a different kind of trust.

If you're thinking about connecting your OpenAI account to a CRM, the question to ask isn't "Do they support BYOK?" It's "Where does my key actually live once I paste it in?" Everything else flows from that answer.

Ready to try Konnect for Business?

One tap to download. No sign-up wall.
