ClipCatalog logo ClipCatalog
EN

Product Information

Last updated: 2026-05-28

This page is published in accordance with Annex II of Regulation (EU) 2024/2847 (the EU Cyber Resilience Act, “CRA”). It collects the manufacturer and product information that the regulation requires us to make available to users of ClipCatalog. It applies to the Windows desktop application; macOS and Linux are not in scope at the time of writing.

1. Manufacturer and contact details

Manufacturer: PAULUS DIGITAL SOLUTIONS LLC
Postal address: 3833 POWERLINE RD SUITE 201, FORT LAUDERDALE, FL. US 33309
General support email: support@clipcatalogpro.com
Data protection inquiries: privacy@clipcatalogpro.com

EU Authorised Representative: ClipCatalog is manufactured by PAULUS DIGITAL SOLUTIONS LLC, a United States limited liability company. No EU Authorised Representative is currently appointed for this product version under the Art. 69 transitional regime described in section 6 below. Direct contact for any matter concerning this product is via the postal address and email above.

2. Security contact and vulnerability reporting

In line with CRA Art. 13(17), we operate a single point of contact for reports about vulnerabilities in ClipCatalog. Reports are received and triaged by a human, not by an automated system.

Security contact: security@clipcatalogpro.com
Coordinated vulnerability disclosure policy: clipcatalogpro.com/security
Machine-readable contact (RFC 9116): /.well-known/security.txt
Public security advisories: clipcatalogpro.com/security/advisories

Please use the security contact above only for security issues. General product-support questions go to support@clipcatalogpro.com.

3. Product identification

Product name: ClipCatalog
Package identifier: clip_catalog
Platform covered by this document: Microsoft Windows desktop (x86_64), Windows 10 and Windows 11
Current shipping version: 0.19.1 (released 2026-05-12)
Product family this document applies to: the 0.x major-version family of ClipCatalog for Windows
Distribution: Authenticode-signed installer, available from clipcatalogpro.com/download

4. Intended use and security environment

Intended use. ClipCatalog is a desktop application that scans video folders on a single user’s Windows PC and builds a local, searchable library: thumbnails, AI-generated visual tags, transcripts, face groups, and semantic-search vectors. The user finds clips in their own library and hands the original video file off to an editing application (for example via drag-and-drop). No cuts, edits, or modifications are made to user video files.

Intended user. An individual end user. ClipCatalog is licensed per person, but the installer supports both a per-user setup (the default, no administrator rights required) and a per-machine setup for all Windows accounts on the same PC (admin credentials required at install time). When installed per-machine, each Windows account keeps its own encrypted catalog under that account’s profile. ClipCatalog is not designed for server deployments or for unattended automation.

Operating environment.

  • Windows 10 or Windows 11, 64-bit edition.
  • Either a standard Windows user account (default per-user install) or a Windows account that can provide administrator credentials at install time (per-machine install for all users). Running ClipCatalog after installation does not require administrator rights in either mode.
  • Internet connectivity for: license activation, update notification, the public security advisory feed, and (only if you opt in) error reporting and telemetry. The application’s AI processing runs locally and remains available offline.
  • All video analysis, indexing, transcription, and search runs on the local machine. No video content, transcripts, or derived embeddings are sent to our servers or any third party.
  • The cloud backend that ClipCatalog connects to (at *.clipcatalogpro.com) handles licensing, update delivery, the public advisory feed, and optional consent-based error reports only.

Essential security functionalities and properties.

  • Local data confidentiality. The catalog database is encrypted at rest using SQLCipher (AES-256). The encryption key is generated on first launch and stored in Windows secure storage (DPAPI), bound to your Windows user profile on that PC.
  • Authenticated cloud communication. All cloud calls use HTTPS (TLS 1.2 or higher). License tokens are RS256-signed and verified locally against a public key embedded in the application at build time, so a tampered license cannot be accepted by the client.
  • Signed installer. Every release is Authenticode-signed. The certificate is issued to Andreas Paulus as an individual, so that is the publisher name Windows displays in the UAC prompt for PAULUS DIGITAL SOLUTIONS LLC releases. Windows verifies the signature before installing.
  • Local IPC isolation. The bundled AI components communicate with the main application only over 127.0.0.1 with per-process authentication tokens. They do not accept connections from outside the local machine.
  • Consent-gated telemetry. Error reporting and analytics are off by default. You are prompted at first launch and can change the choice at any time in Settings. No video content is ever transmitted.
  • Default-on security updates with easy opt-out. See section 9.
  • Public advisory channel. Security advisories are published at /security/advisories and surfaced inside the application within roughly 24 hours of publication.

5. Known cybersecurity risks and limitations

The list below summarises the known cybersecurity risks and limitations relevant to using ClipCatalog as intended, and to reasonably foreseeable misuse. It is written for a non-specialist audience; the full internal threat model is maintained separately for security review.

  • Co-resident malware on your Windows account. A program running on your machine under the same Windows user as ClipCatalog can read your indexed data, your local logs, and the encryption key while the application is running. ClipCatalog cannot defend against attackers who have already obtained code execution as your user account; keep your operating system patched and avoid running software from untrusted sources.
  • Offline copies of the encrypted database. The catalog file cannot be decrypted by anyone who only obtains the file (for example, from a backup or a discarded drive) because the encryption key is bound to your Windows profile via DPAPI. This protection is not effective against kernel-level attackers or sustained physical access to the powered-on machine.
  • Malicious video files. ClipCatalog parses video files using bundled FFmpeg, FFprobe, ExifTool, whisper.cpp, the ONNX runtime, and the Pillow image library. These components have a track record of vulnerabilities upstream. We monitor the relevant advisory feeds at least weekly and ship security patches without delay; nonetheless, opening a file specifically engineered against a current parser vulnerability could result in code execution at your user privilege level. Treat video files from untrusted sources with the same caution you would apply to any other file type.
  • Update channel. Update integrity relies on your operating system’s trust store plus the Authenticode signature check Windows performs at install time. An attacker who has placed a forged root certificate in your trust store could intercept the update notification, but cannot push an unsigned installer past Windows’ signature check.
  • Manufacturer’s cloud account. In a worst-case scenario where our cloud account is compromised, forged license tokens or forged security advisory entries could be issued. We mitigate this with standard account hygiene (multi-factor authentication, no long-lived credentials); there is no in-application defence against this scenario beyond the signed update path described above.
  • On-disk integrity of bundled AI models. The bundled neural network model files are verified against published hashes at the time we build a release, but they are not re-verified by the application every time it launches. Same-user malware could substitute a model file on disk.
  • Foreseeable misuse: indexing content you are not authorised to process. ClipCatalog will index any folder you point it at. You are responsible for ensuring you have the legal right to process the video material you index, including any privacy-law obligations attaching to recognisable individuals in the footage.

6. Support period

ClipCatalog provides at least 5 years of free updates for each released major version, counted from that major version’s release date. This is our minimum commitment under CRA Art. 13(8); we may, and typically will, continue to ship updates beyond it.

Current version: 0.19.1, released 2026-05-12.
Earliest support-period end date for this version: 2031-05-12.

After the support period ends, the application continues to operate normally on your PC; no “kill switch” is implemented and none is required by the CRA. You will see an informational end-of-support notice inside the application (CRA Art. 13(19)).

Conformity status (Art. 69 transitional regime). We consider each ClipCatalog release placed on the EU market before the CRA’s full applicability date of 11 December 2027 to fall under the transitional regime of Art. 69 of the CRA, and therefore to sit outside the Annex I essential requirements and the conformity-assessment chain (CE marking and EU Declaration of Conformity) unless it is substantially modified on or after that date. The release covered by this document, version 0.19.1 dated 2026-05-12, falls within that window. Future releases placed on the market on or after 11 December 2027 will be subject to the Annex I essential requirements; for those releases we will publish an EU Declaration of Conformity and apply CE marking. The Art. 14 vulnerability and severe-incident reporting obligations (applicable from 11 September 2026) and the Annex I Part II vulnerability handling obligations apply to all releases regardless of transitional status, and we operate them under our published security policy.

7. Update availability commitment (Art. 13(9))

We undertake to keep every released ClipCatalog installer downloadable for at least 10 years after its release date, in line with CRA Art. 13(9). Past installers remain reachable at fixed URLs so users can re-install or roll back as needed.

URL pattern: https://download.clipcatalogpro.com/setup/windows/clipcatalog-X.Y.Z-installer.exe (substitute the version number).

Current installer: https://download.clipcatalogpro.com/setup/windows/clipcatalog-0.19.1-installer.exe — reachable until at least 2036-05-12.

The most recent installer is also available via the in-app update path and from clipcatalogpro.com/download.

8. Initial commissioning and secure use

  1. Download the installer from a trusted source. Use only the official clipcatalogpro.com/download page or the URL pattern in section 7 above. Avoid third-party mirrors.
  2. Run the installer. Windows verifies the Authenticode signature; the publisher shown is Andreas Paulus, who signs as an individual on behalf of the legal manufacturer, PAULUS DIGITAL SOLUTIONS LLC. If no signed-publisher line appears, do not proceed. You can choose between a per-user install (no admin credentials, default) and a per-machine install for all Windows accounts (admin credentials required at this step).
  3. Accept the EULA and Privacy Policy on the clickwrap screens. The full texts are also at clipcatalogpro.com/legal/eula and clipcatalogpro.com/legal/privacy.
  4. Choose your telemetry preference on first launch. Error reporting and analytics are off until you opt in. You can change this later in Settings.
  5. Activate your license, if you have one. Trial use is available without a license, with size limits documented in the EULA.
  6. Run as a standard user. Once installed, ClipCatalog runs under your normal Windows account and does not need administrator privileges — including when it was installed per-machine. Do not start the executable as Administrator unless specifically instructed to by support.
  7. Index folders containing video material you own or are authorised to process. The application reads your files; it does not write to, move, or modify them. Derived data (thumbnails, transcripts, embeddings) is stored under %LOCALAPPDATA%\\ClipCatalog\\.
  8. Keep Windows up to date. ClipCatalog inherits the integrity of your Windows installation. Security features such as DPAPI, the system trust store, and Authenticode verification depend on Windows being current.

Changes that may affect the security of your data. Two categories of change deserve your attention. First, changing the Windows user account that runs ClipCatalog: the SQLCipher key is bound to the original user profile via DPAPI, so the catalog cannot be opened from a different account on the same machine unless the key has been escrowed (see below). Second, copying or backing up the catalog folder to external storage: the encrypted database can be backed up safely, but the DPAPI-bound key cannot be carried with it on its own.

Cloud key escrow (paid licenses). When a paid license is activated, ClipCatalog escrows a copy of the SQLCipher key against your license key on our servers so you can reopen the catalog after a Windows-account or PC migration. Note the trade-off: with escrow active, anyone who obtains both your backed-up catalog file and your license key can call our recovery endpoint to decrypt the catalog. Without escrow, only your original Windows user profile can decrypt the file. Recovery requests are logged on the server side, and the escrowed entry is removed when you request account deletion under section 10.

9. Installing security updates

By default, ClipCatalog checks for updates on launch and roughly every two hours while running. When a new version is available, a notification banner appears. This default-on behaviour is recommended and required for compliance with the CRA’s Annex I §3(k) goal of receiving security fixes without delay.

  • To install an update: click the notification banner, or go to Settings → About → Check for Updates, then run the downloaded installer. Windows verifies the Authenticode signature before installing. The installer replaces the existing version in place; your local catalog and settings are preserved.
  • To opt out of automatic checks: go to Settings → Automatic Update Checks and toggle it off. The manual Check for Updates button remains available, and security-advisory banners continue to surface inside the application.
  • Security-relevant updates are flagged in the release notes at clipcatalogpro.com/changelog. Public security advisories with CVE / GHSA identifiers are published at /security/advisories and a CSAF 2.x machine-readable copy accompanies each advisory.
  • Updates are free of charge for the entire support period of your version (section 6). Customers on the original “lifetime updates” offer (purchases before 16 May 2026) continue to receive updates under their original terms.

10. Secure decommissioning

To remove ClipCatalog and the data it has stored on your PC:

  1. Uninstall the application. Open Windows Settings → Apps → Installed apps, locate ClipCatalog, and choose Uninstall. This removes the application binaries.
  2. Decide whether to delete your indexed library data. During uninstall, a dialog asks whether you also want to delete the ClipCatalog data folder %LOCALAPPDATA%\\ClipCatalog\\. Choose Yes to remove the SQLCipher-encrypted catalog database, the local vector store, the face index, thumbnails, and application logs in one step. Choose No if you plan to re-install or upgrade and want to keep your work. If you skipped this prompt and want to clean up later, delete the folder manually.
  3. Decide whether to delete shared AI models and binaries (per-machine installs only). A second dialog asks whether to delete the shared component folder %PROGRAMDATA%\\ClipCatalog\\. Other Windows accounts on the same PC may still need these files, so choose No if anyone else uses ClipCatalog there.
  4. Remove the database encryption key (optional). The SQLCipher key is stored via Windows DPAPI under your user profile. After deleting the data folder, you may also remove the secure-storage entry named ClipCatalog via the Windows Credential Manager. If you previously escrowed the key (paid licenses), the escrowed copy is removed from our servers when you request account deletion in the next step.
  5. Request deletion of personal data held on our servers. To request deletion of any personal data we hold about you (your email address, license records, consent records, error reports), contact privacy@clipcatalogpro.com. The retention and deletion process is described in our Privacy Policy. Records we are required to keep for accounting, tax, or legal-compliance purposes are retained for the period required by law and are then deleted.

11. References

Manufacturer: PAULUS DIGITAL SOLUTIONS LLC. For general support, use the in-app support channel or support@clipcatalogpro.com.