The best way to protect data is to avoid accessing or transmitting it in the first place. We only transmit and store data required to provide our services. Data from websites you visit never leaves your browser unless you tell it to.

Our Privacy and Security policy provides complete details on what data is accessed, transmitted, and stored.

Our web application is hosted in the United States, on Salesforce Heroku (Common Runtime). Heroku is built on Amazon Web Services. We also use Amazon S3 for hosting public media uploads (e.g., Marketplace screenshots).

Our Privacy and Security policy provides a complete list of our service providers.

Web application data is encrypted at rest with AES-256, block-level encryption.

All internal web application traffic and traffic between the browser extension and web application is encrypted with transport layer security (TLS). You can check the encryption status with Qualys SSL Labs.

Web application data is automatically backed up and can be rolled back up to four (4) days.

We run regular API and site vulnerability scans with Intruder. Our software dependencies are automatically scanned for vulnerabilities using GitHub's Dependabot. We use static analysis tools, such as bandit and ESLint to automatically scan our source code for potential vulnerabilities.

The Web Application is protected by Sqreen's Web Application Firewall (WAF) and Runtime Application Self-Protection (RASP). Sqreen identifies and blocks the OWASP Top 10 and business logic attacks in real-time.

We additionally use security headers, including content security policy (CSP) headers, to protect users from attacks. You can check our web application's score on SecurityHeaders.io.

We support Google OAuth2 authentication for authenticating with the web application. We encourage you to enable/enforce two-factor authentication (2FA) for your Google account/organization.

Enterprise administrators can choose to authenticate users from their email domain, or to limit access to a specific set of users. Additionally, enterprises can use role-based access control (RBAC) to control which bricks users can view, edit, and activate.

Private configurations for third-party APIs are stored locally in your browser. In addition to API key and token authentication, we support OAuth2 authentication via the browser's identity API.

Our framework provides fine-grained controls for what API calls are authenticated. See our documentation for more information.

For securely accessing legacy APIs that lack user access controls, we optionally provide an API authentication proxy. The credentials are stored encrypted in our web application and are only accessible to your organization's admins.

Access to your browser data is enforced by your browser's built-in protection mechanisms. Wherever possible, we request permissions only when you enable a feature that requires those permissions. See our Privacy and Security Policy for a detailed list of what permissions the browser extension requests, when, and why.

Our framework provides additional controls for what websites our extension can access and with which services it can authenticate. See our documentation for more information.

The browser extension source code is open-source and available under the GNU Public License Version 3 (GPLv3) on GitHub so that anyone can independently audit the code.

The browser extension is built using Github Actions. The Chrome Web Store listing includes a link to the build in the description.