Security & Compliance Overview
At PixieBrix, our mission is to give everyone superpowers through the ability to customize their software. It's our highest priority to keep you safe and make it easy for you to comply with your organization's policies.
Security and Compliance is a shared responsibility. This page provides an overview of the measures we take, and the controls we make available to you. See our Privacy and Security Policy for full details.
The best way to protect data is to avoid accessing or transmitting it in the first place!
We only transmit and store data required to provide our services. Data from websites you visit never leaves your browser unless you tell it to.
Our Privacy and Security Policy provides complete details on what data is accessed, transmitted, and stored.
Our Web Application is hosted in the United States, on Salesforce Heroku (Common Runtime). Heroku is built on Amazon Web Services. We also use Amazon S3 for hosting public media uploads (e.g., Marketplace screenshots).
Our Privacy and Security Policy provides a complete list of our service providers.
Encryption at Rest
Web Application data is encrypted at rest with AES-256, block-level encryption.
Encryption in Transit
All internal Web Application traffic, as well as traffic between the Browser Extension and the Web Application, is encrypted with Transport Layer Security (TLS). You can check our TLS configuration with Qualys SSL Labs.
Backup and Disaster Recovery
Web Application data is automatically backed up and can be rolled back to a point up to 4 days in the past.
Our software dependencies are automatically scanned for vulnerabilities using GitHub's Dependabot service. We use static analysis tools, such as Bandit (Python) and ESLint (JavaScript), to automatically scan our source code for potential vulnerabilities.
Web Application Monitoring and Protection
The Web Application is protected by Sqreen's Web Application Firewall (WAF) and Runtime Application Self-Protection (RASP). Sqreen identifies and blocks the OWASP Top 10 and business logic attacks in real time.
We additionally use security headers, including Content Security Policy (CSP) headers, to protect users from attacks. You can check our Web Application's score on SecurityHeaders.io.
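The scanners mentioned above apply a checklist to the response headers a site returns. The following is an added example, not PixieBrix code and not a statement about PixieBrix's actual headers: a small auditor that applies such a checklist (HSTS, CSP script and object sources, clickjacking protection, X-Content-Type-Options, Referrer-Policy) to a header set. The two header sets at the bottom are constructed for illustration; the 180-day HSTS threshold is the auditor's own choice (hstspreload.org requires one year).

```javascript
// Added example (not PixieBrix code): audit HTTP response headers against a baseline.
// Sample header sets below are constructed, not captured from any real site.

// Parse a CSP string into { directiveName: [sources...] }. Directive names are
// case-insensitive; per CSP3, the first occurrence of a directive wins.
function parseCsp(csp) {
  const directives = {};
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Sources that govern a fetch directive, honouring the default-src fallback.
// Returns null when neither the directive nor default-src is set.
function effectiveSources(directives, name) {
  return directives[name] ?? directives["default-src"] ?? null;
}

const MIN_HSTS_MAX_AGE = 180 * 24 * 3600; // 15552000 s; a common scanner threshold

// Returns a list of human-readable findings; an empty list means the baseline passed.
function auditSecurityHeaders(rawHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(rawHeaders)) h[k.toLowerCase()] = v;
  const findings = [];

  // 1. HSTS: present, long enough, and covering subdomains.
  const hsts = h["strict-transport-security"];
  if (!hsts) {
    findings.push("missing Strict-Transport-Security");
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < MIN_HSTS_MAX_AGE) findings.push("HSTS max-age below 180 days");
    if (!/includeSubDomains/i.test(hsts)) findings.push("HSTS lacks includeSubDomains");
  }

  // 2. CSP: script sources must not be wide open; plugins should be disabled.
  const csp = h["content-security-policy"];
  const d = csp ? parseCsp(csp) : {};
  if (!csp) {
    findings.push("missing Content-Security-Policy");
  } else {
    const scripts = effectiveSources(d, "script-src");
    if (!scripts) {
      findings.push("CSP has neither script-src nor default-src");
    } else {
      // 'unsafe-inline' is ignored by CSP3 browsers when a nonce or hash is also
      // listed (it is kept only for old browsers), so flag it only when it is live.
      const hasNonceOrHash = scripts.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
      if (scripts.includes("'unsafe-inline'") && !hasNonceOrHash) findings.push("script-src allows 'unsafe-inline'");
      if (scripts.includes("'unsafe-eval'")) findings.push("script-src allows 'unsafe-eval'");
      if (scripts.includes("*")) findings.push("script-src allows any origin (*)");
    }
    if (!(effectiveSources(d, "object-src") ?? []).includes("'none'")) findings.push("CSP object-src is not 'none'");
  }

  // 3. Clickjacking: either CSP frame-ancestors or a legacy X-Frame-Options value.
  const xfo = (h["x-frame-options"] ?? "").trim();
  if (!d["frame-ancestors"] && !/^(deny|sameorigin)$/i.test(xfo)) {
    findings.push("no clickjacking protection (frame-ancestors or X-Frame-Options)");
  }

  // 4. MIME sniffing and referrer leakage.
  if ((h["x-content-type-options"] ?? "").trim().toLowerCase() !== "nosniff") findings.push("X-Content-Type-Options is not nosniff");
  if (!h["referrer-policy"]) findings.push("missing Referrer-Policy");

  return findings;
}

// Constructed sample: a typical partially-hardened site.
const WEAK_HEADERS = {
  "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com",
  "X-Frame-Options": "SAMEORIGIN",
};

// Constructed sample: the same site after remediation.
const HARDENED_HEADERS = {
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
  "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
};

for (const [label, hdrs] of [["weak", WEAK_HEADERS], ["hardened", HARDENED_HEADERS]]) {
  console.log(label, auditSecurityHeaders(hdrs));
}
```

To audit a live site, feed it the header map from a `fetch` response (`Object.fromEntries(resp.headers)`); the checks are deliberately conservative, so treat a finding as a prompt to read the policy, not as proof of a vulnerability.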
Identity and Access Management (IAM)
The Web Application supports Google OAuth2 for sign-in. We encourage you to enable Two-Factor Authentication (2FA) on your Google account, and to enforce it across your organization.
Enterprise administrators can choose to authenticate users from their email domain, or to limit access to a specific set of users. Additionally, enterprises can use role-based access control (RBAC) to control which bricks users can view, edit, and activate.
Authentication with Other Services
Private configurations for third-party APIs are stored locally in your browser. In addition to API key and token authentication, we support OAuth2 authentication via the browser's identity API.
Our framework provides fine-grained controls for what API calls are authenticated. See our documentation for more information.
For securely accessing legacy APIs that lack user access controls, we optionally provide an API Authentication Proxy. The credentials are stored encrypted in our Web Application, and are only accessible to your organization's admins.
Browser Extension Permissions
Access to your browser data is governed by your browser's built-in extension permission model. Wherever possible, we request permissions only when you enable a feature that requires them. See our Privacy and Security Policy for a detailed list of what permissions the Browser Extension requests, when, and why.
Our framework provides additional controls for what websites our extension can access, and what services it can authenticate with. See our documentation for more information.
Third Party Review
Each version of the Browser Extension published in the Chrome Web Store is reviewed by Google. See Chrome Developers: Frequently Asked Questions for more information on their review process.
Additionally, we encourage independent security review via our Responsible Disclosure policy.
The Browser Extension source code is available open-source under the GNU General Public License version 3 (GPLv3) on GitHub so that anyone can independently audit the code.
The Browser Extension is built using GitHub Actions. The Chrome Web Store listing includes a link to the corresponding build in the description.
Frequently Asked Questions (FAQ)
We have not completed a SOC 2 attestation or ISO/IEC 27001 certification. (SOC 2 is not actually a certification; it is an "attestation" from an auditor that you have adhered to your stated policies over a period of time.)
We work with enterprise customers to meet their compliance obligations. For example, we are able to represent our security practices in enterprise contracts.
Our services are HIPAA-eligible – they can be configured and used in a way that is HIPAA compliant. The most common way is to configure our services to not access pages with Protected Health Information (PHI), or to only transmit PHI directly between the user's browser and a compliant service.
We work with enterprise customers to meet their HIPAA compliance obligations. For example, we are able to execute Business Associate Agreements (BAAs) and represent our security practices.
The California Consumer Privacy Act (CCPA) does not apply to our company, because we don't meet the revenue or customer data thresholds.
However, we do comply with most of the provisions. Our Privacy and Security Policy lists what personal information we collect and how it is used. We never sell your personal information, so there's nothing to opt-out of. To request what information we have about you, or to delete your account and personal information, please email [email protected].
We don't currently claim GDPR compliance, but do comply with most of the requirements.
We created PixieBrix for the exclusive use of adults (18 and older). We don’t knowingly collect or solicit personal information from children. If you are a child under 18, please do not attempt to register for our products or send any personal information to us.
When installing the Browser Extension, you can select "Local-only Mode" to use the extension without creating an account or authenticating with the Web Application. In this mode, no personally identifiable information is transmitted to us. The Browser Extension will only communicate with our service to retrieve Marketplace information and to transmit error telemetry.