Security & Compliance Overview

At PixieBrix, our mission is to give everyone superpowers through the ability to customize their software. It's our highest priority to keep you safe and make it easy for you to comply with your organization's policies.

Security and Compliance is a shared responsibility. This page provides an overview of the measures we take, and the controls we make available to you. See our Privacy and Security Policy for full details.

Privacy icon


The best way to protect data is to avoid accessing or transmitting it in the first place!

We only transmit and store data required to provide our services. Data from websites you visit never leaves your browser unless you tell it to.

Our Privacy and Security Policy provides complete details on what data is accessed, transmitted, and stored.

Hosting icon


Our Web Application is hosted in the United States, on Salesforce Heroku (Common Runtime). Heroku is built on Amazon Web Services. We also use Amazon S3 for hosting public media uploads (e.g., Marketplace screenshots).

Our Privacy and Security Policy provides a complete list of our service providers.

Encryption at rest icon

Encryption at Rest

Web Application data is encrypted at rest with AES-256, block-level encryption.

Encryption in transit icon

Encryption in Transit

All internal Web Application traffic, as well as traffic between the Browser Extension and Web Application is encrypted with Transport Layer Security (TLS). You can check the encryption status with Qualys SSL Labs.

Backup icon

Backup and Disaster Recovery

Web Application data is automatically backed up and can be rolled back up to 4 days.

Vulnerability Scanning icon

Vulnerability Scanning

Our software dependencies are automatically scanned for vulnerabilities using GitHub's Dependabot service. We use static analysis tools, such as bandit and ESLint to automatically scan our source code for potential vulnerabilities.

Firewall icon

Web Application Monitoring and Protection

The Web Application is protected by Sqreen's Web Application Firewall (WAF) and Runtime Application Self-Protection (RASP). Sqreen identifies and blocks the OWASP Top 10 and business logic attacks in real-time.

We additionally use security headers, including Content Security Policy (CSP) headers, to protect users from attacks. You can check our Web Application's score on

Identity and access management icon

Identity and Access Management (IAM)

We support Google OAuth2 authentication for authenticating with the Web Application. We encourage you to enable/enforce Two-Factor Authentication (2FA) for your Google account/organization.

Enterprise administrators can choose to authenticate users from their email domain, or to limit access to a specific set of users. Additionally, enterprises can use role-based access control (RBAC) to control which bricks users can view, edit, and activate.

API authentication icon

Authentication with Other Services

Private configurations for 3rd Party APIs are stored locally in your browser. In addition to API key and token authentication, we support OAuth2 authentication via the browser's identity API.

Our framework provides fine-grained controls for what API calls are authenticated. See our documentation for more information.

For securely accessing legacy APIs that lack user access controls, we optionally provide an API Authentication Proxy. The credentials are stored encrypted in our Web Application, and are only accessible to your organization's admins.

Browser Extension Permissions icon

Browser Extension Permissions

Access to your browser data is enforced by your browser's built-in protection mechanisms. Wherever possible, we request permissions only when you enable a feature that requires those permissions. See our Privacy and Security Policy for a detailed list of what permissions the Browser Extension requests, when, and why.

Our framework provides additional controls for what websites our extension can access, and what services it can authenticate with. See our documentation for more information.

Third-party Review icon

Third Party Review

Each version of the Browser Extension published in the Chrome Web Store is reviewed by Google. See Chrome Developers: Frequently Asked Questions for more information on their review process.

Additionally, we encourage independent security review via our Responsible Disclosure policy.

Open source logo

Open Source

The Browser Extension source code is available open-source under the GNU Public License Version 3 (GPLv3) on GitHub so that anyone can independently audit the code.

The Browser Extension is built using Github Actions. The Chrome Web Store listing includes a link to the build in the description.

Frequently Asked Questions (FAQ)

Click on a question below to expand the response

We have not completed a SOC-2 attestation or ISO/IEC 20071 certification. (SOC-2 is not actually a certification, it's an "attestation" from an auditor that you've adhered to your stated policies over a period of time.)

We work with enterprise customers to meet their compliance obligations. For example, we are able to represent our security practices in enterprise contracts.

Our services are HIPAA-eligible – they can be configured and used in a way that is HIPAA compliant. The most common way is to configure our services to not access pages with Protected Health Information (PHI), or to only transmit PHI directly between the user's browser and a compliant service.

We work with enterprise customers to meet their HIPAA compliance obligations. For example, we are able to execute Business Associate Agreements (BAAs) and represent our security practices.

The California Consumer Privacy Act (CCPA) does not apply to our company, because we don't meet the revenue or customer data thresholds.

However, we do comply with most of the provisions. Our Privacy and Security Policy lists what personal information we collect and how it is used. We never sell your personal information, so there's nothing to opt-out of. To request what information we have about you, or to delete your account and personal information, please email [email protected].

We don't currently claim GDPR compliance, but do comply with most of the requirements.

We created PixieBrix for the exclusive use of adults (18 and older). We don’t knowingly collect or solicit personal information from children. If you are a child under 18, please do not attempt to register for our products or send any personal information to us.

When installing the Web Browser Extension, you can select "Local-only Mode" to use the extension without creating an account/authenticating with the Web Application. In this mode, no personally-identifiable information is transmitted to us. The Browser Extension will only communicate with our service for retrieving Marketplace information and transmitting error telemetry.

Self-hosting of the Web Application and/or API Authentication Proxy is available to enterprise customers.

Managed hosting is also available at an additional cost, and supports alternate regions (e.g., Europe), Heroku Private Spaces, and Heroku Shield.

We do not have a bug bounty program and do not pay monetary rewards for reporting security vulnerabilities. If you discover a vulnerability, please follow our Responsible Disclosure instructions.

Join our newsletter!

Stay up-to-date with product news and productivity tips