Security and compliance overview

It's a top priority at PixieBrix to keep your data safe and compliant with your organization's policies. This page provides an overview of the measures we take and the controls available to you.

Privacy

The best way to protect data is to avoid accessing or transmitting it in the first place. We only transmit and store data required to provide our services. Data from websites you visit never leaves your browser unless you tell it to.

Our Privacy and Security policy provides complete details on what data is accessed, transmitted, and stored.

Hosting

Our web application is hosted in the United States, on Salesforce Heroku (Common Runtime). Heroku is built on Amazon Web Services. We also use Amazon S3 for hosting public media uploads (e.g., Marketplace screenshots).

Our Privacy and Security policy provides a complete list of our service providers.

Encryption at rest

Web application data is encrypted at rest using block-level AES-256 encryption.

Encryption in transit

All internal web application traffic, and all traffic between the browser extension and the web application, is encrypted with Transport Layer Security (TLS). You can check our TLS configuration with Qualys SSL Labs.

Backup and disaster recovery

Web application data is automatically backed up and can be restored to a state from up to four (4) days earlier.

Vulnerability scanning

We run regular API and site vulnerability scans with Intruder. Our software dependencies are automatically scanned for known vulnerabilities using GitHub's Dependabot. We use static analysis tools, such as Bandit (Python) and ESLint (JavaScript), to automatically scan our source code for potential vulnerabilities.

Web application monitoring and protection

The web application is protected by Sqreen's Web Application Firewall (WAF) and Runtime Application Self-Protection (RASP). Sqreen identifies and blocks OWASP Top 10 and business logic attacks in real time.

We additionally set security headers, including a Content Security Policy (CSP), to protect users from attacks such as cross-site scripting and clickjacking. You can check our web application's score on SecurityHeaders.io.
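The following is an added example, not PixieBrix code, of the kind of check a scanner such as SecurityHeaders.io performs: it parses a response's security headers, flags missing ones, and inspects the CSP for the directives that matter most for script injection and framing. The two header sets are constructed for illustration and are not captured from any real site.

```python
"""Audit HTTP response security headers (added example; sample headers are constructed)."""
from __future__ import annotations

import re

ONE_YEAR = 31536000  # commonly recommended minimum HSTS max-age, in seconds

# Headers that must be present, with a substring their value must contain (None = presence only).
REQUIRED: dict[str, str | None] = {
    "strict-transport-security": "max-age=",
    "x-content-type-options": "nosniff",
    "content-security-policy": None,
}


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP value into {directive: [source expressions]}; directive names are case-insensitive."""
    policy: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def hsts_max_age(value: str) -> int | None:
    """Extract the max-age from an HSTS header, or None if it is absent/malformed."""
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(match.group(1)) if match else None


def audit_csp(policy: dict[str, list[str]]) -> list[str]:
    """Findings for a parsed CSP: missing fallback, permissive script sources, unrestricted plugins."""
    findings: list[str] = []
    if "default-src" not in policy:
        findings.append("csp: no default-src fallback")
    # script-src falls back to default-src when absent, exactly as the browser resolves it.
    scripts = policy.get("script-src", policy.get("default-src", []))
    for weak in ("'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"):
        if weak in scripts:
            findings.append(f"csp: script-src allows {weak}")
    if "object-src" not in policy and "'none'" not in policy.get("default-src", []):
        findings.append("csp: object-src not restricted (plugin content allowed)")
    return findings


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of findings for one response; an empty list means every check passed."""
    lower = {name.lower(): value for name, value in headers.items()}  # HTTP header names are case-insensitive
    findings: list[str] = []
    for name, must_contain in REQUIRED.items():
        value = lower.get(name)
        if value is None:
            findings.append(f"missing {name}")
        elif must_contain and must_contain not in value.lower():
            findings.append(f"{name} present but lacks '{must_contain}'")
    age = hsts_max_age(lower.get("strict-transport-security", ""))
    if age is not None and age < ONE_YEAR:
        findings.append(f"strict-transport-security max-age {age} is below one year")
    policy = parse_csp(lower.get("content-security-policy", ""))
    if "content-security-policy" in lower:
        findings.extend(audit_csp(policy))
    if "x-frame-options" not in lower and "frame-ancestors" not in policy:
        findings.append("no clickjacking protection (X-Frame-Options or frame-ancestors)")
    return findings


# Constructed sample responses: one weak, one hardened.
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline' https:; img-src *",
}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; "
                               "frame-ancestors 'none'; base-uri 'self'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(headers) or "no findings")
```

The CSP checks mirror how a browser resolves the policy: `script-src` inherits from `default-src` when absent, and `object-src` is only safe to omit when `default-src 'none'` covers it. A policy that passes here is a floor, not a guarantee; a scanner cannot tell whether the allowed origins themselves host attacker-controllable scripts.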

Identity and access management (IAM)

We support Google and Microsoft OAuth2 for authenticating with the web application. We encourage you to enable two-factor authentication (2FA) on your Google or Microsoft account and, if you administer an organization, to enforce it for all of its members.

Enterprise administrators can choose to admit any user who authenticates with an email address from their organization's domain, or to limit access to an explicit set of users. Additionally, enterprises can use role-based access control (RBAC) to control which bricks users can view, edit, and activate.
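As an added illustration of the two admission models and the RBAC layer described above (this is example code, not PixieBrix's implementation; the policy structure, role names, action names and sample addresses are assumptions made for the example), the check below matches the parsed domain exactly rather than by suffix, which is the mistake that lets `alice@evil-example.com` through a policy meant for `example.com`.

```python
"""Domain-based and allow-list admission plus per-role brick permissions (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed role -> permitted actions mapping; the names are illustrative, not PixieBrix's.
ROLE_ACTIONS: dict[str, frozenset[str]] = {
    "viewer": frozenset({"view"}),
    "activator": frozenset({"view", "activate"}),
    "developer": frozenset({"view", "edit", "activate"}),
}


@dataclass(frozen=True)
class OrgPolicy:
    allowed_domains: frozenset[str] = frozenset()        # e.g. {"example.com"}; exact-match, lowercase
    allowed_users: frozenset[str] = frozenset()          # explicit allow-list of lowercase addresses
    roles: dict[str, str] = field(default_factory=dict)  # address -> role name
    default_role: str = "viewer"                         # role for admitted users with no explicit role


def normalize_email(email: str) -> tuple[str, str]:
    """Return (local, domain), lowercased.

    rpartition on the last '@' keeps quoted local parts such as "a@b"@example.com intact.
    Lowercasing the local part assumes the identity provider treats it case-insensitively,
    which Google and Microsoft do in practice.
    """
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain or "@" in domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    return local.lower(), domain.lower()


def naive_domain_match(email: str, domain: str) -> bool:
    """The common bug, shown only for contrast: suffix matching admits evil-example.com."""
    return email.lower().endswith(domain.lower())


def is_member(email: str, policy: OrgPolicy) -> bool:
    """Admission: the parsed domain must equal an allowed domain, or the full address must be listed."""
    local, domain = normalize_email(email)
    if domain in policy.allowed_domains:
        return True
    return f"{local}@{domain}" in policy.allowed_users


def can(email: str, action: str, policy: OrgPolicy) -> bool:
    """Authorize 'view', 'edit' or 'activate' on a brick for an admitted user's role."""
    if not is_member(email, policy):
        return False
    local, domain = normalize_email(email)
    role = policy.roles.get(f"{local}@{domain}", policy.default_role)
    return action in ROLE_ACTIONS.get(role, frozenset())


# Constructed sample policies.
DOMAIN_POLICY = OrgPolicy(
    allowed_domains=frozenset({"example.com"}),
    roles={"dev@example.com": "developer"},
)
ALLOWLIST_POLICY = OrgPolicy(
    allowed_users=frozenset({"bob@partner.org"}),
    roles={"bob@partner.org": "activator"},
)

if __name__ == "__main__":
    for addr in ("Alice@Example.COM", "alice@evil-example.com", "alice@example.com.evil.net"):
        print(f"{addr:30} member={is_member(addr, DOMAIN_POLICY)} naive={naive_domain_match(addr, 'example.com')}")
```

The allow-list path compares the whole normalized address, so a user from an allowed partner domain who is not listed is still refused; the role lookup only runs after admission, so a role entry alone never grants access.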

Authentication with other services

Private configurations for third-party APIs are stored locally in your browser. In addition to API key and token authentication, we support OAuth2 authentication via the browser's identity API.

Our framework provides fine-grained controls for what API calls are authenticated. See our documentation for more information.

For securely accessing legacy APIs that lack per-user access controls, we optionally provide an API authentication proxy. The proxy's credentials are stored encrypted in our web application and are only accessible to your organization's admins.

Browser extension permissions

Access to your browser data is enforced by your browser's built-in protection mechanisms. Wherever possible, we request permissions only when you enable a feature that requires those permissions. See our Privacy and Security Policy for a detailed list of what permissions the browser extension requests, when, and why.

Our framework provides additional controls for what websites our extension can access and with which services it can authenticate. See our documentation for more information.

Third-party review

We have completed our SOC 2 Type 1 examination with the guidance of third-party audit firm A-LIGN.

Each version of the browser extension published in the Chrome Web Store is reviewed by Google. See Chrome Developers: Frequently Asked Questions for more information on the Chrome Web Store review process.

Additionally, we encourage independent security review via our responsible disclosure policy.

Open source

The browser extension source code is open source and available under the GNU General Public License version 3 (GPLv3) on GitHub, so that anyone can independently audit the code.

The browser extension is built using GitHub Actions. The Chrome Web Store listing includes a link to the build in the description.

Frequently asked questions

Are you SOC 2 or ISO/IEC 27001 certified?
Are you HIPAA compliant?
Are you California Consumer Privacy Act (CCPA) compliant?
Are you EU General Data Protection Regulation (GDPR) compliant?
Are you Children's Online Privacy Protection (COPPA) Rule compliant?
Do you have a bug bounty program?