Architecture & Trust

Privacy isn't promised — it's architected.

Architecture: everything in your browser

Detection and masking run entirely in your browser via the extension. No prompt and no sensitive data ever passes through our servers.

Your browser (local)
  └─ SafePrompt extension
       ├─ [1] Detects sensitive data in the prompt
       ├─ [2] Replaces it with placeholder tokens → [EMAIL_1], [CLE_API_1]
       ├─ [3] Sends ONLY the masked prompt to the AI
       ├─ [4] Receives the AI's response (containing the placeholder tokens)
       └─ [5] Restores your real data in the response

Our servers (EU)
  └─ Receive: anonymous statistics only
     (never the content of your prompts)

  • 100% in-browser detection (JS engine in the extension)
  • In-browser masking before sending to the LLM
  • Local restoration of the response
  • Only usage metadata (anonymous statistics) reaches our servers
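The five steps above, as an added example written for this page and not the SafePrompt extension's own code. The two detectors, the sample prompt and the assumption that the model echoes placeholder tokens unchanged are all hypothetical; the token names follow the diagram ([EMAIL_1], [CLE_API_1]). It also adds the check a practitioner wants before step [3]: refuse to send if any original value survived masking.

```javascript
// Added example, not SafePrompt's code: a minimal detect -> mask -> restore
// round trip. Regexes, token format and sample data are assumptions.

// Assumed detectors. Token names follow the page's diagram.
const PATTERNS = [
  { type: "EMAIL", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  { type: "CLE_API", re: /\bsk-[A-Za-z0-9]{20,}\b/g }, // assumed key shape
];

// [1] + [2]: find sensitive values and replace each with a placeholder token.
// The same value always gets the same token, so the model can refer to it
// consistently and restoration stays unambiguous.
function maskPrompt(text, patterns = PATTERNS) {
  const tokenToValue = new Map(); // stays in the browser; never sent anywhere
  const counters = new Map();
  let masked = text;
  for (const { type, re } of patterns) {
    masked = masked.replace(re, (value) => {
      for (const [token, known] of tokenToValue) {
        if (known === value) return token;
      }
      const n = (counters.get(type) || 0) + 1;
      counters.set(type, n);
      const token = `[${type}_${n}]`;
      tokenToValue.set(token, value);
      return token;
    });
  }
  return { masked, tokenToValue };
}

// Guard before [3]: true if any original value is still present in the text
// (for example because a detector missed a variant spelling).
function containsOriginal(text, tokenToValue) {
  for (const value of tokenToValue.values()) {
    if (text.includes(value)) return true;
  }
  return false;
}

// [4] + [5]: put the real values back into the model's reply.
function restoreResponse(response, tokenToValue) {
  let restored = response;
  for (const [token, value] of tokenToValue) {
    restored = restored.split(token).join(value);
  }
  return restored;
}

// Constructed sample prompt (not real data).
const SAMPLE_PROMPT =
  "Write a reply to alice@example.com; the key sk-ABCDEFGHIJKLMNOPQRSTUVWXYZ " +
  "must rotate; cc alice@example.com.";

// Full round trip; the "reply" is a constructed stand-in for the LLM's answer.
function demo() {
  const { masked, tokenToValue } = maskPrompt(SAMPLE_PROMPT);
  if (containsOriginal(masked, tokenToValue)) {
    throw new Error("leak detected: refusing to send");
  }
  // `masked` is the only thing that would go to the LLM.
  const reply = "Sent to [EMAIL_1]; rotated [CLE_API_1].";
  return { masked, restored: restoreResponse(reply, tokenToValue) };
}
```

Restoration relies on the model echoing tokens verbatim; a production implementation would also match tokens the model has reformatted (dropped brackets, changed case), which this example deliberately leaves out.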

Data flows

What is sent to our servers

  • Anonymized statistical events: detection type, marker count, timestamp
  • Session metadata (plan, language, extension version)
  • No prompt content, ever

What NEVER leaves your browser

  • The content of your prompts
  • Your API keys and secrets
  • Your personal data (emails, names, addresses)
  • The context of LLM conversations
  • The values that were masked, and the placeholder-to-value mapping used to restore them

Compliance & Infrastructure

  • EU-hosted data: Supabase Frankfurt/Amsterdam, Vercel EU, Stripe Dublin
  • 7-day backups (point-in-time recovery)
  • Mandatory two-factor authentication for founder access
  • Audit logs available (Business plan)
  • GDPR: EU hosting, 12-month retention, data-subject rights exercisable

Monthly canary leak test

Every month, an automated test injects a unique canary token into a prompt on each of the 6 supported LLM platforms, then searches our server-side stores (Supabase, Sentry, Resend, Edge Function logs) for that token to verify that no trace of it arrived. This is the structural check behind our core promise: zero prompt content ever leaves your browser.

Canary monitoring starts at V1.0 launch — results will appear here from the first monthly run.

Subprocessors

All our subprocessors are hosted in the European Union and GDPR compliant.

Subprocessor   Role                   Location
Supabase       Database & Auth        Frankfurt / Amsterdam (EU)
Vercel         Frontend hosting       EU (configurable region)
Stripe         Payment                Dublin (EU)
Resend         Transactional emails   EU
Sentry         Error monitoring       EU (opt-in)

False positive reporting — explicitly consented flow

SafePrompt lets you report false positives (a business email masked that should not have been, for example) to improve the public regexes. This flow is isolated from the automatic telemetry stream: every report requires your explicit consent, never reuses the original payload, and is stored in a dedicated table separate from aggregated events.

  • Per-report consent (FR63): every report requires a distinct checkbox — you explicitly confirm on each submission. No report is ever sent without this validation.
  • Redactable context: the context attached to the report is editable (50 characters max) — you keep control over what is transmitted, including fully removing the context if you prefer.
  • Isolated Supabase table: reports are stored in a dedicated `false_positive_reports` table with strict RLS — distinct from the aggregated events table (CONSTRAINT-006 automatic telemetry preserved).
  • SHA-256 consent digest: every report carries a canonical digest computed locally (SHA-256 over payload + timestamp + tenant_id). It binds the stored report to the exact payload and timestamp you confirmed; the Edge Function recomputes and compares it before insertion and rejects any mismatch. Because the digest is unkeyed, it is an integrity check on what was submitted rather than a proof of who submitted it.

Security roadmap

  1. V1 (current)

    OWASP Top 10

    Coverage of the OWASP Top 10 application security risks, baseline penetration tests.

  2. V2

    SOC 2 Type I

    SOC 2 Type I compliance audit planned. Complete audit log, enhanced access control.

  3. V3

    ISO 27001

    ISO 27001 certification planned for Business plan customers from V3.

Hosting & infrastructure

🇫🇷
Headquarters: Maxeville (54)
Data is operated from the M-KIS headquarters in France. No transfers outside the EU.
🇪🇺
European redundancy
Real-time replication on European infrastructure. No single point of failure.
🔒
Encryption in transit and at rest
TLS 1.3 in transit, AES-256 at rest. Encryption keys managed by M-KIS.

Data Processing Agreement (DPA)

A standard data processing agreement template is available for Business plan customers. Contact us to obtain it.

Request agreement

Direct download available in V2