SECURITY & TRUST
Detailed breakdown of our security posture, container sandboxing, data storage, and API key management.
1. Verified Security Controls
-
Cryptographic Key Hashing: All user API keys are generated as high-entropy cryptographically secure random values (`dsk_live_...`). Plain-text keys are never stored in the database. Instead, lookup utilizes standard SHA-256 hashes, securing credentials against database compromises.
-
Browser Page Isolation: Every scraping request launches a completely fresh browser page context. No target sessions, cookies, localStorage, or caches are persisted between scrape executions, preventing cross-tenant data leaks.
-
Key Safety and Instant Revocation: Rotating an API key immediately revokes the prior key across all nodes globally. If you detect key exposure, rotation invalidates all cached credentials within 1 second.
2. Data Retention & Transmission
We believe in strict data minimization. Our pipelines are designed to parse and package styling, not accumulate content:
- No Content Storage: We do not index or store target page content, assets, or database files. We only extract design tokens and style variables.
- Ephemeral Output Files: Generated ZIP packages and Figma plugins are stored in a secured internal directory. A background pruner automatically and permanently deletes all outputs exactly 1 hour after generation.
- SSL Encryption: All requests to `/api/v1/*` endpoints are strictly encrypted in transit using TLS 1.3.
3. Roadmap Safeguards (Planned)
To further enhance platform safety, the following controls are currently scheduled for development:
-
Planned: Sandboxed Scraper Containers: Migrating from page-level browser isolation to ephemeral, short-lived Docker containers spun up dynamically per deep scrape, isolating compute execution down to the OS kernel level.
-
Planned: IP Whitelisting: Allowing enterprise keys to restrict incoming API requests to specific CIDR IP ranges.
4. Uptime & System Health
We target a 99.9% uptime for our endpoint rendering API. Since Puppeteer pools are resource-heavy, during peak capacity periods the server will return a `503 Service Unavailable` instead of choking. In this state, client scripts should implement exponential backoff as detailed in our Docs.
5. Reporting & Vulnerability Disclosure
If you believe you have discovered a security vulnerability or have questions about our infrastructure isolation model, please report it to our operator contact immediately:
* We acknowledge receipt of all valid reports within 24 hours and aim to resolve critical patches within 48 hours of replication.