DESIGNSKILL AGENT
02 // VERIFIED PLATFORM CONTROLS

SECURITY & TRUST

Detailed breakdown of our security posture, container sandboxing, data storage, and API key management.

1. Verified Security Controls

  • Cryptographic Key Hashing: All user API keys are generated as high-entropy cryptographically secure random values (`dsk_live_...`). Plain-text keys are never stored in the database. Instead, lookup utilizes standard SHA-256 hashes, securing credentials against database compromises.
  • Browser Page Isolation: Every scraping request launches a completely fresh browser page context. No target sessions, cookies, localStorage, or caches are persisted between scrape executions, preventing cross-tenant data leaks.
  • Key Safety and Instant Revocation: Rotating an API key immediately revokes the prior key across all nodes globally. If you detect key exposure, rotation invalidates all cached credentials within 1 second.

2. Data Retention & Transmission

We believe in strict data minimization. Our pipelines are designed to parse and package styling, not accumulate content:

  • No Content Storage: We do not index or store target page content, assets, or database files. We only extract design tokens and style variables.
  • Ephemeral Output Files: Generated ZIP packages and Figma plugins are stored in a secured internal directory. A background pruner automatically and permanently deletes all outputs exactly 1 hour after generation.
  • SSL Encryption: All requests to `/api/v1/*` endpoints are strictly encrypted in transit using TLS 1.3.

3. Roadmap Safeguards (Planned)

To further enhance platform safety, the following controls are currently scheduled for development:

  • Planned: Sandboxed Scraper Containers: Migrating from page-level browser isolation to ephemeral, short-lived Docker containers spun up dynamically per deep scrape, isolating compute execution down to the OS kernel level.
  • Planned: IP Whitelisting: Allowing enterprise keys to restrict incoming API requests to specific CIDR IP ranges.

4. Uptime & System Health

We target a 99.9% uptime for our endpoint rendering API. Since Puppeteer pools are resource-heavy, during peak capacity periods the server will return a `503 Service Unavailable` instead of choking. In this state, client scripts should implement exponential backoff as detailed in our Docs.

5. Reporting & Vulnerability Disclosure

If you believe you have discovered a security vulnerability or have questions about our infrastructure isolation model, please report it to our operator contact immediately:

Security Email: chowkar.tester@gmail.com

* We acknowledge receipt of all valid reports within 24 hours and aim to resolve critical patches within 48 hours of replication.