Our principles
- Local-first. Anything that can be done on your device should be done on your device.
- Minimum surface. Every Chrome permission we request is one we can justify to a curious user.
- Encrypted by default. Anything that crosses the network is encrypted in transit; anything we sync is encrypted end-to-end.
- Auditable. Core logic for several extensions is MIT-licensed and published on GitHub. Builds are reproducible.
- No silent telemetry. Diagnostics are opt-in, anonymous, and contain no page or URL data.
Architecture
Each Chromfy extension is built on Manifest V3 with a small service worker, a side panel, and content scripts that activate only on tabs you authorise. We do not run remote code; every script that executes ships inside the signed extension bundle.
Where an extension uses cloud features, they're isolated behind a thin API that doesn't see plaintext user content. We can rebuild any version we've ever shipped from source and verify the bytes match the ones on the Chrome Web Store.
Encryption
- In transit: TLS 1.2+ everywhere. HSTS is enforced on chromfy.com.
- At rest: AES-256 for stored blobs; KMS-managed keys on our cloud provider.
- End-to-end sync: when you turn on sync, settings are encrypted on your device with a key derived from a passphrase you control. Our servers see only ciphertext.
- API keys you supply (for example, OpenAI or Anthropic) are encrypted locally before being written to Chrome storage.
Permissions
We ask for the smallest possible permission scope. Each extension lists its permissions on its product page with a one-sentence reason for each. Where Chrome allows it, we prefer activeTab over broad host permissions, and we never request <all_urls> unless a feature genuinely requires it.
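A permission policy like this can be checked mechanically in CI. The following is an added example, not Chromfy's own code: a Node.js audit that flags <all_urls> and wildcard-host match patterns in a manifest. The function names and both sample manifests are constructed for illustration.

```javascript
// Added example: flag broad host access in a Manifest V3 manifest.
// A match pattern is "broad" if it is <all_urls> or its host part is a bare "*".
function isBroad(pattern) {
  return pattern === "<all_urls>" || /^[a-z*]+:\/\/\*\//.test(pattern);
}

// Returns one finding per broad pattern, naming the manifest field it came from.
function auditManifest(manifest) {
  const findings = [];
  const check = (field, patterns, note) => {
    for (const p of patterns || []) {
      if (isBroad(p)) findings.push({ field, pattern: p, note });
    }
  };
  check("permissions", manifest.permissions, "host pattern in permissions");
  check("host_permissions", manifest.host_permissions, "requests access to every site");
  check("optional_host_permissions", manifest.optional_host_permissions,
        "broad, but only after a runtime prompt");
  (manifest.content_scripts || []).forEach((cs, i) =>
    check(`content_scripts[${i}].matches`, cs.matches, "script declared for every page"));
  return findings;
}

// Constructed sample manifests (not taken from any real extension).
const broadManifest = {
  manifest_version: 3,
  name: "sample-broad",
  version: "1.0.0",
  permissions: ["storage"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
};
const scopedManifest = {
  manifest_version: 3,
  name: "sample-scoped",
  version: "1.0.0",
  permissions: ["activeTab", "scripting", "storage", "sidePanel"],
  optional_host_permissions: ["https://*.example.com/*"],
};

for (const [label, m] of [["broad", broadManifest], ["scoped", scopedManifest]]) {
  const findings = auditManifest(m);
  console.log(label, findings.length ? findings : "no broad host access");
}
```

Run against each extension's manifest.json before publishing, a non-empty result is the list of patterns that need a written justification or a switch to activeTab.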
Infrastructure
- Hosting: SOC 2 Type II compliant cloud providers in the EU and US. Geographic routing is available for enterprise plans.
- Isolation: services run in private networks; admin access requires hardware security keys and is fully audit-logged.
- Backups: encrypted daily backups with a 30-day retention window and quarterly restore drills.
- Monitoring: automated anomaly detection on auth endpoints, build pipelines, and dependency updates.
People & process
Every engineer with production access uses hardware-backed authentication and follows a least-privilege model. Code changes are peer-reviewed and go through CI with static analysis and dependency scanning. We patch high-severity vulnerabilities in dependencies within 7 days of disclosure, and critical ones within 24 hours.
Responsible disclosure
We welcome security research. If you believe you've found a vulnerability:
- Email security@chromfy.com with a clear write-up and reproduction steps.
- Give us a reasonable window to respond before any public disclosure — typically 90 days.
- Avoid actions that could harm users (no data exfiltration, no denial-of-service, no social engineering).
In return, we'll acknowledge your report within 2 business days, keep you posted as we investigate, and credit you in our hall of fame if you'd like. Eligible reports may also receive a thank-you reward.
Contact
Security questions, compliance documentation, or bug reports: security@chromfy.com. Our PGP key is available on request.