How we store your data
Your reasons, sites, slip logs, and witness contacts live in two places: the local storage of your browser, and an encrypted backup on infrastructure located in the European Union. The backup is encrypted at rest with AES-256 and only readable with a key derived from your account password. We don’t hold a copy.
All traffic between your browser, the extension, and our servers uses TLS 1.3. We don’t serve any content over plain HTTP. HSTS is enabled with a two-year max-age and the preload directive. The site also sets a strict Content-Security-Policy, a deny-by-default Permissions-Policy, and refuses to be framed (X-Frame-Options: DENY). Violations of these headers are reported to a first-party endpoint at /api/csp-report, where we collect and act on them.
What we don’t store
We don’t log your browsing history. The only sites we record are the ones you’ve told us to intercept — and only because we have to in order to do that job. The extension does not phone home with anything beyond that scope.
We don’t store raw card numbers. Payments are tokenized through Stripe, which is PCI-DSS Level 1 certified and handles the actual sensitive data.
Authentication
Accounts use email + passkey by default. Passwords are still accepted; if you use one, we encourage you to make it unique to this account. Password hashing is Argon2id with modern parameters. We don’t cap password length at any humanly-typeable number, and we never log passwords or recovery tokens.
Disclosure policy
We welcome reports from security researchers. If you find something:
Email [email protected] with the details. PGP-encrypted reports are welcome — key below. Please don’t share publicly until we’ve had a chance to triage.
Our response targets: we acknowledge within 24 hours, complete triage within 5 business days, and share a fix or mitigation plan within 7 days for critical issues, 30 days for high-severity, and 90 days for moderate. The full disclosure policy lives in SECURITY.md.
We don’t pursue legal action against researchers who act in good faith, do not access user data beyond what’s needed to demonstrate the issue, and give us reasonable time to fix it before disclosure.
PGP key
Fingerprint: 5C6F 9F4B 7D2A 0A11 E938 AB44 2F77 1C83 ABCD EF01
Full key: request via email.
Hall of fame
When the product is bigger, this section will list the researchers who made it safer. For now: we’d be grateful to put your name here first.
Compliance
GDPR & CCPA. You can request access, export, or deletion of your data at any time. Settings → Delete account does this in two clicks. Backend deletion completes within 30 days. For formal requests, email [email protected].
Subprocessors. Stripe (payments, US/EU), Plausible Insights OÜ (analytics, EU), Resend (transactional email, EU). Hosting moves to a self-hosted infrastructure per ADR-0005 (#39). Any change is announced via email and on the changelog.
Incident response
If a breach happens, we notify all affected users within 72 hours of confirmation, in plain English, with the scope, the cause, and what we’re doing about it. No legal-speak press release.