Our security and compliance controls overview is available on our website's Security page.

For enterprise customers, our sales team can provide the following resources to expedite security review:

• SOC 2 Type 2 report covering security, availability, and confidentiality from A-LIGN

• Independent Penetration Test report from A-LIGN

• Company policies and controls

PixieBrix uses Drata to continuously monitor our compliance posture.

Use of Generative Artificial Intelligence (Generative AI)

PixieBrix includes a built-in integration with OpenAI for use with mods you create. However, PixieBrix mods can be configured to call any generative AI provider, including Microsoft Azure OpenAI Service, Amazon Bedrock, or on-premise LLMs.

When using the default OpenAI integration:

• OpenAI DOES NOT use your data to train or improve its models

• OpenAI retains data for up to 30 days for abuse investigation

• Traffic is transmitted through the PixieBrix API Gateway, which does not store request data. The API Gateway stores request metadata (e.g., organization, user) for use with Datadog Application Security Management.

For more information, see the OpenAI documentation.

If you do not want traffic transmitted through the PixieBrix API Gateway, you can bring your own OpenAI API key and either:

• Configure the integration with "pushdown" (see Integration Scenarios), or

• Set up your own API Gateway/endpoint for requests

PixieBrix Enterprise customers may also request access to our built-in Microsoft Azure OpenAI Service integration, which offers exemptions from temporary data retention for abuse monitoring. To request access, contact your account manager.

Integration API Call Dataflow Diagrams

See Integration Scenarios for more integration options, e.g., OAuth2 PKCE.

Cloud Team Configuration - API Gateway

Cloud Team Configuration - Pushdown

Frequently Asked Questions

What security certifications do you have?

PixieBrix has completed a SOC-2 Type 2 with A-LIGN covering the following trust criteria:

• Security

• Availability

• Confidentiality

You can find an overview of our controls on our website's Security page.

Has PixieBrix been independently audited?

• Annual Penetration Test: our latest independent penetration test report by A-LIGN is available upon request

• PixieBrix completed the Google Cloud Application Security Assessment (CASA)

• The Google Chrome Web Store team reviews the extension prior to publishing in the Chrome Web Store

• Our browser extension is source-available on GitHub

Where is your Data Stored?

PixieBrix servers are managed by Salesforce Heroku and Amazon Web Services in the United States.

PixieBrix does not transmit/store browsing data unless you build mods that transmit that data to us (e.g., for Storing Data with Team Databases)