Security and Compliance

Our security and compliance controls overview is available on our website's Security page.

For enterprise customers, our sales team can provide the following resources to expedite security review:

• SOC 2 Type 2 report covering security, availability, and confidentiality from A-LIGN

• Independent Penetration Test report from A-LIGN

• Google Cloud Application Security Assessment (CASA) report from TAC Security

• Company policies and controls

PixieBrix uses Drata to continuously monitor our compliance posture.

Use of Generative Artificial Intelligence (Generative AI)

PixieBrix includes a built-in integration with OpenAI for use with mods you create. However, PixieBrix mods can be configured to call any generative AI provider, including Microsoft Azure OpenAI Service, Amazon Bedrock, or on-premise LLMs.

When using the default OpenAI integration:

• OpenAI DOES NOT use your data to train or improve its models

• OpenAI retains data for up to 30 days for abuse investigation

• Traffic is transmitted through the PixieBrix API Gateway, which does not store request data. The API Gateway stores request metadata (e.g., organization, user) for use with Datadog Application Security Management.

For more information, see the OpenAI documentation.

If you do not want traffic transmitted through the PixieBrix API Gateway, you can bring your own OpenAI API key and either:

• Configure the integration with "pushdown" (see Integration Scenarios), or

• Set up your own API Gateway/endpoint for requests

PixieBrix Enterprise customers may also request access to our built-in Microsoft Azure OpenAI Service integration, which offers exemptions from temporary data retention for abuse monitoring. To request access, contact your account manager.

Integration API Call Dataflow Diagrams

See Integration Scenarios for more integration options, e.g., OAuth2 PKCE.

Cloud Team Configuration - API Gateway

Cloud Team Configuration - Pushdown

Frequently Asked Questions

What security certifications do you have?

PixieBrix has completed a SOC-2 Type 2 with A-LIGN covering the following trust criteria:

• Security

• Availability

• Confidentiality

You can find an overview of our controls on our website's Security page.

Has PixieBrix been independently audited?

• Annual Penetration Test: our latest independent penetration test report by A-LIGN is available upon request

• PixieBrix completed the Google Cloud Application Security Assessment (CASA) audited by TAC Security

• The Google Chrome Web Store team reviews the extension prior to publishing in the Chrome Web Store

• Our browser extension is source-available on GitHub

Where is your Data Stored?

PixieBrix servers are managed by Salesforce Heroku and Amazon Web Services in the United States.

PixieBrix does not transmit/store browsing data unless you build mods that transmit that data to us (e.g., for Storing Data with Team Databases).

Data is processed in the United States under the EU-US Data Privacy Framework. See Is PixieBrix GDPR compliant? for more information.

Is PixieBrix GDPR compliant?

Yes, we are GDPR compliant. For our standard Data Processing Agreement (DPA), refer to our Terms and Conditions.

We are able to execute custom Data Processing Agreements (DPA) with enterprise customers to ensure they meet their GDPR and data protection obligations. For more information, contact [email protected] or your Account Executive.

Data is processed in the United States under the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).

To make a Data Subject Access Request (DSAR), contact [email protected]

General Data Protection Regulation (GDPR) – European Representative Pursuant to Article 27 of the General Data Protection Regulation (GDPR), we have appointed European Data Protection Office (EDPO) as our GDPR Representative in the EU. You can contact EDPO regarding matters pertaining to the GDPR:

• by using EDPO’s online request form: https://edpo.com/gdpr-data-request/

• by writing to EDPO at Avenue Huart Hamoir 71, 1030 Brussels, Belgium

UK General Data Protection Regulation (GDPR) - UK Representative Pursuant to Article 27 of the UK GDPR, we have appointed EDPO UK Ltd as our UK GDPR representative in the UK. You can contact EDPO UK regarding matters pertaining to the UK GDPR:

• by writing to EDPO UK at 8 Northumberland Avenue, London WC2N 5BY, United Kingdom

FADP Article 14 Representative Pursuant to Article 14 of the FADP, we have appointed EDPO Switzerland as our Representative in Switzerland. You can contact EDPO Switzerland regarding matters pertaining to the FADP:

• by writing to EDPO Switzerland at Rue de Lausanne 37, 1201 Geneva, Switzerland