# Security and Compliance

Our security and compliance controls overview is available on [our website's Security page](https://www.pixiebrix.com/security).

For enterprise customers, our sales team can provide the following resources to expedite security review:

* SOC 2 Type 2 report covering security, availability, and confidentiality from [A-LIGN](https://www.pixiebrix.com/security)
* Independent Penetration Test report from [A-LIGN](https://www.pixiebrix.com/security)
* Google Cloud Application Security Assessment (CASA) report from [TAC Security](https://tacsecurity.com/)
* Company policies and controls

PixieBrix uses [Drata](https://drata.com/) to continuously monitor our compliance posture.

## Use of Generative Artificial Intelligence (Generative AI)

#### AI Features in PixieBrix Page Editor

The Page Editor provides affordances to improve Mod Developer productivity and effectiveness. Every AI feature runs only when the Mod Developer explicitly invokes it.

When using AI features in the PixieBrix Page Editor:

* Account Information and Integration Credentials are never transmitted to the model provider
* We DO NOT use your data to train or improve our models
* The model provider DOES NOT use your data to train or improve its models
* The model provider may retain the data for up to 30 days for abuse investigation

| Feature                   | Data Transmitted                                   | Additional Controls                                                                                                                                  |
| ------------------------- | -------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- |
| Mod Generation Copilot    | Mod description (to generate a mod definition)     | The Mod Generation Copilot prompts the developer for approval if access to page content is necessary (e.g., to automatically generate element selectors) |
| Code Review               | Mod definition (to review for best practices)      |                                                                                                                                                      |
| Commit Message Generation | Mod definition (to generate a commit message)      |                                                                                                                                                      |

#### Use of AI in User-Defined Mods

PixieBrix includes a built-in integration with OpenAI for use with mods you create. However, PixieBrix mods can be configured to call any generative AI provider, including [Microsoft Azure OpenAI Service](https://azure.microsoft.com/en-us/products/ai-services/openai-service), [Amazon Bedrock](https://aws.amazon.com/bedrock/), or on-premise LLMs.

When using the default OpenAI integration:

* OpenAI **DOES NOT** use your data to train or improve its models
* OpenAI retains data for up to 30 days for abuse investigation
* Traffic is transmitted through the PixieBrix API Gateway, which does not store request data. The API Gateway stores request metadata (e.g., organization, user) for use with [Datadog Application Security Management](https://docs.datadoghq.com/security/application_security/).

For more information, see the [OpenAI documentation](https://platform.openai.com/docs/models/how-we-use-your-data).

If you do not want traffic transmitted through the PixieBrix API Gateway, you can bring your own OpenAI API key and either:

* Configure the integration with "pushdown" (see [Integration Scenarios](/integrations/integration-scenarios.md)), or
* Set up your own API Gateway/endpoint for requests

PixieBrix Enterprise customers may also request access to our built-in [Microsoft Azure OpenAI Service integration](https://azure.microsoft.com/en-us/products/ai-services/openai-service), which [offers exemptions from temporary data retention for abuse monitoring](https://learn.microsoft.com/en-us/legal/cognitive-services/openai/data-privacy#how-can-customers-get-an-exemption-from-abuse-monitoring-and-human-review). To request access, contact your account manager.

## Integration API Call Dataflow Diagrams

See [Integration Scenarios](/integrations/integration-scenarios.md) for more integration options, e.g., OAuth2 PKCE.

#### Cloud Team Configuration - API Gateway

<figure><img src="/files/mvtTWNbO9gmH6j032P6j" alt="Cloud Team Configuration - API Gateway dataflow diagram"><figcaption>Cloud Team Configuration - API Gateway</figcaption></figure>

#### Cloud Team Configuration - Pushdown

<figure><img src="/files/ude9V0pP36p77oa9PHRz" alt="Cloud Team Configuration - Pushdown dataflow diagram"><figcaption>Cloud Team Configuration - Pushdown</figcaption></figure>

## Frequently Asked Questions

### What security certifications do you have?

PixieBrix has completed a SOC-2 Type 2 with [A-LIGN](https://www.a-lign.com/) covering the following trust criteria:

* Security
* Availability
* Confidentiality

You can find an [overview of our controls on our website's Security page](https://www.pixiebrix.com/security).

### Has PixieBrix been independently audited?

* Annual Penetration Test: our latest independent penetration test report by [A-LIGN](https://www.a-lign.com/) is available upon request
* PixieBrix completed the [Google Cloud Application Security Assessment (CASA)](https://support.google.com/cloud/answer/13465431?hl=en) audited by [TAC Security](https://tacsecurity.com/)
* The Google Chrome Web Store team reviews the extension prior to publishing in the Chrome Web Store
* Our browser extension is [source-available on GitHub](https://github.com/pixiebrix/pixiebrix-extension)

### Where is your Data Stored?

PixieBrix servers are managed by [Salesforce Heroku](https://www.heroku.com/) and [Amazon Web Services](https://aws.amazon.com/) in the United States.

PixieBrix does not transmit or store browsing data unless you build mods that transmit that data to us (e.g., for [Storing Data with Team Databases](/storing-data-with-team-databases.md)).

Data is processed in the United States under the EU-US Data Privacy Framework. See [Is PixieBrix GDPR compliant?](#is-pixiebrix-gdpr-compliant) for more information.

### Is PixieBrix GDPR compliant?

Yes, we are GDPR compliant. For our standard Data Processing Agreement (DPA), refer to our Terms and Conditions.

We are able to execute custom Data Processing Agreements (DPA) with enterprise customers to ensure they meet their GDPR and data protection obligations. For more information, contact <support@pixiebrix.com> or your Account Executive.

Data is processed in the United States under the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).

To make a Data Subject Access Request (DSAR), contact <support@pixiebrix.com>

**General Data Protection Regulation (GDPR) – European Representative**\
Pursuant to Article 27 of the General Data Protection Regulation (GDPR), we have appointed European Data Protection Office (EDPO) as our GDPR Representative in the EU. You can contact EDPO regarding matters pertaining to the GDPR:

* by using EDPO’s online request form: <https://edpo.com/gdpr-data-request/>
* by writing to EDPO at Avenue Huart Hamoir 71, 1030 Brussels, Belgium

**UK General Data Protection Regulation (GDPR) – UK Representative**\
Pursuant to Article 27 of the UK GDPR, we have appointed EDPO UK Ltd as our UK GDPR representative in the UK. You can contact EDPO UK regarding matters pertaining to the UK GDPR:

* by using EDPO's online request form: <https://edpo.com/uk-gdpr-data-request/>
* by writing to EDPO UK Ltd, Unit 33, Waterside, Schooner Court, 44-48 Wharf Road, London, N1 7UX, United Kingdom

**FADP Article 14 Representative**\
Pursuant to Article 14 of the FADP, we have appointed EDPO Switzerland as our Representative in Switzerland. You can contact EDPO Switzerland regarding matters pertaining to the FADP:

* by using EDPO Switzerland's online request form: <https://edpo.com/swiss-data-request/>
* by writing to EDPO Switzerland at Rue de Lausanne 37, 1201 Geneva, Switzerland

