Security Policy
Security by absence. Client-side isolation. Data we don't have can't leak.
01 · Data minimization
The strongest security guarantee is the data we don't collect. ScrubAI runs entirely in your browser's sandbox, so there is no centralized database of user images for an attacker to breach.
If someone targeted our hosting, they would find static HTML, CSS, and client-side JavaScript — and zero user files, media, or archives.
02 · Authentication & sessions (Clerk)
Identity management is delegated to Clerk. The protections it applies on our behalf:
Brute-force protection
Continuous monitoring for login threshold abuses and suspicious endpoint activity.
XSS mitigation
Encrypted, HttpOnly session cookies prevent client-side scripts from reading auth tokens.
CSRF mitigation
Strict SameSite cookie attributes block cross-site request forgery.
Session rotation
Every sign-in / sign-out rotates the session token; the prior token is immediately invalidated.
03 · Payments (PayPal)
Card or bank credentials are never transmitted to or stored on ScrubAI infrastructure. The Lifetime Pro upgrade is processed entirely by PayPal via the official @paypal/react-paypal-jsSDK and verified server-side on capture. We only see PayPal's order confirmation token.
- PCI-DSS compliant.PayPal is a certified PCI-DSS Service Provider. Cardholder data is entered into PayPal's own surface, never into a ScrubAI form.
- TLS 1.3 in transit. Checkout sessions are encrypted directly between your device and PayPal.
- Server-side verification. Once PayPal confirms the order, our server independently verifies the captured amount and currency before unlocking Pro entitlements.
- One-time authorization. Lifetime Pro is a single payment — no stored billing token, no saved card, no recurring charge.
04 · Content security policy
We apply a strict CSP at the application layer, restricting resource loading to a pre-approved list of domains:
- connect-src — first-party (
'self'), Clerk APIs, PayPal's checkout gateway, and our reverse telemetry proxy (/ingest). - img-src — local blobs (
blob:), base64 data URIs, and Clerk profile images. - worker-src — limited to local web workers.
05 · Reporting vulnerabilities
Found a vulnerability? Email security@scrubai.app with reproducible steps. We review disclosures within 48 hours and ship fixes as fast as possible.