ScrubAI.
Workspace Portal
Legal Framework
🛡️ ALL SCRUB·AI OPERATIONS RUN 100% LOCALLY IN YOUR CLIENT BROWSER SANDBOX MEMORY.
Last Updated: May 23, 2026

Security Policy

Security by Absence · Client-Side Isolation Protocols

01.Data Minimization: Security by Absence

The ultimate security standard is data minimization: we cannot lose, leak, or compromise data we do not collect. Because ScrubAI runs entirely inside your browser's local sandbox memory, there is no centralized database of user images for malicious actors to breach or intercept.

If a hacker targeted our backend hosting provider, they would find only static, pre-compiled HTML, CSS, and client-side JavaScript—containing absolutely zero user files, media assets, or personal archives.

02.Authentication & Session Integrity (Clerk)

We delegate our complete identity management to Clerk, a leading developer-focused security framework. Clerk maintains state-of-the-art defenses to protect your profile:

Brute-Force Protection

Monitored continuously against login threshold abuses and suspicious endpoint inquiries.

XSS Mitigation

Secure, encrypted, HttpOnly cookies prevent client-side script cross-site hacking tokens access.

CSRF Mitigation

Protected against cross-site request forgery through strict deployment of SameSite cookie tags.

Session Fixation Prevention

Every sign in/out session token is completely regenerated and the old session immediately invalidated.

03.Financial and Checkout Security (Stripe)

Your credit card data is never transmitted, processed, or held on ScrubAI infrastructure. We integrate directly with Stripe (via Clerk Billing) to ensure maximum compliance:

  • ·
    PCI-DSS Level 1 Compliance: Stripe is a certified PCI Level 1 Service Provider—the most stringent security standard in the payment processing industry.
  • ·
    Encrypted Handshakes: Checkout sessions are encrypted in transit via Transport Layer Security (TLS 1.3) directly between your device and Stripe.

04.Content Security Policies (CSP) & Invalidation

We implement a strict Content Security Policy (CSP) at our application’s header layer. This prevents malicious code injections and unauthorized network calls by restricting resource loading to a pre-approved list of domains:

  • ·
    connect-src: Authorized exclusively for first-party assets ('self'), Clerk API endpoints, Stripe's gateway, and our reverse telemetry proxy (/ingest).
  • ·
    img-src: Authorized exclusively for local blobs (blob:), base64 indicators, and Clerk assets (https://img.clerk.com).
  • ·
    worker-src: Standardized to run secure browser web workers locally.

05.Reporting Vulnerabilities

We welcome security feedback. If you discover a potential vulnerability in our code, implementation, or setup, please email us immediately at security@yourdomain.com with reproducible steps.

We promise to review your disclosure within 48 hours and work with you to implement a fix immediately.