Security Policy

Security at MyNextBrowser

Last Updated: January 11, 2026

At MyNextBrowser, security is not an afterthought—it is the foundation of our architecture. We designed our agentic browser extension to minimize data collection and maximize local processing, ensuring that your browsing habits remain private and secure.

This document outlines the technical and organizational measures we take to protect your data.

1. Security Philosophy: "Local-First"

Our most effective security control is Data Minimization. Unlike traditional cloud-based agents that stream your entire browsing context to a remote server, MyNextBrowser operates primarily on your device.

  • Local Storage: Chat history, authentication tokens, and user preferences are stored in your browser's IndexedDB and Local Storage.
  • Ephemeral Processing: When we do need to process data (e.g., for AI summarization), it is sent to our inference provider and then immediately discarded. We do not retain a shadow copy of your web activity.

2. Infrastructure & Network Security

We do not manage our own physical data centers. Instead, we rely on top-tier cloud providers with industry-leading compliance certifications (SOC 2 Type II, ISO 27001).

  • Encryption in Transit: All data transmitted between your browser and our services is encrypted using TLS 1.2+ (Transport Layer Security). We use strict HSTS (HTTP Strict Transport Security) to prevent downgrade attacks.
  • Encryption at Rest: Any sensitive data that reaches our servers (such as account credentials) is encrypted using AES-256.
  • DDoS Protection: Our API endpoints and static assets are protected by Cloudflare, which mitigates Distributed Denial of Service (DDoS) attacks and ensures high availability.

3. Application Security

  • Minimal Permissions: Our extension follows the "Principle of Least Privilege." We only request sensitive permissions when absolutely necessary for the agentic features you explicitly trigger.
  • Authentication: We use industry-standard OAuth flows for Google Sign-In and secure session management. Passwords are never stored in plain text; they are hashed and salted using robust algorithms (e.g., bcrypt/Argon2).
  • Payment Security: We do not touch your credit card data. All billing is handled by DodoPayments, a PCI-DSS compliant Merchant of Record.

4. Subprocessors

To provide our services, we partner with trusted third-party vendors ("Subprocessors"). We carefully vet each vendor for security compliance.

Core Infrastructure

  • Google Cloud Platform (GCP)
    Purpose: AI Models (Vertex AI), Hosting, and Backend Infrastructure.
    Location: Global / USA.
  • Amazon Web Services (AWS)
    Purpose: Secondary Hosting and Storage.
    Location: Global / USA.
  • Cloudflare
    Purpose: Content Delivery Network (CDN), DNS, and DDoS Protection.
    Location: Global.

Business Operations

  • DodoPayments
    Purpose: Merchant of Record (Payment Processing & Tax Handling).
    Location: Global.
  • Resend
    Purpose: Transactional Email Delivery (e.g., password resets, welcome emails).
    Location: USA.
  • Twilio
    Purpose: SMS/Email Infrastructure (Secondary communication channels).
    Location: Global.

5. Vulnerability Reporting

We value the contributions of the security research community. If you believe you have found a security vulnerability in MyNextBrowser, please let us know immediately.

  • Contact: [email protected]
  • Policy: Please provide a detailed description of the vulnerability and steps to reproduce it. We pledge to investigate all legitimate reports promptly and will not take legal action against researchers who discover and report security vulnerabilities in good faith.

6. Compliance

Our security practices are designed to support compliance with major data protection frameworks:

  • GDPR (Europe): We support the right to erasure and data portability.
  • CCPA (California): We implement strict data access controls.
  • Google API Services: We adhere to the Google API Services User Data Policy, specifically regarding the "Limited Use" requirements for Restricted Scopes (Gmail).