Security

The product is the security story.

We didn't bolt security on after building the app — we built the app around the security story. There is no database to leak, no cookie store to compromise, and no logging tier that touches your pixels. This page documents that, end to end, with enough specificity that your security team can actually evaluate it.

Last updated May 2026 · Read the source on GitHub

§01

Data flow, end to end

A screenshot follows exactly this path. There are no other paths.

  1. Browser

     You drag a file in. We base64-encode it client-side and hold it in React state. No upload to our servers happens until you press Run.

  2. TLS to /api/analyze

     Five parallel HTTPS POSTs (one per reading), each carrying the data URL plus persona/question. TLS 1.3 enforced by Vercel's edge.

  3. Server memory

     Our serverless function validates the payload (zod), builds the system + user message, and forwards it to Vercel AI Gateway. The data URL is never written to disk, never persisted to a queue, never copied to a log.

  4. AI Gateway

     disallowPromptTraining: true is set on every request. The gateway routes to a provider with a no-training agreement; if no compliant provider is available, the request fails with HTTP 400 instead of falling through.

  5. Provider

     Generates the response. Per their commercial terms, prompts are not used for training. Many providers also commit to short-term-only retention (typically 30 days for safety review).

  6. Stream back

     Tokens stream back through the gateway, through our function, through the browser, into the React UI. Nothing intermediate is captured. When the request finishes, server memory is released.

§02

Provider no-training matrix

Every model in our panel is gated to a provider with a no-training agreement enforced by Vercel AI Gateway. If a provider is dropped from the agreement, our request fails rather than fall through.

Provider | Models we use | No prompt training | Policy
OpenAI | gpt-5.2 | Yes — via Vercel AI Gateway no-training agreement. | Read
Anthropic | claude-sonnet-4.6, claude-haiku-4.5 (consensus) | Yes — Commercial Terms. | Read
Google (Vertex AI) | gemini-3-pro-preview | Yes — Vertex AI ZDR-compatible. | Read
xAI | grok-4.20-non-reasoning | Yes — Enterprise Terms of Service. | Read
Meta | llama-4-maverick | Yes — via Together / Fireworks no-training agreements. | Read

§03

Network

  • TLS 1.3 only. HTTP traffic is redirected to HTTPS at Vercel's edge.
  • HSTS is set on the apex domain.
  • No third-party scripts. The page loads a small set of self-hosted assets and Google Fonts (CSS-only, served via next/font). No tracking script ever runs.
  • API responses use Cache-Control: no-store, no-cache, must-revalidate so no intermediate caches retain content.
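
A reviewer can check the header claims in this section from the outside. The following is an added example, not code from this project: it audits a set of response headers for the three Cache-Control directives and the HSTS header named above, plus the absence of cookies. The function names, the 180-day HSTS threshold and the sample header values are assumptions made for illustration.

```javascript
// Added example: audit response headers against the claims in this section.
// Sample header values are constructed; minHstsAge is an assumed threshold.

function parseDirectives(value) {
  // "no-store, max-age=0" -> Map { "no-store" => true, "max-age" => "0" }
  const out = new Map();
  for (const part of String(value || "").split(/[,;]/)) {
    const [k, v] = part.trim().split("=", 2);
    if (k) out.set(k.toLowerCase(), v === undefined ? true : v.replace(/"/g, ""));
  }
  return out;
}

function auditHeaders(rawHeaders, { minHstsAge = 15552000 } = {}) {
  // Header names are case-insensitive, so normalise them first.
  const h = new Map(Object.entries(rawHeaders).map(([k, v]) => [k.toLowerCase(), v]));
  const findings = [];

  // The page states: Cache-Control: no-store, no-cache, must-revalidate
  const cc = parseDirectives(h.get("cache-control"));
  for (const d of ["no-store", "no-cache", "must-revalidate"]) {
    if (!cc.has(d)) findings.push(`cache-control: missing ${d}`);
  }
  if (cc.has("public")) findings.push("cache-control: public allows shared caching");

  // The page states HSTS is set; a short max-age weakens it (threshold assumed).
  const rawAge = parseDirectives(h.get("strict-transport-security")).get("max-age");
  const maxAge = typeof rawAge === "string" && rawAge !== "" ? Number(rawAge) : NaN;
  if (!Number.isFinite(maxAge)) findings.push("hsts: header missing or no max-age");
  else if (maxAge < minHstsAge) findings.push(`hsts: max-age ${maxAge} below ${minHstsAge}`);

  // The page states there is no cookie store, so a Set-Cookie is worth flagging.
  if (h.has("set-cookie")) findings.push("set-cookie: response sets a cookie");
  return findings;
}

// Constructed sample responses: one matching the stated policy, one that does not.
const compliant = {
  "Cache-Control": "no-store, no-cache, must-revalidate",
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
};
const weak = {
  "cache-control": "public, max-age=60",
  "strict-transport-security": "max-age=300",
  "set-cookie": "sid=abc; Path=/",
};
console.log(auditHeaders(compliant));
console.log(auditHeaders(weak));
```

An empty result means the headers match what this section states; TLS version enforcement is not visible in headers and has to be checked separately.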
§04

Application

  • No database. No Postgres, no Redis, no S3 bucket. The serverless function runtime is stateless.
  • Strict input validation. Every request body is parsed with zod; oversize or unsupported MIME types are rejected before any model call.
  • Secrets management. AI Gateway credentials are auto-discovered via Vercel OIDC in production. No long-lived API key is checked into the repo or bundled with client code.
  • Open CSP-friendly architecture. Because we load no third-party scripts, the threat surface for XSS is small.
  • Dependency hygiene. A small dependency tree kept current with Renovate-style upgrades; all production dependencies pinned in package-lock.json.
§05

People & access

Access to deployment configuration and the AI Gateway dashboard is restricted to the founder's account, secured with a hardware security key (FIDO2). As the team grows we'll move to single-sign-on with mandatory MFA and document the role separations here.

§06

Incident response

In the event of a confirmed security incident, we will:

  1. Contain the issue (rotate keys, revoke tokens, take affected routes offline if needed).
  2. Notify affected parties within 72 hours of confirmation (the GDPR threshold), even if regulators don't require it for our case.
  3. Publish a post-mortem on this page with timeline, root cause, and the fix. We will not paper over an incident.
§07

Compliance roadmap

We're not currently SOC 2 Type II certified, ISO 27001 certified, or HIPAA-compliant — and we'd rather tell you that plainly than pretend otherwise. Our roadmap, in order:

  • Independent third-party penetration test, scoped to the data flow above (target: first paying enterprise customer).
  • SOC 2 Type II — pursued if and when an enterprise contract requires it. We won't spend the budget speculatively.
  • Public source release, so any security team can read the routes and validate the claims line by line.
§08

Disclosure

Found a vulnerability? Please email security@uxrbuddy.com before sharing publicly. We'll acknowledge within 48 hours, investigate, and credit you in the post-mortem if you'd like.