Security model
This page is the source of truth for security review: browser-path visibility, extension permissions, proxy credential handling, retention and the boundary between browser proxy and Layer-7 private app access.
On the browser-proxy path, BusinessProxy does not decrypt HTTPS page content. Private App Access, if enabled, is a separate Layer-7 reverse-proxy path with different visibility.
Data table
| Data type | Why | Retention | Shared with |
|---|---|---|---|
| Account email | Account, verification, billing and support. | While account is active, then according to account deletion/legal retention process. | Auth/email/payment providers as needed. |
| Device ID and public key | Bind proxy-session requests to a registered device key. | While account/workspace device record is active, unless removed. | Infrastructure providers. |
| Proxy session ID | Connect, heartbeat, revoke and session history. | While account is active today; not deleted by the 30-day usage cleanup unless a deletion policy is added. | Infrastructure providers. |
| Raw proxy credential | Not stored. Used only by the extension/proxy flow during the active session. | Not retained as raw value. | Not shared as raw value. |
| Proxy credential keyed digest | Validate random short-lived proxy session credentials. | Retained with the proxy session record unless implementation changes. | Infrastructure providers. |
| Traffic volume / usage event | Limits, usage reporting and capacity planning. | 30 days for usage events. | Infrastructure providers; payment/accounting providers when needed. |
| Destination domain / category for blocked events | Filtering, abuse prevention and policy review. | 30 days for blocked events. | Local versioned category list; external vendor only if added later. |
| Workspace audit events | Accountable administration and security review. | 180 days. | Infrastructure providers. |
| Admin/audit source IP | Admin security, fraud/abuse investigation and audit logs. | 180 days when stored in audit logs; raw service-log rotation is documented separately (~14 days). | Infrastructure/security providers if used. |
| HTTPS page content on browser-proxy path | Not collected or decrypted on the browser path. | n/a | n/a |
Account login and proxy access use separate secrets. Proxy credentials are random, short-lived session secrets issued to the extension. BusinessProxy validates them with a server-side keyed one-way digest and does not store the raw proxy secret or reuse the account password.
BusinessProxy is built for accountable work browsing. The gateway applies plan limits, session caps, category/domain rules, restricted ports, private/internal network blocking and device-signed session requests. It is not an anonymity, scraping or restriction-bypass tool.
BusinessProxy has two access paths, and they don't see the same things. We state this plainly.
| Browser-proxy path (Layer 1) | Alias / reverse-proxy path (Layer 2) |
|---|---|
| Does not decrypt HTTPS page content. | Terminates and relays HTTP for the alias app path. |
| Sees domain/network metadata needed for routing and policy. | Relays HTTP method, path, headers and request/response bodies in transit. |
| Domain/category filtering only; no page DOM or form inspection. | Processes L7 metadata for routing, policy and audit. |
| Page content is not logged or retained because it is not decrypted on this path. | Request/response bodies pass through in transit and must not be logged or retained. |
If you route an internal app through the alias path, you should know it operates at Layer 7. That's a deliberate disclosure, not a footnote.
FAQ
Not on the browser-proxy path. BusinessProxy enforces browser policy using domains, network metadata, category decisions and allow/deny rules. It does not decrypt HTTPS page content, read the page DOM, or inspect form fields on that path.
Filtering is domain/category based. The gateway applies a versioned category list and your allow/deny rules before traffic leaves through the approved egress region. This is not content/DLP inspection and should not be described as reading the page.
Chrome requires the all-sites host permission so the extension can receive and answer proxy-authentication challenges for requests that Chrome routes through the configured proxy. The extension has no content scripts and does not inject into pages or modify page content.
No. Account login and proxy access use different secrets. Proxy credentials are random, short-lived session secrets. BusinessProxy validates them with a server-side keyed one-way digest and does not store the raw proxy secret or reuse the account password.
See the security data table as the source of truth. Usage and blocked events are retained for 30 days, workspace audit events for 180 days, and proxy session records remain while the account is active unless a deletion policy is added.