Security
Produck SDK is designed with security as a core principle. This page covers the security model for API execution, DOM extraction, and data handling.
API Execution Security
Endpoint Whitelisting
The SDK will only execute API calls to whitelisted endpoints. This is enforced client-side before any request is made.
allowedEndpoints={[
'GET /api/users/*',
'POST /api/orders',
]}If the AI tries to call an endpoint not in the whitelist, the call is blocked and the AI is informed that the action is not permitted.
Authentication Isolation
API authentication credentials (cookies, tokens) are managed by the browser or your code — Produck servers never see your auth tokens for client-side calls.
For proxy calls, the Produck server forwards requests but does not store authentication headers.
Proxy Domain Allowlist
When using the server proxy (CORS fallback), only requests to domains in your project's allowed_proxy_domains list will be forwarded. Configure this in the dashboard.
allowed_proxy_domains: ['api.yoursite.com', '*.yoursite.com']DOM Context Security
On-Demand Only
DOM content is never automatically extracted or sent. The AI must explicitly request it, and only when the user's question requires page context.
Selector Scoping
Use CSS selectors to control exactly what the AI can read:
domContext={{
enabled: true,
selectors: ['main'],
exclude: ['.private-data', '#ssn-field', '.admin-panel'],
}}No Persistent Storage
Extracted DOM content is used for the current AI response only. It is not stored in the knowledge base or any persistent storage.
Data Handling
What We Store
| Data | Stored? | Where | Retention |
|---|---|---|---|
| Chat messages | Yes | Supabase (encrypted at rest) | Configurable |
| Knowledge base content | Yes | Qdrant vector DB | Until deleted |
| API call results | No | Only used in-context | — |
| DOM extractions | No | Only used in-context | — |
| User auth tokens | No | Never leaves browser* | — |
* Exception: proxy calls forward headers but do not store them.
SDK Key Security
- SDK keys are public (embedded in client-side code)
- They identify your project but do not grant admin access
- Rate-limited per key
- Can be rotated in the dashboard
Encryption
- All communication uses TLS 1.2+
- Database encryption at rest (Supabase)
- Vector embeddings stored in isolated Qdrant collections per project
Best Practices
- Use specific endpoint whitelists — never use
* /* - Scope DOM extraction — exclude sensitive page areas
- Use cookie auth — for same-origin APIs, cookies are simplest and most secure
- Rotate SDK keys — if you suspect a key is compromised
- Monitor audit logs — review API calls in the dashboard
- Set proxy domain allowlists — limit which domains the proxy can reach
Compliance
Produck is designed to support:
- GDPR — no unnecessary data collection, configurable retention
- SOC 2 — audit logging, encryption, access controls
- CCPA — user data can be exported and deleted
Contact [email protected] for compliance documentation.
Next Steps
- API Schema — Configure API execution
- DOM Context — Configure DOM extraction
- FAQ — Common questions