
Security

How we protect your data and earn your trust.

Who we are

Am I Being Pwned LLC is focused exclusively on browser extension security. We are a small, focused team of security researchers and engineers.

Am I Being Pwned? is built and operated by Am I Being Pwned LLC. We specialise in analysing browser extensions for malicious, suspicious, and vulnerable behaviour. Our team combines security research experience with engineering expertise in browser internals.

Questions about our security posture? Contact us at hello@amibeingpwned.com.

Infrastructure

All data is processed and stored in the EU. We use Cloudflare for edge delivery and DDoS protection, and Neon (PostgreSQL) for database storage. Everything is encrypted in transit and at rest.

  • Edge network - Cloudflare Pages and Workers handle all HTTP traffic, providing DDoS mitigation, TLS termination, and global edge caching.
  • Database - Neon serverless PostgreSQL, hosted in the EU. All data encrypted at rest (AES-256) and in transit (TLS 1.2+).
  • Authentication - OAuth 2.0 via Google. We never store passwords. Session tokens are signed and httpOnly.
  • Secrets management - All credentials and API keys are stored as encrypted environment variables, never committed to source control.

What our extension collects

Extension IDs, version numbers, and declared permissions. That's it. No browsing history, no form data, no keystrokes, no page content, no cookies.

The Am I Being Pwned? Chrome extension reports the following data for each enrolled device:

  • A device identifier (set by your organisation or MDM)
  • Chrome extension IDs, version numbers, and declared permissions
  • Extension enabled/disabled status

What we never collect

  • Browsing history or visited URLs
  • Form data, keystrokes, or credentials
  • Page content or DOM
  • Cookies or session tokens
  • Screenshots or screen recordings
  • Personal files or documents

Extension permissions

Our extension requests the 'management' permission to read installed extensions. It cannot read your browsing data, modify web pages, or access your tabs.

The Am I Being Pwned? extension requires the management permission to enumerate installed extensions and their metadata. This is the minimum permission required to provide the service.

The extension does not request tabs, webRequest, cookies, or any host permissions. It cannot read or modify web page content.
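A permission statement like this can be checked against an extension's `manifest.json` before deployment. The following is an added example, not code from Am I Being Pwned LLC: the function name `auditManifest`, the allowlist, and both sample manifests are constructed for illustration, and treating any `content_scripts` entry as page access is an assumption of the example.

```javascript
// Added example: audit a Chrome extension manifest against the permission claims above.
// ALLOWED_API and the sample manifests below are constructed, not taken from the real extension.
const ALLOWED_API = new Set(["management"]);

// Match patterns and <all_urls> grant host access; Manifest V2 lists them under "permissions".
const isHostPattern = (p) => p === "<all_urls>" || /^(\*|https?|wss?|ftp|file):\/\//.test(p);

function auditManifest(manifest) {
  const findings = [];
  const lists = {
    permissions: manifest.permissions,
    optional_permissions: manifest.optional_permissions,
    host_permissions: manifest.host_permissions,
    optional_host_permissions: manifest.optional_host_permissions,
  };
  for (const [key, value] of Object.entries(lists)) {
    for (const perm of value ?? []) {
      if (typeof perm !== "string") continue;
      if (key.includes("host") || isHostPattern(perm)) {
        findings.push(`${key}: host access "${perm}"`);
      } else if (!ALLOWED_API.has(perm)) {
        findings.push(`${key}: API permission "${perm}" beyond management`);
      }
    }
  }
  // Content scripts run inside pages, so any match pattern means page content is reachable.
  for (const cs of manifest.content_scripts ?? []) {
    for (const m of cs.matches ?? []) findings.push(`content_scripts: injects into "${m}"`);
  }
  return findings;
}

// Constructed manifests: one matching the description above, one that drifts from it.
const minimal = { manifest_version: 3, name: "sample", permissions: ["management"] };
const drifted = {
  manifest_version: 3,
  name: "sample",
  permissions: ["management", "tabs"],
  optional_permissions: ["cookies"],
  host_permissions: ["https://*/*"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["cs.js"] }],
};

console.log(auditManifest(minimal));
console.log(auditManifest(drifted));
```

An empty result means the manifest requests nothing beyond `management`; rerunning the check on each extension update catches permission drift between versions.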

Compliance

Our reports map to CIS Controls v8, ISO 27001 Annex A, and SOC 2 Trust Services Criteria. We are working toward formal SOC 2 Type II certification.

  • Framework mapping - Our security findings and compliance reports map to CIS Controls v8, ISO 27001 Annex A, and SOC 2 Trust Services Criteria.
  • GDPR - All data processed and stored within the EU. We collect the minimum data necessary and retain it only as long as needed. See our Privacy Policy for details.
  • Data processing - Enterprise customers can request a Data Processing Agreement (DPA) by contacting us.

Responsible disclosure

Found a vulnerability in our service? Email vulnerabilities@amibeingpwned.com. We respond within 48 hours and will not take legal action against good-faith research.

If you believe you have found a security vulnerability in our service, please report it to vulnerabilities@amibeingpwned.com. You can encrypt your report using our PGP key:

PGP Fingerprint

981E AE52 7918 5946 D5D0 A595 34CC 6F8A F0D2 8039

We ask that you:

  • Give us reasonable time to investigate and fix the issue before public disclosure
  • Avoid accessing or modifying other users' data during your research
  • Include enough detail for us to reproduce the issue

We will not pursue legal action against researchers acting in good faith.