Trust and security

Security

Security boundaries, local execution guarantees, auth handling, token storage, and practical operational limits.

Updated June 11, 2026 (10 min read)

Summary

  • Conxa separates build-time AI assistance, cloud coordination, and local runtime execution.
  • Target-site browser session state is local and excluded from build output.
  • Workspace access uses Clerk authentication, runtime package sync uses runtime tokens, and customer browser sessions are encrypted locally where supported.

Security principles

  • Keep workflow execution local to the end user machine.
  • Exclude auth files and browser storage state from packaged skill output.
  • Use the cloud for coordination and telemetry, not remote operation of customer applications.
  • Prefer deterministic recovery before LLM-assisted repair.
  • Make operational limits explicit instead of presenting incomplete controls as certifications.

Identity and access

The cloud dashboard uses Clerk-based authentication for workspace access. API requests that require a signed-in user are protected through the authenticated frontend and backend route model.

The Build Studio uses a local sign-in flow for builders. Runtime package sync uses tokens provisioned for the installed company runtime. These are separate credentials with separate scopes.

Local browser sessions

Browser session state for target applications is treated as sensitive. Build Studio auth sessions and runtime browser sessions are local state, not published package content.

Runtime browser sessions are encrypted at rest on the customer machine using local key material where the runtime environment supports it. Customers should still control endpoint security, OS account access, disk encryption, and browser profile hygiene.

Auth file exclusion

The build pipeline is expected to reject build inputs that contain auth files. Published skill packages should contain workflow data, not target-site credentials.
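One way a build pipeline can enforce this exclusion, as an added example rather than Conxa's own pipeline code: check both the path and the content of every build input before packaging, so that a renamed session export is still caught. The path patterns, the Playwright-style storage-state JSON shape, and the sample input are assumptions constructed for the example.

```python
"""Reject build inputs that carry target-site auth or browser session state.

Added example, not Conxa's code. Assumptions: a build input is a set of
relative paths with file contents; browser session state looks like a
Playwright-style storage-state JSON (top-level "cookies"/"origins" keys)
or a Chromium/Firefox profile artifact. Real pipelines should tune the
patterns to the runtimes they actually use.
"""
import json
import re
from pathlib import Path

# Path patterns that indicate credentials or browser storage state.
# These names are illustrative assumptions, not Conxa's actual file layout.
AUTH_PATH_PATTERNS = [
    re.compile(r"(^|/)\.auth(/|$)"),                              # conventional auth folder
    re.compile(r"(^|/)(storage[_-]?state|auth)\.json$", re.I),    # exported session state
    re.compile(r"(^|/)cookies(\.sqlite|\.txt)?$", re.I),          # browser cookie jars
    re.compile(r"(^|/)Local Storage(/|$)"),                        # Chromium leveldb store
    re.compile(r"(^|/)Session Storage(/|$)"),
    re.compile(r"(^|/)\.env(\..*)?$"),                             # secrets in env files
]

# Top-level JSON keys whose presence means "this file is session state".
SESSION_JSON_KEYS = {"cookies", "origins", "localStorage", "sessionStorage"}


def looks_like_session_json(content: bytes) -> bool:
    """Return True when the content parses as a JSON object carrying session state."""
    try:
        data = json.loads(content.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False
    return isinstance(data, dict) and bool(SESSION_JSON_KEYS & data.keys())


def find_auth_artifacts(files: dict[str, bytes]) -> list[str]:
    """Return the paths in a build input that must not be packaged.

    `files` maps a relative path to the file's bytes. The path is matched
    first; JSON files that pass the path check are still sniffed by content.
    """
    flagged = []
    for rel_path, content in sorted(files.items()):
        path = rel_path.replace("\\", "/")
        if any(p.search(path) for p in AUTH_PATH_PATTERNS):
            flagged.append(path)
        elif path.lower().endswith(".json") and looks_like_session_json(content):
            flagged.append(path)
    return flagged


def assert_packageable(files: dict[str, bytes]) -> None:
    """Fail closed: raise before any packaging step if auth state is present."""
    flagged = find_auth_artifacts(files)
    if flagged:
        raise ValueError("build input contains auth/session state: " + ", ".join(flagged))


def read_build_input(root: Path) -> dict[str, bytes]:
    """Load a build input directory into the in-memory shape the checks use."""
    return {
        p.relative_to(root).as_posix(): p.read_bytes()
        for p in root.rglob("*")
        if p.is_file()
    }


# Constructed sample input: one workflow file plus a renamed session export.
SAMPLE_BUILD_INPUT = {
    "workflow/steps.json": b'{"steps": [{"action": "click", "selector": "#submit"}]}',
    "notes/export.json": b'{"cookies": [{"name": "sid", "value": "REDACTED"}], "origins": []}',
}

if __name__ == "__main__":
    try:
        assert_packageable(SAMPLE_BUILD_INPUT)
    except ValueError as exc:
        print("rejected:", exc)
```

Running the check on the constructed sample rejects `notes/export.json` even though its name matches no pattern, because the content sniff sees the `cookies` key; the pipeline should treat any hit as a hard failure rather than silently dropping the file.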

Data protection controls

Control | Current behavior
Transport security | Cloud communication should use HTTPS in production deployments.
Workspace auth | Dashboard access is tied to authenticated Clerk users and workspace context.
Runtime session storage | Target-site browser sessions stay local and are encrypted at rest where supported by the runtime.
Package integrity | Runtime sync verifies package content and writes updates atomically.
Telemetry scope | Telemetry is compact operational metadata rather than full runtime browser replay.
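The package integrity row above describes two steps, verification and an atomic write. The following is an added example of how a runtime can implement them together, not Conxa's runtime code; it assumes the sync service delivers a package plus its SHA-256 digest out of band (for instance in a signed manifest), and that the runtime keeps one installed copy at a known path. The sample package bytes are constructed.

```python
"""Verify a synced package and apply it atomically.

Added example, not Conxa's runtime code. Assumptions: the expected SHA-256
digest arrives separately from the package bytes (e.g. a signed manifest);
the runtime keeps a single installed copy at `dest`.
"""
import hashlib
import hmac
import os
import tempfile
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_package(content: bytes, expected_sha256: str) -> bool:
    """Constant-time comparison of the package digest with the expected one."""
    return hmac.compare_digest(sha256_hex(content), expected_sha256.lower())


def install_package_atomically(content: bytes, expected_sha256: str, dest: Path) -> None:
    """Write `content` to `dest` so readers see the old file or the new one, never a partial one.

    Order matters: verify before any write, write to a temp file in the same
    directory (os.replace is only atomic within one filesystem), fsync the
    data, rename over the destination, then fsync the directory entry.
    """
    if not verify_package(content, expected_sha256):
        raise ValueError("package digest mismatch; refusing to install")
    dest.parent.mkdir(parents=True, exist_ok=True)
    fd, tmp_path = tempfile.mkstemp(prefix=dest.name + ".", dir=dest.parent)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(content)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp_path, dest)
    except BaseException:
        # Leave no half-written temp file behind on failure.
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    # Persist the directory entry so the rename survives a crash (POSIX only).
    if hasattr(os, "O_DIRECTORY"):
        dir_fd = os.open(dest.parent, os.O_RDONLY | os.O_DIRECTORY)
        try:
            os.fsync(dir_fd)
        finally:
            os.close(dir_fd)


def run_self_check() -> bool:
    """Install a constructed package, then show a tampered update is refused and the good copy survives."""
    good = b"PK\x03\x04 constructed-package-v1"     # constructed sample content
    tampered = good + b" injected"
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "skill-package.zip"
        install_package_atomically(good, sha256_hex(good), dest)
        if dest.read_bytes() != good:
            return False
        try:
            install_package_atomically(tampered, sha256_hex(good), dest)
            return False                             # a mismatch must raise
        except ValueError:
            pass
        leftovers = [p for p in Path(tmp).iterdir() if p != dest]
        return dest.read_bytes() == good and not leftovers


if __name__ == "__main__":
    print("self-check passed:", run_self_check())
```

The digest check runs before any byte touches disk, so a tampered or truncated download never produces a temp file, and a crash between the write and the rename leaves the previously installed package untouched.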

Known operational limits

  • Hosted installer URLs and company sync tokens should be treated as distribution-sensitive.
  • Enterprise private distribution, device registration, custom retention, and contractual security terms should be captured in a written enterprise agreement.
  • Conxa does not claim SOC 2, ISO 27001, HIPAA, PCI DSS, or similar certification on these public docs pages unless a signed compliance artifact says otherwise.
  • Customers remain responsible for target-application authorization, user access rights, endpoint protection, and compliance requirements that apply to their own data.

Reporting security issues

Report suspected security issues to noreplay@conxa.in. Include the affected workspace, plugin slug if relevant, timestamps, reproduction steps, and whether any package or token may have been exposed.

Do not send target-site passwords, browser storage files, or production customer data unless Conxa support explicitly requests a secure transfer path.

Drafting references

These public resources informed the policy structure. They are not a substitute for legal review.
