SafeLayer is a defensive security product. Here is exactly what we do, what we don't do, and how we protect your data.
Browser warning events are stored as redacted previews and metadata only. Raw pasted keys are never transmitted to our servers.
Vault secrets are encrypted with AES-256-GCM before storage. Each secret gets its own unique encryption key.
Extension pairing tokens are hashed server-side. The raw token is shown once and never stored.
Risk events are tied to your account and protected by Row Level Security in our database.
We do not store raw pasted keys from browser warning events.
We do not screen record your browser sessions.
We do not sell your private security events to advertisers or data brokers.
We do not do invasive keystroke logging or clipboard monitoring beyond paste detection.
We do not build malware, credential theft tools, or offensive security capabilities.
API key-like paste events: to warn you before a key reaches an untrusted site.
File upload fields on unknown domains: to help you decide before uploading sensitive files.
Sensitive permission language: to explain what you're actually agreeing to.
Suspicious domain patterns: to flag possible clone or phishing sites.
These detections are based on pattern matching, not invasive monitoring.
Security warnings are helpful context — not guarantees of safety.
Our risk scoring is rule-based. It may produce false positives on legitimate sites.
We are not a certified security product. We are a helpful layer of protection.
Starter legal pages on this site should be reviewed by an attorney before production use.