Security · preliminary statement

Security at Worksnip

Worksnip handles screen captures, structured page data, and AI-generated narration. We take that responsibility seriously and build the product accordingly.

Status of this page: preliminary. The substantive sub-processor list, SOC 2 letter, and DPA template are available on request while we finalise the public versions.

Today, in production

  • All traffic is encrypted with TLS 1.3, and the domain is HSTS preloaded.
  • Two-layer redaction of sensitive data on every capture — once in your browser before upload, and once again on the server.
  • Per-organization data isolation enforced at the row level; AI calls are scoped per request.
  • Stripe-hosted billing — no card data ever touches our infrastructure.
  • Object storage is private by default; all access goes through short-lived signed URLs.

In progress

  • SOC 2 Type II — engagement scheduled.
  • Public sub-processor list (currently available on request).
  • Customer-managed encryption keys for Enterprise.

Reporting a vulnerability

If you believe you've found a security vulnerability in Worksnip, please email security@worksnip.com. We'll acknowledge within 24 hours and aim to remediate inside 14 days for high-severity reports. PGP key on request. Preliminary contact — subject to change.