Security

Last updated: July 4, 2026

Your demos often show the inside of your product—dashboards, customer names, revenue numbers. We treat every screenshot, lead, and analytics event as sensitive by default. Here is how DemoGenius AI protects your data.

Encryption in transit

Every connection to the dashboard, player, embeds, extension, and APIs is encrypted with TLS. Plain HTTP is never served.

Encryption at rest

Stored provider keys and integration credentials are encrypted with AES-256-GCM before they ever touch the database.

Org-scoped RBAC

Every query is scoped to your organization, with Owner, Admin, Member, and Viewer roles enforced on each mutation.

Signed URLs

Screenshots, narration audio, and exports live in private object storage and are served only through short-lived signed URLs.

Verified webhooks & rate limits

Billing webhooks are signature-verified before processing, and public, capture, and AI endpoints are aggressively rate limited.

Audit logs

Important organization actions — role changes, publishing, deletions, integrations — are recorded in a tamper-evident audit trail.

Access control

DemoGenius is multitenant by design: every demo, step, lead, AI job, and analytics event belongs to exactly one organization, and every authenticated request re-verifies your membership and role on the server. Owners control billing, role assignments, and organization deletion; Admins manage demos, team members, and integrations; Members create and edit demos; Viewers have read-only access. Public visitors can only ever see the published, immutable version of a demo—drafts are never exposed through public routes.

Capture privacy and automatic redaction

The Chrome extension never captures password fields, incognito tabs, or raw values from sensitive inputs, and it uploads screenshots with short-lived, demo-scoped capture tokens. Before you publish, our automatic redaction Skill scans screenshots for emails, phone numbers, API keys, access tokens, and card-like numbers and blurs them—and you can add your own blocked words and CSS selector rules per organization.

Application security

All external input is validated with strict schemas, captions and labels are sanitized before rendering, and the dashboard ships a strict Content Security Policy. Embeds use carefully scoped frame-ancestors headers with per-demo domain allowlists. Media fetching is guarded against SSRF, object storage keys are never exposed as raw public URLs, and AI Skills run in an isolated agent service that can only read data belonging to the requesting organization.

Monitoring and reliability

We run continuous error monitoring, structured logging with request IDs, queue failure tracking, and health checks across the database, cache, object storage, and agent service. You can see current subsystem health any time on our status page. Encrypted backups are taken regularly and retained for 30 days.

Responsible disclosure

We welcome reports from security researchers. If you believe you have found a vulnerability, email security@demogenius.ai with steps to reproduce. We will acknowledge your report within 2 business days, keep you informed as we investigate, and will not pursue legal action against good-faith research that respects user data and avoids service disruption. Please do not access data that is not yours or run automated scans against production.