Security
1. Zero-Server Architecture
SPRAPP is designed with a fundamentally different security model than traditional SaaS applications. There is no backend server processing your conversations. The entire application runs in your browser.
- No conversation relay: Your messages are sent directly from your browser to each AI provider's API (Anthropic, OpenAI, xAI, Google, etc.). Our servers never see, process, or store the content of your conversations.
- No server-side storage: We do not operate databases containing user conversations, bot configurations, or chat histories. All of this lives in your browser.
- Static hosting: Our web application is served as static files from Vercel. There is no application server, no API backend, and no database to breach.
2. Browser-Side Storage
All user data is stored locally in your browser using standard web storage APIs:
| Storage | Data | Purpose |
|---|---|---|
| localStorage | Theme, API keys, user session | Sync reads at boot |
| IndexedDB | Bots, chat histories, addons | Large data, no size limit |
| OPFS (optional) | WASM modules, large binary data | Concurrent access, SQLite |
3. API Key Handling
- Storage: API keys are stored in your browser's localStorage under keys like
spr-apikey-anthropic,spr-apikey-openai, etc. They are never sent to our servers. - Transmission: Keys are sent directly from your browser to the AI provider's API endpoint over HTTPS.
- URL safety: API keys are never included in bot sharing URLs.
- No logging: We do not log, intercept, or have any mechanism to access your API keys.
4. Encryption in Transit
- All connections use HTTPS with TLS 1.2+ encryption
- HSTS prevents downgrade attacks
- All connections from your browser to AI provider APIs use HTTPS
5. Payment Security
We do not handle payment card data directly. All payment processing is delegated to Stripe and PayPal (PCI DSS Level 1 compliant).
6. Authentication
We use OAuth 2.0 / OIDC via Google, Apple, GitHub, Facebook, WeChat. Session tokens are JWTs signed with HS256, 24-hour expiry. We never receive, store, or manage passwords.
7. What We Do Not Do
- No analytics services (no Google Analytics, Mixpanel, Amplitude)
- No tracking pixels or advertising beacons
- No cross-site tracking cookies
- No fingerprinting or device identification
- No data sales or sharing with advertisers
8. Vulnerability Reporting
If you discover a security vulnerability, please report it to: security@sprapp.com
- We acknowledge receipt within 24 hours
- We provide an initial assessment within 72 hours
- We credit you in our security acknowledgments