Security
How we protect your data and what you can expect from Vidro.
Authentication
We use industry-standard practices to keep your account secure:
- HTTP-only cookies — Your session token (JWT) is stored in an HTTP-only cookie, so JavaScript running in the page cannot read it and a cross-site scripting (XSS) payload cannot read the token.
- Secure transmission — All traffic is served over HTTPS (TLS).
- OAuth — Sign-in with Google and GitHub uses OAuth 2.0; we do not store your third-party passwords.
- Email verification — New accounts must verify their email before full access.
Data in transit and at rest
Data is encrypted in transit using TLS. At rest, we rely on our infrastructure providers (e.g. Vercel, database and storage providers) to encrypt stored data. Recordings, screenshots, and metadata are stored in environments that enforce encryption and access controls.
Infrastructure and access
Vidro runs on modern, audited infrastructure. We follow the principle of least privilege for internal access and do not share your data with third parties except as described in our Privacy Policy (e.g. AI providers for analysis, when you use those features). We do not sell your data.
AI and third-party processing
When you use AI features, report content (e.g. transcripts, logs, screenshots) may be sent to selected AI providers to generate analysis. We choose providers that commit not to use your data for model training. For details, see our Privacy Policy.
Reporting vulnerabilities
If you believe you have found a security vulnerability in Vidro, please report it responsibly. We welcome reports at:
Please include steps to reproduce and any proof-of-concept if possible. We aim to acknowledge reports promptly and will work with you to understand and address the issue. We do not take legal action against researchers who report in good faith and follow responsible disclosure.