Security

Overview

TabMate is a browser extension that reads the current page and stores workspace data on our servers. Because it touches browsing context and account data, this page describes how authentication, sessions, data in transit, and local storage are handled. We aim to be direct rather than vague.

Authentication

TabMate uses token-based authentication. When you sign in, the backend issues an access token and a refresh token. The access token is short-lived. The refresh token is used to obtain new access tokens without requiring you to sign in again.

Tokens are stored in chrome.storage.local on your device - not in cookies or localStorage, which are accessible to page JavaScript. chrome.storage.local is only readable by the extension itself.

Session management

Each sign-in creates a tracked refresh session. Sessions store metadata including the IP address and user agent at the time of sign-in. This metadata is used for abuse detection and authentication security - not for analytics or advertising.

Sessions can be revoked. If you believe your account has been accessed without your knowledge, contact us immediately at the address below.

Data in transit

All communication between the extension and our API uses HTTPS. Requests to the backend are authenticated with the access token in the request header. We do not transmit credentials in query parameters or URL paths.

Page access and content scripts

TabMate uses page access and content scripts so it can capture page context from the tab you are working in. When you submit an ask or use another explicit workflow that depends on page context, the relevant page content is sent to our API over HTTPS. Relevant page context may also be persisted with conversation and workspace records so asks, saved evidence, and related outputs can continue across sessions. Content sent to generate responses is also shared with the third-party LLM API configured for the service.

Server-side data

Workspace data - including conversations, prompts, memories, pinned excerpts, and related page-linked research context - is stored on our servers. We apply standard security controls including authenticated API access, rate limiting, and input validation. We do not expose raw database access externally.

LLM API

TabMate routes asks through a third-party LLM API provider, currently OpenAI, to generate responses. Content sent to this provider may include page context, selected text, and conversation history. This content is subject to the provider's processing and data-handling terms. We do not use your content to train our own models.

OpenAI's API data-handling and retention practices are governed by OpenAI's own terms and documentation.

Guardrails and content controls

TabMate uses layered guardrails before and after model generation. Browser content forwarding passes through a sanitization pipeline that can strip HTML artifacts, normalize forwarded text, sanitize URLs, redact obvious secret-like strings, and redact directive-style prompt-injection phrases before page content is sent onward.

The service also applies input and output safety scanning as part of its guardrail pipeline, including controls for token limits, invisible text, blocked patterns, and configured scanners for prompt injection, secret exposure, malicious URLs, and sensitive output. In addition, request-side controls such as rate limits, daily ask limits, token budgets, and request credit limits help reduce abuse and keep usage within configured envelopes.

Some requests or responses may be sanitized, refused, or blocked before they reach the model or the user. These controls reduce risk, but they are not a guarantee that all unsafe, adversarial, or policy-violating content will be detected in every case.

What we do not do

• We do not sell account or usage data to third parties.
• We do not access background tabs you are not actively working in.
• We do not store credentials in cookies or localStorage.
• We do not download and execute remote code inside the extension.

Responsible disclosure

If you find a security vulnerability in TabMate, please report it by email before disclosing it publicly. We will respond to all credible security reports and work to resolve confirmed issues promptly.

Security reports: [email protected] - please include "Security" in the subject line.

Contact

General security questions or concerns: [email protected]