Security at E2LLM
We take security seriously. This page describes our security practices, how to report vulnerabilities, and our track record.
Architecture & Data Handling
E2LLM is designed with security as a core principle, not an afterthought.
Extension (Local)
All DOM processing and SiFR generation happens in your browser. No page content is transmitted to our servers. The extension works fully offline.
MCP Server (Retained & Protected)
All session data (SiFR captures, actions, metadata) is retained for 30 days and encrypted before storage. Access requires a lawful request, user consent, or a safety review. Data is purged after the retention period.
- All MCP connections require authentication — via external providers (Google, Microsoft, GitHub) or E2LLM accounts
- Session data encrypted before storage — encryption keys managed by S2 Tikshuv Ltd
- Internal access to session data is audit-logged and policy-enforced
- No payment data stored — Paddle handles all financial data as Merchant of Record
- First-party performance monitoring only — no third-party analytics or advertising trackers
- Enterprise tier: full on-premises deployment, zero data egress
Vulnerability Disclosure Policy
We welcome responsible disclosure of security vulnerabilities. If you discover a vulnerability in any E2LLM product, please report it to us.
Report a vulnerability: Send details to security@e2llm.com. Use this address for security issues only — not for support or feature requests.
What to include
- Description of the vulnerability and its potential impact
- Steps to reproduce
- Affected product (Extension, MCP Server, Relay, Website)
- Your contact information for follow-up
Our commitment
- Acknowledge receipt, typically within 48 hours
- Provide an initial assessment, typically within 5 business days
- Keep you informed of remediation progress
- Credit you in the advisory (unless you prefer anonymity)
- Not pursue legal action against good-faith security researchers
Scope
- E2LLM browser extensions (Chrome, Firefox)
- E2LLM MCP relay server (mcp.e2llm.com)
- E2LLM website (e2llm.com)
- Authentication and authorization systems
Out of scope: Vulnerabilities in third-party services we use (Paddle, identity providers), social engineering attacks, denial of service attacks, vulnerabilities in websites accessed through E2LLM by end users.
Known Vulnerabilities (CVE)
We publish security advisories for confirmed vulnerabilities in E2LLM products.
| CVE ID | Product | Severity | Status | Published |
|---|---|---|---|---|
| No known vulnerabilities at this time. | | | | |
This table will be updated as advisories are published. Subscribe to security@e2llm.com for notifications.
Security Practices
- Regular dependency audits and updates
- All connections encrypted in transit
- For external sign-in (Google, Microsoft, GitHub), your password is handled by the provider — we never see it. For E2LLM accounts, passwords are stored as secure hashes
- Detected password fields are redacted before storage — we make a best-effort attempt to avoid storing plaintext passwords
- Content Security Policy headers on all web properties
- Extension published through official browser stores with review processes
- Source code under BSL 1.1 — auditable by customers