Better Fetch

Trust centre

Security

How Better Fetch isolates customer activity, protects credentials and browser state, and receives vulnerability reports.

Effective 12 July 2026

Architecture and tenant isolation

  • Customer API keys are stored as one-way SHA-256 hashes and shown in plaintext only when created.
  • OAuth uses PKCE, single-use short-lived codes, rotating refresh tokens, and revocable API-key-backed grants.
  • Database row-level security scopes customer-visible control-plane records to the authenticated account.
  • Browser profiles, fingerprints, cookies, localStorage, caches, and portable snapshots are isolated by account and session.
  • Ready-made tool bundles run in an isolated runner with deadlines and a constrained host interface.

Network and request safety

  • Only HTTP and HTTPS targets are accepted.
  • Private, loopback, link-local, metadata, and other non-public destinations are blocked at initial navigation, redirects, subresources, and JSON request paths.
  • Managed proxy credentials remain server-side and cannot be supplied or retrieved through the public API.
  • Request size, cookies, session counts, concurrency, timeouts, and monthly credits are bounded.

Data protection

  • TLS protects public traffic in transit.
  • Portable browser-session snapshots are encrypted before private object storage.
  • Business observability excludes target URLs, content, headers, cookies, keys, IP addresses, and session names.
  • Synchronous fetch content is returned to the caller rather than copied into analytics.
  • Operational and product events have documented retention limits.

More detail is available in the privacy policy.

Current assurance level

Better Fetch does not currently claim SOC 2, ISO 27001, HIPAA, PCI service-provider certification, or a contractual uptime SLA. Stripe handles payment-card collection. Enterprise security reviews, retention requirements, and data-processing terms are considered on request.

Report a vulnerability

Send reports to security@betterfetch.co. Include the affected surface, reproduction steps, impact, and a safe way to contact you. Do not access other customers' data, degrade the service, run destructive tests, or disclose a vulnerability publicly before we have had a reasonable opportunity to investigate.

We aim to acknowledge credible reports within three business days. Also see security.txt.