Invest in your
Online safety
SessionBox is developed with security in mind from the beginning. We know handling your profiles comes with great responsibility, and this drives all of our decisions. We would like to provide full transparency so please review the following page which contains answers to the most important security questions.
What is behind SessionBox?
SessionBox has three main components: a server which performs administrative tasks, a data store which holds user data and a client application. The client application handles all requests that are going through a browser tab that is managed by SessionBox. We also provide extensions to all major browsers, that enable our users to use SessionBox with Chrome, Edge, Firefox or Opera as well, by connecting your selected browser to our client application - but our client application also hosts our own solution: SessionBox Workstation.
Where does SessionBox operate?
We decided not to build our own infrastructure, instead we rely on third-party cloud providers, having limitless resources to ensure a rock solid and secure platform. Before we choose a cloud provider we check if their privacy and security guidelines and certifications meet our requirements.
Our servers run on Heroku and they are located in the United States. You can review Heroku's security policy here: https://www.heroku.com/policy/security
Our data store is in Google Cloud and it is located in the United States. You can review Google Cloud's security policy here: https://cloud.google.com/security/
Our client application and extension is running on your computer.
What other data does SessionBox log?
Like other applications, we are logging some non-identifying usage data. This data is handled by Google Analytics, and it doesn't contain any sensitive information and it is anonymous.
If some error happens we create crash logs. We use these crash logs to stabilize our application and proactively fix possible problems. All sensitive data is filtered from these logs at device level and no sensitive data is sent to our servers.
Where is my data stored?
SessionBox supports three types of profiles: local, synced and temporary. Each type is stored at a different place, but all of them are encrypted in a way that only the locally stored keys are able to decrypt them. Local profiles are stored in your browser's indexed db storage. Synced profiles are stored in our data store. Temporary profiles are not persisted at all.
What sensitive data does SessionBox store?
We are storing two kinds of information when you use SessionBox. We are storing metadata for your profiles which contains the following information: your profile's color, icon, launch url, group and some other technical details. In some cases we are also storing your profile's cookies. Your profile cookies are considered as extra sensitive data and handled by extra care, based on a zero-knowledge solution, meaning that no one except you can open the data stored here.
How are my sessions protected?
The extra sensitive parts of your profiles are encrypted and decrypted on your device. We never send your cookies or other extra sensitive data to our servers without encryption. The keys required to decrypt your data are available only on your device and never sent to our servers or data stores. We always use open-source cryptographic libraries and standard algorithms (AES-256 for symmetric operations and RSA 2048 bit for asymmetric operations). We never write our own cryptographic code or modify existing libraries. Our components are always communicating through secure connections.
Can SessionBox developers access my profiles?
No, they can't. Your profile cookies are encrypted and cannot be decrypted without knowing your secret key. Your secret key resides on your computer and are never sent to us. This is one of the reasons why we cannot help in case you've lost your password and have no access to a previously installed and used client any more. Without your credentials, there is no way to open your data.
What can I do to secure my profiles?
To ensure the security of your profiles, create a SessionBox account. Choose a strong password and keep your password in secret. We also suggest to enable two-factor authentication on our Account security page, to have a second line of defense. This ensures that even if your credentials are known by an attacker, your account can still not be accessed.
Are my local profiles protected?
We are using the same encryption mechanism for local profiles and synced profiles. If you log out from SessionBox, your profiles cannot be decrypted until you log in again, even if someone has direct access to your computer.