Security

Last Updated: May 8, 2026

Security is a core part of how monodit is designed and operated. This page provides a high-level overview of our current security model and operational safeguards.

If you believe you have found a security issue, contact support@monodit.com.

1. Security Principles

monodit is built around a few core principles:

  • Limit trust by default
  • Isolate user-provided code
  • Reduce unnecessary data collection
  • Protect sensitive credentials
  • Restrict access to production systems and data
  • Log important security-relevant events

2. Sandboxed Custom Code

Custom widgets and dynamic themes are designed to run in sandboxed iframe environments with restricted permissions.

At a high level, this means:

  • User-provided widget and theme code does not run with the same privileges as the main application
  • Access to the parent document, browser cookies, and local storage is restricted by the sandbox model
  • Communication between sandboxed code and the host application is mediated through a controlled bridge API

This isolation model is a core part of the platform's design to reduce the risk of custom code affecting the rest of the application.
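
As an added illustration of the model described above (not monodit's own code), the sketch below shows a host-side bridge that accepts messages only from the expected sandboxed frame and dispatches only allowlisted methods, plus a check for sandbox tokens that would weaken the isolation. The names createBridge and riskySandboxTokens, the message shape, and the method names are assumptions made for the example.

```javascript
// Added example; all names and the message shape are hypothetical.

// Sandbox tokens that would weaken the isolation described above.
const RISKY_TOKENS = new Set([
  "allow-same-origin", // with allow-scripts, the frame regains its origin's cookies and storage
  "allow-top-navigation",
  "allow-popups-to-escape-sandbox",
]);

function riskySandboxTokens(sandboxAttr) {
  return sandboxAttr.split(/\s+/).filter((t) => RISKY_TOKENS.has(t));
}

// Host-side bridge: allowlisted methods only, from the expected frame only.
function createBridge(frameWindow, handlers) {
  // A Map avoids inherited keys such as "constructor" resolving to a handler.
  const allowed = new Map(Object.entries(handlers));
  return function onMessage(event) {
    // A sandboxed frame without allow-same-origin has an opaque origin that
    // serializes as the string "null", so the source window is pinned as well.
    if (event.source !== frameWindow || event.origin !== "null") {
      return { ok: false, error: "untrusted-sender" };
    }
    const msg = event.data;
    if (msg === null || typeof msg !== "object" ||
        typeof msg.id !== "number" || typeof msg.method !== "string") {
      return { ok: false, error: "malformed" };
    }
    const handler = allowed.get(msg.method);
    if (!handler) {
      return { ok: false, id: msg.id, error: "method-not-allowed" };
    }
    try {
      return { ok: true, id: msg.id, result: handler(msg.params) };
    } catch (e) {
      return { ok: false, id: msg.id, error: "handler-failed" };
    }
  };
}

// Constructed sample: a stand-in frame window and two bridge methods.
const widgetFrame = { name: "widget" };
const bridge = createBridge(widgetFrame, {
  getTheme: () => "dark",
  setTitle: (p) => String(p && p.title).slice(0, 80),
});
```

In a browser, the host would register onMessage as a window "message" listener and send the returned object back with frameWindow.postMessage(reply, "*"), since an opaque-origin frame cannot be addressed by a specific target origin.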

3. Authentication and Account Security

monodit supports multiple authentication methods, which may include:

  • Password-based sign-in
  • Magic link sign-in
  • Third-party OAuth providers such as Google and GitHub

The platform may also support additional account security features such as two-factor authentication and session management.

Users are responsible for maintaining the confidentiality of their account credentials and for promptly reporting suspected account compromise.

4. Credential Protection

Sensitive credentials are handled with security controls appropriate to their role.

Examples include:

  • Passwords are not intended to be stored in plain text
  • AI provider API keys are stored encrypted at rest
  • Access to secrets and operational credentials is restricted to the extent reasonably necessary for service operation

5. Infrastructure and Service Providers

monodit uses third-party infrastructure and platform providers to operate the Service. Depending on the feature, those providers may include:

  • Cloudflare
  • Authentication and identity providers
  • Email delivery providers
  • Billing providers such as Lemon Squeezy
  • AI providers selected by the user

We use commercially reasonable efforts to choose providers and architectures that support secure service delivery, but no third-party provider can eliminate all risk.

6. Logging, Monitoring, and Abuse Prevention

We maintain logs and operational telemetry to support:

  • Service reliability
  • Security monitoring
  • Abuse detection
  • Incident investigation
  • Performance debugging

We aim to collect only the data reasonably necessary for those purposes and to retain it only for limited periods, as described in our Privacy Policy.

7. Data Protection Measures

Depending on the type of data and system involved, our safeguards may include:

  • Access controls
  • Encrypted transport over HTTPS
  • Encryption for selected sensitive stored credentials
  • Environment-based secret management
  • Service-side validation and authorization checks
  • Segregation between public interfaces and privileged backend operations

8. AI Features

If you use AI-related features:

  • Your requests may be routed to third-party AI providers you configure or select
  • Those providers operate under their own security and privacy practices
  • monodit stores AI provider API keys in encrypted form at rest
  • monodit does not intend to store prompts or generated outputs as part of normal server-side AI request retention

Users should avoid submitting highly sensitive information to third-party AI providers unless they have independently determined that the provider is appropriate for their use case.

9. Shared and Public Content Risks

Some features may allow you to upload, sync, export, or publicly submit content.

You should assume that:

  • Content you submit to public features may become visible to others
  • Content you place in your own workspace remains your responsibility
  • You should not upload secrets, credentials, or sensitive regulated data unless you have evaluated the risks and appropriateness of doing so

10. Limitations

No service can guarantee perfect security.

While we work to protect the Service and user data using reasonable technical and organizational measures, no method of transmission, storage, or software operation is completely secure. Security also depends in part on user behavior, third-party providers, and the broader internet environment.

11. Reporting Security Issues

If you discover a vulnerability or believe your account or the Service has been compromised, contact support@monodit.com with as much detail as possible.

Please do not publicly disclose security issues before giving us a reasonable opportunity to investigate and respond.