Security
Security and transparency
SupaPM is built for product teams working with company context, customer insight, and internal planning data. This page explains the controls and design choices that help teams review SupaPM before adoption.
Read-only page context
SupaPM reads the page URL, title, selected text, and surrounding page context so the side panel can answer with the right project context. It does not click buttons, submit forms, or make destructive changes inside the websites you visit.
Limited browser permissions
The extension uses Manifest V3 and active-tab access for page context. It does not request broad access to every website through an all-URLs host permission.
Local-first workspace data
Extension projects, skills, prompts, settings, and edit history are stored locally in the browser unless a feature explicitly sends data to SupaPM or a configured AI provider.
Provider choice and HTTPS defaults
Teams can choose their AI provider and configure their own API keys. Manual model endpoints must use HTTPS, with an explicit opt-in for local or private-network HTTP endpoints.
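The endpoint rule above (HTTPS required, plain HTTP only for local or private-network hosts and only with an explicit opt-in) is the kind of check a reviewer will want to see spelled out. The following is an added example written for this page, not SupaPM's own validation code; the function name `validate_endpoint`, the `allow_private_http` flag, and the test URLs are all assumptions. It decides from the URL alone and never resolves hostnames, so a public DNS name that happens to point at a private address is still rejected.

```python
"""Model endpoint URL policy check (added example, not SupaPM code).

Rule: https is always accepted; http is accepted only when the host is
loopback, link-local or RFC 1918 private AND the caller has opted in.
"""
import ipaddress
from urllib.parse import urlsplit

LOOPBACK_NAMES = {"localhost"}


def is_local_or_private_host(host: str) -> bool:
    """True for 'localhost', '*.localhost', or a literal loopback/private/link-local IP.

    Hostnames other than localhost are NOT resolved: a DNS name that resolves
    to a private address is treated as remote, which is the conservative choice.
    """
    host = host.strip("[]").lower()
    if host in LOOPBACK_NAMES or host.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local


def validate_endpoint(url: str, allow_private_http: bool = False) -> tuple[bool, str]:
    """Return (accepted, reason). 'allow_private_http' is the explicit opt-in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""          # urlsplit strips IPv6 brackets for us
    if not host:
        return False, "endpoint has no host"
    if scheme == "https":
        return True, "ok: https"
    if scheme != "http":
        return False, f"unsupported scheme {scheme!r}"
    if not is_local_or_private_host(host):
        return False, "plain http is only permitted for local or private-network hosts"
    if not allow_private_http:
        return False, "plain http to a private host requires explicit opt-in"
    return True, "ok: http to private host with opt-in"


if __name__ == "__main__":
    # Constructed URLs for demonstration only.
    for url, opt_in in [
        ("https://api.example.com/v1", False),
        ("http://api.example.com/v1", False),
        ("http://127.0.0.1:11434/v1", False),
        ("http://127.0.0.1:11434/v1", True),
        ("http://[::1]:8080/v1", True),
        ("http://8.8.8.8/v1", True),
    ]:
        print(url, opt_in, validate_endpoint(url, opt_in))
```

The opt-in is a separate argument rather than part of the URL so that a stored endpoint cannot silently carry its own permission; the caller (a settings screen, for instance) has to pass it deliberately.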
No advertising use
Browser extension context is used to provide SupaPM functionality, not for third-party advertising or cross-site behavioural tracking.
Extension posture
The SupaPM extension is designed as a side panel assistant, not a browser automation agent. It can use the active page as context, open useful links in new tabs, and update SupaPM's own local workspace documents when you ask it to. It is not designed to operate third-party web apps on your behalf or perform destructive actions on the pages you browse.
When the assistant edits SupaPM documents such as Org Knowledge, Skills, or project descriptions, those edits are tracked with visible history and restore support. That makes AI-assisted changes reviewable and reversible instead of silent.
Supply chain transparency
We publish a Software Bill of Materials for the browser extension so security and compliance teams can review the open source runtime dependencies used by SupaPM.
Browser extension SBOM
Download or inspect the machine-readable CycloneDX Software Bill of Materials for the current extension release.
What to review
- The extension manifest permissions and host permissions.
- The SBOM for runtime dependency names, versions, licences, and package URLs.
- The Privacy Policy for how SupaPM handles website, extension, account, and workspace data.
- Your organisation's configured AI provider and model endpoint choices.
These materials are intended to make review easier, not to replace your own security assessment. An SBOM is a transparency artifact, not a certification or guarantee.
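The first two review items, the manifest's permissions and host permissions and the SBOM's dependency names, versions, licences and package URLs, can be checked mechanically before a human reads the files. This added example is review tooling written for this page, not code from SupaPM; the sample manifests and the CycloneDX document inside it are constructed for illustration and say nothing about SupaPM's real dependencies. It contrasts a narrow manifest (active-tab, side panel, storage) with a broad one that requests an all-URLs host permission, and it walks a CycloneDX JSON document flagging components that lack the fields a reviewer relies on.

```python
"""Reviewer checks for a Manifest V3 extension manifest and a CycloneDX JSON SBOM.

Added example; the manifests and SBOM below are constructed, not SupaPM's own files.
"""
import json

# Match patterns whose host part is a bare wildcard grant access to every site.
BROAD_HOST_PREFIXES = ("*://*/", "http://*/", "https://*/")
# Real Chrome extension permissions a reviewer should ask the vendor to justify.
HIGH_IMPACT_PERMISSIONS = {
    "tabs", "webRequest", "cookies", "history", "debugger", "scripting",
    "declarativeNetRequest", "nativeMessaging", "clipboardRead", "downloads",
}


def is_broad_host_pattern(pattern: str) -> bool:
    """True for <all_urls> or any pattern matching every host."""
    return pattern == "<all_urls>" or pattern.startswith(BROAD_HOST_PREFIXES)


def review_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    findings = []
    if manifest.get("manifest_version") != 3:
        findings.append("manifest_version is not 3 (Manifest V3 expected)")
    hosts = list(manifest.get("host_permissions", [])) + list(manifest.get("optional_host_permissions", []))
    for pattern in hosts:
        if is_broad_host_pattern(pattern):
            findings.append(f"broad host permission: {pattern}")
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if is_broad_host_pattern(pattern):
                findings.append(f"content script injected on every site: {pattern}")
    for perm in manifest.get("permissions", []):
        if perm in HIGH_IMPACT_PERMISSIONS:
            findings.append(f"high-impact permission needs justification: {perm}")
    return findings


def _license_names(component: dict) -> list[str]:
    """CycloneDX allows {'license': {'id'|'name'}} or {'expression': ...} entries."""
    names = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            names.append(entry["expression"])
        else:
            lic = entry.get("license", {})
            names.append(lic.get("id") or lic.get("name") or "?")
    return names


def review_sbom(sbom: dict) -> tuple[list[dict], list[str]]:
    """Summarise components and flag entries missing version, purl or licence."""
    rows, findings = [], []
    if sbom.get("bomFormat") != "CycloneDX":
        findings.append("not a CycloneDX document")
    for comp in sbom.get("components", []):
        row = {
            "name": comp.get("name", "?"),
            "version": comp.get("version"),
            "licenses": _license_names(comp),
            "purl": comp.get("purl"),
        }
        rows.append(row)
        for field in ("version", "purl"):
            if not row[field]:
                findings.append(f"{row['name']}: missing {field}")
        if not row["licenses"]:
            findings.append(f"{row['name']}: no licence declared")
    return rows, findings


# Constructed samples (not SupaPM's files): a narrow manifest and a broad one for contrast.
NARROW_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "example-side-panel", "version": "1.0.0",
  "permissions": ["activeTab", "sidePanel", "storage"]
}""")
BROAD_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "example-broad", "version": "1.0.0",
  "permissions": ["tabs", "scripting", "storage"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["*://*/*"], "js": ["content.js"]}]
}""")
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "lib-alpha", "version": "2.1.0",
     "purl": "pkg:npm/lib-alpha@2.1.0", "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "lib-beta", "version": "0.9.3",
     "purl": "pkg:npm/lib-beta@0.9.3", "licenses": [{"expression": "(MIT OR Apache-2.0)"}]},
    {"type": "library", "name": "lib-gamma", "version": "1.0.0"}
  ]
}""")

if __name__ == "__main__":
    for label, manifest in (("narrow", NARROW_MANIFEST), ("broad", BROAD_MANIFEST)):
        print(label, review_manifest(manifest) or ["no findings"])
    rows, findings = review_sbom(SAMPLE_SBOM)
    for row in rows:
        print(row)
    print(findings)
```

Run it against the real `manifest.json` and SBOM by loading those files with `json.load` in place of the constructed samples. The output is a starting point for questions to the vendor, not a verdict: a permission on the high-impact list may be entirely justified, and a clean SBOM only shows what was declared, not that the declared versions are free of known issues.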
Need more information?
Contact hello@supapm.com if your organisation needs additional security, privacy, or compliance details.