How we protect your account, your videos, and your payments
EditBuddy is built on the principle that your data is yours. Your project files stay on your machine. The pieces that do touch our servers are protected by industry-standard practices and continuously monitored.
External scan results
We publish third-party scan results from independent security tools. These are run on the live production site and updated periodically.
Anyone can re-run these against editbuddy.app at any time.
Your data, in plain English
A short version of how EditBuddy treats your data. The full details are in the Privacy Policy.
✓ Your project files stay local
Original video, audio, and Premiere project files never leave your machine. The extension reads and writes the timeline directly inside Premiere.
✓ Minimum data for AI features
When you opt into AI features (transcription, B-roll prompts, retake detection), only the smallest required data is sent — compressed audio, transcript text, low-resolution frames — over encrypted connections.
✓ No card data on our servers
Paddle is the merchant of record. Your card details go directly to Paddle and are never stored, processed, or visible on our infrastructure.
✓ Right to export & delete
Email privacy@editbuddy.app to request export or deletion of your account data.
Account & authentication
Sign-in is handled by Supabase Auth over OAuth 2.0 and OpenID Connect (OIDC), the same standards Google, Microsoft, and GitHub use for their own sign-in flows.
✓ No password storage
You sign in with Google (OAuth) or a one-time email link. We never see, store, or hash a password, because there isn't one to leak. It also means your EditBuddy account is only as strong as the Google account or mailbox it is tied to, so protect those with two-factor authentication.
✓ Bot protection
Cloudflare Turnstile challenges every sign-in attempt and every public form, so automated sign-in floods, fake-account creation, and free-tier abuse are stopped before a request does any real work on our side.
✓ Hardened session cookies
Session cookies carry the __Host- prefix and are HttpOnly, Secure, and SameSite=Lax. HttpOnly keeps them out of reach of JavaScript, Secure keeps them off plain HTTP, and the __Host- prefix (which forbids a Domain attribute and pins Path=/) means a compromised subdomain cannot plant or overwrite them.
✓ Per-user rate limits
Every authenticated endpoint is rate-limited per user and per IP address, so abuse from one account or one address is throttled without degrading the service for everyone else.
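As an added example (not EditBuddy's own code), this is what a per-user-and-per-IP limit looks like when the two budgets are tracked together: a request is admitted only if both the user's and the address's fixed window have room, so one abusive account or one noisy address is cut off on its own. The limits, window, user names, and the 203.0.113.7 address in the walk-through are constructed for the demo.

```javascript
// Added example, not EditBuddy's code: one limiter that keeps a fixed-window
// counter per user ID and per client IP, and admits a request only when both
// budgets have room, so a single abusive account or address is cut off
// without touching anyone else.
class DualKeyRateLimiter {
  constructor({ perUser, perIp, windowMs }) {
    this.limits = { user: perUser, ip: perIp };
    this.windowMs = windowMs;
    this.buckets = new Map(); // key -> { count, resetAt }
  }

  // Current counter for a key, rolling the window over once it has expired.
  _bucket(key, now) {
    let b = this.buckets.get(key);
    if (!b || now >= b.resetAt) {
      b = { count: 0, resetAt: now + this.windowMs };
      this.buckets.set(key, b);
    }
    return b;
  }

  // Check both keys first and only then charge them, so a request refused on
  // one dimension does not burn the other dimension's budget.
  check({ userId, ip, now = Date.now() }) {
    const user = this._bucket(`user:${userId}`, now);
    const addr = this._bucket(`ip:${ip}`, now);
    if (user.count >= this.limits.user) {
      return { allowed: false, limitedBy: 'user', retryAfterMs: user.resetAt - now };
    }
    if (addr.count >= this.limits.ip) {
      return { allowed: false, limitedBy: 'ip', retryAfterMs: addr.resetAt - now };
    }
    user.count += 1;
    addr.count += 1;
    return {
      allowed: true,
      remaining: { user: this.limits.user - user.count, ip: this.limits.ip - addr.count },
    };
  }
}

// Constructed walk-through (not real traffic): two users behind one address.
// alice exhausts her own budget; bob then exhausts the shared address budget;
// the next window lets bob through again.
function demo() {
  const rl = new DualKeyRateLimiter({ perUser: 3, perIp: 5, windowMs: 60_000 });
  const t0 = 1_700_000_000_000;
  const log = [];
  for (let i = 0; i < 4; i++) log.push(rl.check({ userId: 'alice', ip: '203.0.113.7', now: t0 + i }));
  for (let i = 0; i < 3; i++) log.push(rl.check({ userId: 'bob', ip: '203.0.113.7', now: t0 + 10 + i }));
  log.push(rl.check({ userId: 'bob', ip: '203.0.113.7', now: t0 + 60_010 })); // both windows have rolled over
  return log.map((r) => (r.allowed ? 'ok' : `blocked:${r.limitedBy}`));
}
```

Returning `retryAfterMs` lets the caller emit a `Retry-After` header on the 429 instead of leaving well-behaved clients to guess.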
Network & transport
✓ HTTPS-only with HSTS preload
All traffic is served over TLS 1.3. The Strict-Transport-Security header sets a two-year max-age with includeSubDomains and preload; once a browser has seen it (or ships editbuddy.app in its built-in preload list), it refuses to connect over plain HTTP, even on a first visit.
✓ Strict security headers
X-Frame-Options: DENY, Cross-Origin-Opener-Policy: same-origin, Cross-Origin-Resource-Policy: same-site, a locked-down Permissions-Policy, and a Content Security Policy in report-only (monitored) mode: violations are reported to us but not yet blocked.
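The cookie and header claims above are the kind of thing anyone can check against a live response. The audit below is an added example (not EditBuddy's code): it parses a `Set-Cookie` line against the rules a `__Host-` cookie must satisfy, checks the HSTS header against the preload-list requirements, confirms the isolation headers, and flags a report-only CSP as a caveat rather than a pass. The sample response headers and the `__Host-session` cookie value are constructed for the demo, not captured from editbuddy.app.

```javascript
// Added example, not EditBuddy's code: audit a response's cookie and
// transport/isolation headers against the bar described on this page.

// Parse one Set-Cookie string into its name, value and lower-cased attributes.
function parseSetCookie(setCookie) {
  const [pair, ...rest] = setCookie.split(';');
  const eq = pair.indexOf('=');
  const name = eq < 0 ? pair.trim() : pair.slice(0, eq).trim();
  const value = eq < 0 ? '' : pair.slice(eq + 1).trim();
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf('=');
    const k = (i < 0 ? a : a.slice(0, i)).trim().toLowerCase();
    if (!k) continue;
    attrs[k] = i < 0 ? true : a.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// __Host- rules (browsers reject the cookie otherwise): Secure, no Domain,
// Path=/. On top of that a session cookie should be HttpOnly with SameSite.
function checkSessionCookie(setCookie) {
  const { name, attrs } = parseSetCookie(setCookie);
  const problems = [];
  if (!name.startsWith('__Host-')) problems.push('missing __Host- prefix');
  if (attrs.secure !== true) problems.push('missing Secure');
  if ('domain' in attrs) problems.push('Domain attribute present (a subdomain could override the cookie)');
  if (attrs.path !== '/') problems.push('Path must be /');
  if (attrs.httponly !== true) problems.push('missing HttpOnly');
  const ss = String(attrs.samesite || '').toLowerCase();
  if (ss !== 'lax' && ss !== 'strict') problems.push('SameSite must be Lax or Strict');
  return problems;
}

// Preload-list requirements: max-age of at least one year, includeSubDomains, preload.
const ONE_YEAR_SECONDS = 31536000;
function checkHsts(value) {
  if (!value) return ['Strict-Transport-Security header missing'];
  const directives = {};
  for (const d of value.split(';')) {
    const [k, v] = d.split('=').map((s) => s.trim());
    if (k) directives[k.toLowerCase()] = v === undefined ? true : v;
  }
  const problems = [];
  const maxAge = Number(directives['max-age']);
  if (!Number.isFinite(maxAge) || maxAge < ONE_YEAR_SECONDS) problems.push('max-age below one year');
  if (directives.includesubdomains !== true) problems.push('missing includeSubDomains');
  if (directives.preload !== true) problems.push('missing preload');
  return problems;
}

// headers: plain object of header name -> value (Set-Cookie may be an array).
function auditResponseHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const findings = [];
  for (const p of checkHsts(h['strict-transport-security'])) findings.push(`hsts: ${p}`);
  const expected = {
    'x-frame-options': 'DENY',
    'cross-origin-opener-policy': 'same-origin',
    'cross-origin-resource-policy': 'same-site',
  };
  for (const [name, want] of Object.entries(expected)) {
    const got = h[name];
    if (!got) findings.push(`${name}: missing`);
    else if (String(got).toLowerCase() !== want.toLowerCase()) findings.push(`${name}: expected ${want}, got ${got}`);
  }
  if (!h['permissions-policy']) findings.push('permissions-policy: missing');
  // A report-only CSP observes violations but blocks nothing, so it is a caveat, not a pass.
  if (!h['content-security-policy']) {
    findings.push(h['content-security-policy-report-only'] ? 'csp: report-only (monitored, not enforced)' : 'csp: missing');
  }
  for (const c of [].concat(h['set-cookie'] || [])) {
    for (const p of checkSessionCookie(c)) findings.push(`cookie ${parseSetCookie(c).name}: ${p}`);
  }
  return findings;
}

// Constructed sample response (not captured from editbuddy.app).
const SAMPLE_HEADERS = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'X-Frame-Options': 'DENY',
  'Cross-Origin-Opener-Policy': 'same-origin',
  'Cross-Origin-Resource-Policy': 'same-site',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
  'Content-Security-Policy-Report-Only': "default-src 'self'; report-uri /csp-report",
  'Set-Cookie': ['__Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax'],
};
```

Run it over the headers from `fetch('https://editbuddy.app', { redirect: 'manual' })` (or a curl dump) and the only finding on a response matching this page should be the report-only CSP note.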
✓ Encrypted at rest
Database, backups, and the webhook event log are encrypted at rest by our hosting providers (Vercel, Supabase) using AES-256. At-rest encryption protects the providers' storage media; it does not stand in for access control on the live database.
✓ Webhook signature verification
Every webhook from Paddle is verified against Paddle's signing key before it is processed. Each event ID is then claimed atomically in the database, so a replayed or duplicate delivery is ignored rather than processed twice.
How we develop & ship
Security is part of the build process, not an afterthought.
Report a vulnerability
Found something? We want to hear.
If you believe you've found a security vulnerability in EditBuddy, please email security@editbuddy.app with details. We'll respond within 48 hours and work with you on a fix.
Please don't publicly disclose until we've had a chance to address it. We don't currently run a paid bug bounty, but we credit reporters who help us.
Our full disclosure policy is at /.well-known/security.txt.
Sub-processors
Companies that process EditBuddy customer data on our behalf.
Vercel
Web hosting, edge network, environment variables.
Supabase
Authentication, Postgres database, JWT issuance.
Paddle
Payment processing, merchant of record, tax handling.
Cloudflare
Turnstile bot protection on sign-in and public forms.
Sentry
Browser and server error monitoring (PII stripped).
Plausible
Privacy-friendly analytics. No cookies, no personal identifiers.
OpenAI · Anthropic · Google
AI model providers used for opt-in features. Data sent is the minimum needed.
Deepgram
Hosted speech-to-text when local Whisper isn't available.
Pexels · Pixabay
Royalty-free B-roll search. Only the search query is sent.