Last Updated: January 2025

Current State

Architecture

ContextFort currently operates with a local-first architecture:
  • Local storage only - no cloud infrastructure
  • No data transmission - all data stays on the user’s device
  • No third-party services - except optional PostHog analytics
  • Chrome Extension - Manifest V3 compliant

Compliance Status

Standard   | Status          | Notes
GDPR       | ✅ Compliant    | No data processing, local storage only
CCPA       | ✅ Compliant    | No sale of personal information
SOC2       | 🔄 Not Required | No cloud services or data transmission
ISO 27001  | 📅 Planned      | Q3 2025 for enterprise features
HIPAA      | ✅ Compliant    | No PHI transmission, local storage only
PCI DSS    | ✅ N/A          | No payment processing

Phase 1: Current (Q1 2025)

Local Extension Only

  • Chrome Extension with local storage
  • No backend servers
  • No data transmission
  • Optional analytics (PostHog)

Phase 2: Enterprise Dashboard (Q2-Q3 2025)

Planned Architecture

New Components Coming:
  • Centralized dashboard for security teams
  • Cloud storage for aggregated session data
  • Admin console for policy management
  • Multi-tenant infrastructure

Required Compliance

SOC2 Type 2

Scope:
  • Security controls
  • Availability controls
  • Confidentiality controls
Requirements:
  • Access controls and authentication
  • Encryption in transit (HTTPS/TLS)
  • Encryption at rest
  • Audit logging
  • Incident response plan
  • Vendor management
  • Third-party CPA audit
Timeline:
  • Q2 2025: Begin implementation
  • Q3 2025: Audit and certification

ISO 27001

Scope:
  • Information security management system
  • Risk assessment
  • Security controls
Requirements:
  • ISMS documentation
  • Risk assessment process
  • Security policies
  • Asset management
  • Access control
  • Cryptography
  • Physical security
  • Operations security
  • Supplier relationships
Timeline:
  • Q2 2025: Gap analysis
  • Q3 2025: Implementation
  • Q4 2025: Certification audit

Phase 3: Full Compliance (Q4 2025)

Additional Standards

  • DPA (Data Processing Agreement) for enterprise
  • DPIA (Data Protection Impact Assessment)
  • Data transfer mechanisms (if EU customers)
  • Right to erasure implementation
  • Data portability features

Compliance Features

Current Features

Local Storage

All data stays on the user’s device; no transmission is required

Chrome Encryption

Chrome’s built-in encryption protects data at rest

Optional Analytics

PostHog can be disabled with a one-line configuration change

Open Source

Full code review available for transparency

Planned Features (Q2-Q3 2025)

  • TLS 1.3 for all communications
  • Certificate pinning
  • Perfect forward secrecy
  • AES-256 encryption for cloud storage
  • Key management system
  • Separate encryption keys per tenant
  • Role-based access control (RBAC)
  • Multi-factor authentication
  • Single sign-on (SSO) support
  • Audit logging
  • Configurable retention policies
  • Automatic data deletion
  • Backup and recovery
  • Centralized logging
  • Security event monitoring
  • Anomaly detection
  • Audit trails

Risk Assessment

Current Risks

Risk                      | Severity | Mitigation
Screenshots contain PII   | Medium   | Local storage only, user controlled
No centralized monitoring | Low      | Design choice, enterprise phase will address
Optional analytics        | Low      | Can be disabled, no PII transmitted

Future Risks (Enterprise Phase)

Planned Mitigation for Enterprise Features:
Risk                 | Severity | Mitigation Plan
Data breaches        | High     | SOC2, encryption, access controls
Insider threats      | Medium   | RBAC, audit logging, least privilege
Service availability | Medium   | SLA, redundancy, backup

Third Party Audits

Current

Chrome Web Store

Security review pending

GitHub Dependabot

Automated vulnerability scanning

Community Review

Open source code audit

Planned (Enterprise Phase)

1. SOC2 CPA Audit - Q3 2025 - Independent audit for security controls
2. ISO 27001 Certification - Q4 2025 - Information security management certification
3. Penetration Testing - Quarterly - Third-party security testing
4. Security Code Review - Annually - Independent code security audit

Vendor Management

Current Vendors

Vendor  | Service              | Data Access      | Compliance
PostHog | Analytics (optional) | Event names only | SOC2, GDPR
GitHub  | Code hosting         | Source code only | SOC2, ISO 27001

Future Vendors (Enterprise Phase)

All enterprise vendors will be required to maintain:
  • SOC2 Type 2 certification
  • ISO 27001 certification
  • GDPR compliance
  • Regular security audits
Planned Vendors:
  • Cloud provider (AWS/GCP/Azure) - SOC2, ISO 27001, PCI DSS
  • CDN provider - SOC2, ISO 27001
  • Email service - SOC2, GDPR

Enterprise Compliance Support

For enterprise customers, we can provide:

Custom Documentation

Tailored compliance documentation for your organization

Security Questionnaires

Responses to vendor security assessments

Vendor Assessment

Support for your vendor evaluation process

Security Consultation

Direct access to security team

Contact

For compliance questions:
