Security

Last updated: May 14, 2026

You hand FixFirstly a few things worth protecting: your customers' words, and — if you use the reproduction agent — credentials for a test user inside your own app. This page is a plain summary of how we keep that surface small. It is not a compliance attestation. It is the working approach behind the product.

The Bug Reproduction Agent

The agent is the most security-sensitive thing we ship, because it logs into your app on your behalf. We designed the constraints first and the capabilities second.

Credentials and secrets

Test account credentials and any access tokens you connect are encrypted before they are stored. They are decrypted only at the moment a job needs them, and they never appear in application logs, session replays, error reports, or support tickets. You can rotate or revoke any credential from settings at any time, and revocation takes effect on the next run.

Data isolation

Each workspace's data is isolated at the storage layer, not just in application code. Queries can only return data belonging to the authenticated workspace. There is no internal “view all customer data” admin interface. When we need to debug a specific issue, we ask you first.

Authentication

Sign-in is handled through trusted OAuth providers. No password ever lives in our database, and we do not roll our own crypto. Sessions are scoped to the workspace they were issued for.

Data in transit and at rest

All traffic is encrypted in transit using modern TLS. Data and backups are encrypted at rest with standard symmetric encryption. There is no unencrypted hop at any point between you, our servers, and storage.

Third-party processors

FixFirstly is built on a small set of established cloud providers for hosting, authentication, payments, email, and the AI components that power classification, clustering, and the reproduction agent. Each provider only receives the slice of data it needs to do its job, and we choose vendors with their own mature security posture. A current list is available on request.

What we don't have yet

FixFirstly is run by a small team. We do not currently hold formal compliance certifications such as SOC 2, ISO 27001, or HIPAA. If your organization requires any of those today, we are likely not the right fit yet. We follow widely accepted secure-development practices internally, but we would rather tell you what we don't have than imply otherwise.

Account deletion and data portability

Email hello@fixfirstly.com to request deletion. We process deletions within 30 days. Your messages and clusters are also available for export through your workspace, so you can take your data with you whenever you want.

Reporting a vulnerability

If you think you've found a security issue, email hello@fixfirstly.com with the subject line “Security report”. We will acknowledge your message and work with you on a fix. Please give us a reasonable window to ship the fix before sharing the issue publicly.

Questions

Anything unclear or missing here — write to hello@fixfirstly.com and we will answer directly.