Credential separation
Account login and proxy access use different secrets. Proxy credentials are random, short-lived, validated server-side, and stored only as one-way HMAC hashes — the raw proxy password is never stored.
Security model
What the gateway sees — and what it doesn’t
No guesswork for your security review. Here is exactly what data each path processes, why, and for how long — so you can approve it with confidence.
Data table
Limited technical data, plainly stated
| Data type | Why | Retention | Shared with |
|---|---|---|---|
| Account, verification, billing | While account is active | Auth / email provider | |
| Proxy session ID | Connect, revoke, abuse prevention | 30–90 days | Infrastructure providers |
| Source IP | Security, fraud prevention | 30–90 days | Security providers if used |
| Traffic volume | Limits, billing, capacity | 30 days (usage events) | Payment / accounting providers |
| Destination domain / category | Filtering, abuse prevention | 30 days (blocked events) | Local versioned category list; external vendor only if added later |
| Workspace audit events | Accountable administration | 180 days | Infrastructure providers |
| Page content | Not collected | n/a | n/a |
Abuse resistance
Free access is intentionally limited. The gateway applies rate limits, category rules, session caps, restricted ports, and blocks private/internal network ranges. Requests are signed with a device key.
Two paths, two levels of visibility
BusinessProxy has two access paths, and they don't see the same things. We state this plainly.
| Browser-proxy path (Layer 1) | Alias / reverse-proxy path (Layer 2) |
|---|---|
| Does not inspect HTTPS content | Is a Layer-7 reverse proxy |
| Sees domain and network metadata | Sees HTTP method, path and headers |
| Filtering by domain/category only | Processes L7 metadata for routing, policy, audit |
If you route an internal app through the alias path, you should know it operates at Layer 7. That's a deliberate disclosure, not a footnote.