Security

DocQA is built with security as a first-class concern. The widget code is fully open source and auditable by anyone.

Open Source Transparency

License: Apache 2.0 — commercial-friendly; free to use, modify, and distribute
Source code: github.com/sutaiyi/docqa-chat-widget
Every line of code is publicly reviewable — no obfuscation, no hidden logic

The widget runs inside the browser's Shadow DOM, fully isolated from the host page:

Cannot access host DOM — the widget cannot read or modify your page content
Cannot access cookies — the widget cannot read the host page's cookies
Cannot access storage — the widget cannot access localStorage or sessionStorage
Style isolation — widget styles do not affect the host page, and vice versa

This means that even though the widget script is loaded on your page, it cannot access any sensitive data on the host page.

All conversation data is stored in the user's browser IndexedDB
The backend stores no conversation data — the server only handles real-time requests and does not persist chat history
Conversations are deleted when the user clears browser data
Zero data breach risk: there is no conversation data on the server to leak

The widget contains zero third-party tracking scripts (no Google Analytics, no Facebook Pixel, etc.)
No user fingerprinting
No data sent to any third-party service

Security Feature	Description
Open Source	Apache 2.0; anyone can audit the code
Shadow DOM	Script isolation; cannot access host page data
Local Storage	Conversations stored only in browser IndexedDB
Domain Whitelist	Prevents unauthorized usage
No Tracking	Zero third-party tracking scripts

Found a security issue?

If you discover a vulnerability, please report it via GitHub Issues.