Security

Your data is protected with industry-standard security practices.

Ultrathink is built on Google Cloud Platform with multiple layers of protection. This page details the security measures in place to protect your data.

Data encryption

All data is encrypted both at rest and in transit.

At rest: AES-256 encryption is handled automatically by Firestore. This protects against physical theft and unauthorised infrastructure access.

In transit: TLS 1.2+ secures all connections between your browser, the extension, the widget, and Firebase servers. This prevents network interception and man-in-the-middle attacks.

Firebase infrastructure

Ultrathink runs entirely on Google Cloud Platform via Firebase:

  • Firestore for document storage with automatic replication
  • Cloud Functions for serverless processing
  • Firebase Hosting for the web application
  • Firebase Storage for file uploads
  • Firebase Authentication for identity management

This stack provides geographic redundancy, automatic backups, and Google's enterprise-grade security by default. Firebase maintains SOC 1, SOC 2, and ISO 27001 certifications.

Authentication

Authentication is handled through Firebase Authentication with email and password sign-in.

When you sign in:

  • Your password is verified against a secure hash (never stored in plaintext)
  • A session token is issued and stored in your browser
  • The token is validated on every API request
  • Failed login attempts are tracked and rate-limited

Account blocking is available for platform administrators to prevent access if needed.

Email verification

New accounts must verify their email address before accessing the application.

After signing up:

  • A verification email is sent automatically
  • The app polls every 5 seconds to check verification status
  • You can request a new verification email if needed
  • Access is blocked until verification is complete

This prevents fake account creation and ensures we can contact you about your account.

Password requirements

Passwords must meet the following criteria:

  • Minimum 8 characters
  • At least one uppercase letter (A-Z)
  • At least one lowercase letter (a-z)
  • At least one number (0-9)

Additionally, passwords are checked against a list of over 100 commonly used passwords (such as "password123", "qwerty", "admin") and rejected if they match.

The signup form shows real-time strength feedback with colour-coded indicators.
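The rules above, applied in one place, as an added example that is not Ultrathink's own code. The common-password list here is a short constructed sample standing in for the list of over 100 entries the page describes, and the three strength labels are an assumption about what the colour-coded indicators map to.

```javascript
// Added example, not Ultrathink's own code: a password check that applies the
// rules listed above. The common-password list is a short constructed sample;
// the page describes the real list as over 100 entries.
const COMMON_PASSWORDS = new Set([
  'password', 'password123', 'qwerty', 'admin', '12345678', 'letmein',
  'welcome1', 'iloveyou', 'abc12345', 'monkey123',
]);

// Returns { ok, errors }. Every failed rule is reported, so the signup form
// can show all problems at once instead of one per attempt.
function validatePassword(password) {
  const pw = typeof password === 'string' ? password : '';
  const errors = [];
  if (pw.length < 8) errors.push('Minimum 8 characters');
  if (!/[A-Z]/.test(pw)) errors.push('At least one uppercase letter (A-Z)');
  if (!/[a-z]/.test(pw)) errors.push('At least one lowercase letter (a-z)');
  if (!/[0-9]/.test(pw)) errors.push('At least one number (0-9)');
  // Case-insensitive match so "Password123" is caught by the entry "password123".
  if (COMMON_PASSWORDS.has(pw.toLowerCase())) errors.push('Password is too common');
  return { ok: errors.length === 0, errors };
}

// Strength feedback for the form: counts character classes and rewards length.
// Returns 'weak', 'fair' or 'strong'; the colour mapping is left to the UI.
function passwordStrength(password) {
  const pw = typeof password === 'string' ? password : '';
  if (pw.length < 8 || COMMON_PASSWORDS.has(pw.toLowerCase())) return 'weak';
  let score = 0;
  for (const re of [/[A-Z]/, /[a-z]/, /[0-9]/, /[^A-Za-z0-9]/]) {
    if (re.test(pw)) score += 1;
  }
  if (pw.length >= 12) score += 1;
  if (pw.length >= 16) score += 1;
  return score >= 5 ? 'strong' : score >= 3 ? 'fair' : 'weak';
}
```

The common-password comparison lowercases the candidate first; otherwise a capitalised variant of a listed password would satisfy the uppercase rule and slip past the list.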

Rate limiting

Two layers of rate limiting protect against abuse.

IP-based limits (authentication):

  • Login: 10 attempts per 15 minutes, then 30-minute block
  • Signup: 5 attempts per hour, then 2-hour block
  • Password reset: 5 attempts per 15 minutes, then 30-minute block

User-based limits (API):

  • Save entry: 60 requests per minute
  • Search: 30 requests per minute
  • AI processing: 20 requests per minute
  • AI Canvas: 20 requests per minute

When rate limited, requests return HTTP 429 with a Retry-After header indicating when access will be restored.
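An added example (not Ultrathink's own code) of a limiter that applies the windows listed above and produces the HTTP 429 / Retry-After response. The policy numbers are the page's; the in-memory Map is a stand-in for the rate-limiting records that the page says only Cloud Functions can touch, and the injectable clock exists so the behaviour can be exercised without waiting.

```javascript
// Added example, not Ultrathink's own code. Policies copied from the page;
// the Map is a stand-in for Firestore records held behind the Admin SDK.
const IP_POLICIES = {
  login:         { max: 10, windowMs: 15 * 60_000, blockMs: 30 * 60_000 },
  signup:        { max: 5,  windowMs: 60 * 60_000, blockMs: 2 * 60 * 60_000 },
  passwordReset: { max: 5,  windowMs: 15 * 60_000, blockMs: 30 * 60_000 },
};
const USER_POLICIES = {
  saveEntry:    { max: 60, windowMs: 60_000 },
  search:       { max: 30, windowMs: 60_000 },
  aiProcessing: { max: 20, windowMs: 60_000 },
  aiCanvas:     { max: 20, windowMs: 60_000 },
};

// 429 response shape: Retry-After is in whole seconds, rounded up.
function deny(waitMs) {
  return { allowed: false, status: 429, headers: { 'Retry-After': String(Math.ceil(waitMs / 1000)) } };
}

class RateLimiter {
  // `now` is injectable so the window and block logic can be tested deterministically.
  constructor(policies, now = () => Date.now()) {
    this.policies = policies;
    this.now = now;
    this.records = new Map(); // key -> { windowStart, count, blockedUntil }
  }

  // subject is the client IP for auth policies or the user id for API policies.
  check(action, subject) {
    const policy = this.policies[action];
    if (!policy) throw new Error(`unknown rate-limit action: ${action}`);
    const key = `${action}:${subject}`;
    const t = this.now();
    let rec = this.records.get(key);

    // Still inside a block window: refuse without touching the counter.
    if (rec && rec.blockedUntil > t) return deny(rec.blockedUntil - t);

    // Start a fresh window if none exists, the old one expired, or a block just ended.
    if (!rec || t - rec.windowStart >= policy.windowMs || rec.blockedUntil) {
      rec = { windowStart: t, count: 0, blockedUntil: 0 };
      this.records.set(key, rec);
    }

    rec.count += 1;
    if (rec.count > policy.max) {
      // Auth policies start a block; API policies just wait for the window to roll over.
      const until = policy.blockMs ? t + policy.blockMs : rec.windowStart + policy.windowMs;
      if (policy.blockMs) rec.blockedUntil = until;
      return deny(until - t);
    }
    return { allowed: true, remaining: policy.max - rec.count };
  }
}
```

Attempts that arrive during a block do not extend it, so a client that keeps retrying is not locked out indefinitely; the block simply lasts the configured 30 minutes or 2 hours from the attempt that triggered it.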

Bot protection

reCAPTCHA v3 runs invisibly in the background during authentication.

Each action (login, signup, password reset) generates a score from 0.0 to 1.0. Requests with scores below 0.5 are rejected as likely bot activity.

Firebase App Check adds a second layer using reCAPTCHA Enterprise to validate that requests come from legitimate app instances, not automated scripts.

Session management

When you sign out, Ultrathink performs a complete cleanup:

  • Local storage is cleared
  • AI Canvas state is reset
  • Cached query data is purged
  • Firebase session is invalidated

This prevents data leakage between accounts on shared devices. The React Query cache is explicitly cleared to ensure no entries from a previous session appear to the next user.

Device key authentication

The browser extension and desktop widget use device keys instead of passwords.

How it works:

  1. Generate a device key in Settings (cryptographically random, 32 bytes)
  2. Copy it to your extension or widget (shown once, then hidden)
  3. The key is hashed with SHA-256 before any network request
  4. Cloud Functions validate the hash and map it to your user account

The full key never leaves your device. Only the hash is transmitted. Keys can be revoked from the web app at any time, immediately blocking access from that device.

Device keys are stored:

  • Extension: Chrome's encrypted local storage
  • Widget: OS-level app data directory (not synced to cloud drives)

Data access rules

Firestore security rules enforce strict access boundaries.

Your data:

  • Only you can read and write your entries
  • You cannot change the owner of an entry after creation
  • Deleting entries requires ownership verification

Organisation data:

  • Members can only read organisation details, not modify them
  • Only admins can update organisation settings or delete the org
  • Org-shared entries can be read by members but not edited

Device keys:

  • Only visible to the owner
  • Cannot be deleted, only revoked (for audit trail)
  • Hash-based lookup prevents enumeration attacks

Rate limiting data:

  • Only accessible by Cloud Functions (Admin SDK)
  • Clients cannot read or manipulate rate limit records
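The boundaries above expressed as allow/deny decisions, an added example that is a JavaScript model of what the Firestore security rules enforce, not the rules file itself. The document shapes (ownerId, visibility, orgId, members, admins, hash, revoked) are assumptions; the value of writing the decisions this way is that each bullet above becomes a test case.

```javascript
// Added example, not Ultrathink's rules file: a JavaScript model of the
// access boundaries listed above. Field names are assumptions.

// auth is null for unauthenticated requests, otherwise { uid, orgId }.
// existing is the stored document; incoming is the document being written.
function entryAllowed(op, auth, existing, incoming) {
  if (!auth) return false;
  switch (op) {
    case 'create':
      return incoming.ownerId === auth.uid;
    case 'read':
      return existing.ownerId === auth.uid ||
        (existing.visibility === 'org' && existing.orgId === auth.orgId);
    case 'update':
      // Only the owner may write, and the owner field itself is immutable.
      return existing.ownerId === auth.uid && incoming.ownerId === existing.ownerId;
    case 'delete':
      return existing.ownerId === auth.uid;
    default:
      return false;
  }
}

// org: { members: [uid, ...], admins: [uid, ...] }
function orgAllowed(op, auth, org) {
  if (!auth) return false;
  const isAdmin = org.admins.includes(auth.uid);
  const isMember = isAdmin || org.members.includes(auth.uid);
  if (op === 'read') return isMember;
  if (op === 'update' || op === 'delete') return isAdmin;
  return false;
}

// record: { ownerId, hash, revoked }
function deviceKeyAllowed(op, auth, existing, incoming) {
  if (!auth || existing.ownerId !== auth.uid) return false;
  if (op === 'read') return true;
  if (op === 'update') {
    // Revocation is the only permitted change; owner and hash stay fixed.
    return incoming.ownerId === existing.ownerId && incoming.hash === existing.hash;
  }
  return false; // delete is never allowed, which preserves the audit trail
}

// Rate-limit records: no client access at all; only the Admin SDK, which
// bypasses rules, reads or writes them.
function rateLimitAllowed() {
  return false;
}
```

The update case for entries is the one most easily got wrong in a rules file: checking the stored document's owner alone lets an owner hand an entry to another account, which is why the model compares the incoming owner field against the stored one as well.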

XSS protection

User-generated content is sanitised before rendering.

The notes field supports HTML formatting. When displaying HTML content, DOMPurify strips any potentially dangerous elements (scripts, event handlers, iframes) before rendering.

Plain text content is rendered without HTML interpretation, preventing injection even if malicious markup is pasted.

Input validation

All API inputs are validated server-side.

Length limits:

  • Title: 500 characters
  • Notes: 50,000 characters
  • Content: 50,000 characters
  • URL: 2,000 characters

Type validation:

  • Entry type must match allowed values
  • Visibility must be "private" or "org"
  • URLs are validated for correct format

Invalid requests are rejected with descriptive error messages.
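An added example (not Ultrathink's own code) of a server-side validator for a save-entry request that applies the limits and type checks above. The length limits and visibility values are the page's; the list of entry types is an assumption, since the page only says the type must match allowed values, and the error strings are illustrative.

```javascript
// Added example, not Ultrathink's own code. ENTRY_TYPES is assumed; the page
// only states that the type must match allowed values.
const LIMITS = { title: 500, notes: 50_000, content: 50_000, url: 2_000 };
const ENTRY_TYPES = new Set(['note', 'link', 'file']);
const VISIBILITIES = new Set(['private', 'org']);

// Pushes a descriptive error for a missing, non-string or over-long field.
function checkLength(errors, field, value, required = false) {
  if (value === undefined || value === null) {
    if (required) errors.push(`${field} is required`);
    return;
  }
  if (typeof value !== 'string') {
    errors.push(`${field} must be a string`);
  } else if (value.length > LIMITS[field]) {
    errors.push(`${field} exceeds ${LIMITS[field]} characters`);
  }
}

// Accepts only http(s) URLs, so a scheme such as javascript: is rejected at
// the API boundary rather than relying on the client to refuse it later.
function isValidUrl(value) {
  try {
    const u = new URL(value);
    return u.protocol === 'http:' || u.protocol === 'https:';
  } catch {
    return false;
  }
}

// Returns { ok, errors }. Messages say which rule failed but never echo the
// rejected value, so the error body cannot carry a reflected payload.
function validateEntry(input) {
  if (!input || typeof input !== 'object' || Array.isArray(input)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const errors = [];
  checkLength(errors, 'title', input.title, true);
  checkLength(errors, 'notes', input.notes);
  checkLength(errors, 'content', input.content);
  checkLength(errors, 'url', input.url);

  if (!ENTRY_TYPES.has(input.type)) {
    errors.push('type must be one of: ' + [...ENTRY_TYPES].join(', '));
  }
  if (!VISIBILITIES.has(input.visibility)) {
    errors.push('visibility must be "private" or "org"');
  }
  if (typeof input.url === 'string' && input.url.length <= LIMITS.url && !isValidUrl(input.url)) {
    errors.push('url must be a valid http(s) URL');
  }
  return { ok: errors.length === 0, errors };
}
```

Length is checked before the URL parser runs, so an oversized value is rejected by the cheap check and never reaches the parser.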

CORS policy

Cross-origin requests are restricted to known sources:

  • Production domains (tryultrathink.com)
  • Firebase hosting domains
  • Development localhost ports
  • Browser extensions (chrome-extension://, moz-extension://)

Requests from unknown origins are blocked.

Payment security

Stripe handles all payment processing. Ultrathink never sees or stores card details.

Protections:

  • Firebase Auth token required for all Stripe endpoints
  • Stripe secret keys stored in Firebase Secret Manager
  • Webhook signatures verified to prevent spoofing
  • Customer metadata tracks organisation for audit

Privacy controls

Your data is yours:

  • No advertising or data resale
  • Entries are private by default
  • Organisation sharing is opt-in per entry

You control visibility: keep entries private or share with your organisation members.

Admin oversight

Platform administrators have access to:

  • User activity monitoring (entry counts, last active)
  • Account blocking with reason logging
  • Feedback review and management
  • Usage analytics across organisations

Blocked users are automatically signed out and cannot sign back in until unblocked.

Questions

For security-related questions or to report a vulnerability, contact chris@tryultrathink.com.