Security
1. Zero-Server Architecture
AI Supreme Council is designed with a fundamentally different security model than traditional SaaS applications. There is no backend server processing your conversations. The entire application runs in your browser.
- No conversation relay: Your messages are sent directly from your browser to each AI provider's API (Anthropic, OpenAI, xAI, Google, etc.). Our servers never see, process, or store the content of your conversations.
- No server-side storage: We do not operate databases containing user conversations, bot configurations, or chat histories. All of this lives in your browser.
- Static hosting: Our web application is served as static files from Cloudflare Pages. There is no application server, no API backend, and no database to breach.
2. Browser-Side Storage
All user data is stored locally in your browser using standard web storage APIs:
| Storage | Data | Purpose |
|---|---|---|
| localStorage | Theme, API keys, user session | Sync reads at boot |
| IndexedDB | Bots, chat histories, addons | Large data, no size limit |
| OPFS (optional) | WASM modules, large binary data | Concurrent access, SQLite |
This data never leaves your device unless you explicitly export it or share a bot via URL. Clearing your browser data removes all application data permanently.
3. API Key Handling
Your API keys are the most sensitive data in the application. Here is how they are handled:
- Storage: API keys are stored in your browser's localStorage under keys like
ais-apikey-anthropic,ais-apikey-openai, etc. They are never sent to our servers. - Transmission: Keys are sent directly from your browser to the AI provider's API endpoint over HTTPS. The connection is between your browser and the provider — we are not in the path.
- URL safety: API keys are never included in bot sharing URLs. The URL encoding system explicitly excludes keys from the shareable configuration.
- No logging: We do not log, intercept, or have any mechanism to access your API keys.
Recommendation: Use provider-specific API keys with the minimum required permissions. If you suspect a key has been compromised, revoke it immediately through the provider's dashboard.
4. Encryption in Transit
- All connections to aiscouncil.com and bcz.co use HTTPS with TLS 1.2+ encryption
- HSTS (HTTP Strict Transport Security) is enabled to prevent downgrade attacks
- All connections from your browser to AI provider APIs use HTTPS
- URL fragments (the
#portion used for bot sharing) are never sent to servers by browsers — this is a fundamental property of how URLs work
5. Payment Security
We do not handle payment card data directly. All payment processing is delegated to trusted, certified processors:
- Stripe: PCI DSS Level 1 compliant. Card numbers and payment details are collected and processed entirely by Stripe's infrastructure.
- PayPal: PCI DSS Level 1 compliant. Payment is handled through PayPal's secure payment flow.
We receive only a payment confirmation token and subscription status. We never see, store, or process your credit card number, CVV, or banking details.
6. Authentication
We use industry-standard OAuth 2.0 and OpenID Connect (OIDC) protocols for authentication:
| Provider | Protocol |
|---|---|
| OAuth 2.0 / OIDC | |
| Apple | Sign in with Apple (OIDC) |
| GitHub | OAuth 2.0 |
| OAuth 2.0 | |
| OAuth 2.0 |
- Session tokens: JWT (JSON Web Tokens) signed with HS256, with a 24-hour expiry
- No password storage: We never receive, store, or manage passwords. Authentication is fully delegated to identity providers.
- Guest mode: Available for users who prefer not to authenticate. Guest mode provides access to core features without any account data.
7. Infrastructure
- Hosting: Cloudflare Pages — a static hosting platform with no server-side code execution
- DDoS protection: Cloudflare's enterprise-grade DDoS mitigation is active by default
- WAF: Cloudflare's Web Application Firewall protects against common web attacks
- DNS: Cloudflare DNS with DNSSEC enabled
- CDN: Global content delivery via Cloudflare's 300+ data center network
8. What We Do Not Do
- No analytics services (no Google Analytics, no Mixpanel, no Amplitude)
- No tracking pixels or advertising beacons
- No cross-site tracking cookies
- No fingerprinting or device identification
- No server-side logging of user activity beyond standard Cloudflare CDN access logs
- No data sales or sharing with advertisers
9. Vulnerability Reporting
We take security seriously and appreciate responsible disclosure. If you discover a security vulnerability in AI Supreme Council, please report it to:
Email: [email protected]
What to Include
- Description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Any proof-of-concept code or screenshots
Our Commitment
- We will acknowledge receipt within 24 hours
- We will provide an initial assessment within 72 hours
- We will work with you to understand and resolve the issue
- We will credit you in our security acknowledgments (unless you prefer to remain anonymous)
- We will not take legal action against researchers acting in good faith
Scope
The following are in scope for security reports:
- aiscouncil.com and all subdomains
- bcz.co and all subdomains
- The browser application (index.html, s/index.html)
- The Chrome extension
- Community-maintained code at github.com/aiscouncil
Third-party services (Anthropic, OpenAI, xAI, Google, etc.) are out of scope. Please report vulnerabilities in those services directly to the respective provider.
10. Security Updates
Since AI Supreme Council is a browser application served from a CDN, security updates are deployed instantly — every page load gets the latest version. There are no update mechanisms to manage, no patches to install, and no version fragmentation.