Security

How Veridex protects your data and provides transparent, privacy-first phishing risk analysis.

Last Updated: February 2026 · Applies to: Veridex extension v1.9.1.0 and later

1. Security Overview

Veridex is a Chrome browser extension that provides phishing risk indicators and analysis results for Gmail and Outlook Web only (mail.google.com, outlook.office.com, outlook.live.com). It does not run on or access any other websites. It is designed to help you make informed decisions about suspicious emails.

What Veridex Is

  • Advisory-only: Veridex provides guidance and risk indicators—it does not block, quarantine, delete, or prevent any user actions
  • Two protection levels: Basic Protection runs entirely on-device (instant threat checks, no email content transmitted). Smart AI Auto-Protection is opt-in (default off) in the extension's Protect tab; when enabled, opened emails may be securely transmitted for AI threat detection to show the toolbar badge.
  • Risk indicator: The toolbar green/yellow/red badge uses backend AI only if you have opted in to Smart AI Auto-Protection; otherwise the badge is based on local checks only. Red (high risk) is shown only when Tier-1 deception indicators fire (e.g. reply-to mismatch, link masking, suspicious attachments). When no Tier-1 indicator fires, a separate layer of soft scam signals can show yellow (medium risk) for patterns such as certified check plus third-party pickup; this layer never sets red. Manual "Analyze with Veridex" is always user-initiated and sends content only when you click it.
  • Deeper analysis: The "Analyze" feature sends email content to our backend only when you click it; results are shown in the popup
  • Privacy-first: Email content is never stored locally or in our backend; it is processed in memory and discarded. All extension code is bundled in the package—we do not load or execute code from the internet (no remote scripts)

What Veridex Is Not

  • Not an enforcement tool: Veridex cannot and does not block emails, prevent clicks, or quarantine messages
  • Not a guarantee: No detection system can identify all threats—Veridex provides indicators, not certainties
  • Not a replacement for caution: Users must still exercise judgment, especially for sensitive actions like financial transactions

Important: Veridex helps inform your decisions, but the final decision is always yours. Always verify sensitive requests through known, trusted channels.

2. System Architecture & Data Flow

Veridex uses a layered architecture designed to maximize privacy while providing effective phishing detection.

Extension Components

1. Content Script: Runs only on Gmail and Outlook Web pages to extract email content for the toolbar indicator and for manual analysis
2. Background/Service Worker: Coordinates analysis, manages state, and handles communication
3. Popup UI: Displays risk indicators and analysis results to the user

Analysis Flow

1. Email Extraction: Content script extracts email content (subject, body, sender, recipients, URLs, attachment metadata) from the email client DOM
2. Local Signal Detection: Tier-1 hard flags (reply-to mismatch, link masking, URL obfuscation, suspicious attachments) and Tier-1 soft scam signals (marketplace/payment/pickup patterns) plus Tier-2 (contextual signals) run entirely client-side. All text used for heuristics is kept in memory only and is never stored or logged.
3. Risk Assessment: Only Tier-1 hard flags can produce HIGH (red). Tier-1 soft scam signals can produce MEDIUM (yellow) when multiple pattern families are present; they never set HIGH. Tier-2 signals inform LOW/MEDIUM decisions. When AI is unavailable, soft scam MEDIUM can still drive the badge to yellow.
4. Backend Analysis (toolbar & manual): If you have enabled Smart AI Auto-Protection in the Protect tab, a truncated copy of opened emails may be sent for the toolbar badge. When you click "Analyze with Veridex," the extracted email is sent to the backend. The backend uses a secure proxy for optional AI/LLM analysis and returns structured results; email content is not stored.
5. Response Validation: Backend returns structured JSON; the extension validates the response against a strict schema before displaying results
6. Display Results: Validated results are shown in the popup UI; email content is discarded from memory
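To make the tiering in steps 2 and 3 concrete, here is an added illustration of how a client-side risk band can be derived; it is not Veridex's own code. The email object shape, the hard-flag checks, the soft-signal pattern lists and the "two or more families" threshold are assumptions chosen for this example, and Tier-2 contextual signals are left out.

```javascript
// Added illustration (not Veridex's code) of the tiering described above.
// Email shape, pattern lists and the "two families" threshold are assumptions.
const domainOf = addr => addr.slice(addr.lastIndexOf('@') + 1).toLowerCase();
const hostOf = url => { try { return new URL(url).hostname.toLowerCase(); } catch { return null; } };
// Host shown in anchor text, if that text itself looks like a URL or bare hostname.
const hostOfText = text => {
  const m = text.trim().match(/^(?:https?:\/\/)?([a-z0-9.-]+\.[a-z]{2,})(?:[\/?#].*)?$/i);
  return m ? m[1].toLowerCase() : null;
};
// Tier-1 hard flags: deterministic deception indicators; any one of them means HIGH.
function tier1HardFlags(email) {
  const flags = [];
  if (email.replyTo && domainOf(email.replyTo) !== domainOf(email.from)) flags.push('reply_to_mismatch');
  // Link masking: the visible text names one host while the real href points at another.
  if (email.links.some(l => { const shown = hostOfText(l.text); return shown && shown !== hostOf(l.href); })) {
    flags.push('link_masking');
  }
  if (email.attachments.some(a => /\.(exe|js|scr|hta|iso)$/i.test(a.name))) flags.push('suspicious_attachment');
  return flags;
}
// Soft scam signal families (constructed patterns); they can only ever reach MEDIUM.
const SOFT_FAMILIES = {
  payment: /\b(certified check|cashier'?s check|wire transfer)\b/i,
  pickup: /\b(third[- ]party pickup|my (mover|shipper|agent) will pick)\b/i,
  marketplace: /\b(still available|is the item still|sight unseen)\b/i,
};
const softScamFamilies = text => Object.keys(SOFT_FAMILIES).filter(k => SOFT_FAMILIES[k].test(text));
// Local risk band. Hard flags short-circuit to HIGH; soft families need at least two
// to reach MEDIUM. The email text is used in memory for this call only, never persisted.
function assessRisk(email) {
  const hard = tier1HardFlags(email);
  if (hard.length > 0) return { band: 'HIGH', reasons: hard };
  const families = softScamFamilies(`${email.subject}\n${email.body}`);
  if (families.length >= 2) return { band: 'MEDIUM', reasons: families.map(f => `soft:${f}`) };
  return { band: 'LOW', reasons: [] };
}
// Constructed sample messages for demonstration (not real mail).
const SAMPLE_PHISH = {
  from: 'billing@example-bank.com', replyTo: 'collect@mailbox-example.net',
  subject: 'Invoice overdue', body: 'Please review the attached invoice.',
  links: [{ text: 'https://example-bank.com/login', href: 'https://example-bank.com.login-portal.example/login' }],
  attachments: [{ name: 'invoice.pdf.exe' }],
};
const SAMPLE_SCAM = {
  from: 'buyer@mail.example', replyTo: null, subject: 'Re: Dining table',
  body: 'Is the item still available? I will pay by certified check and my mover will pick it up.',
  links: [], attachments: [],
};
```

Running `assessRisk(SAMPLE_PHISH)` yields HIGH with all three hard flags, while `assessRisk(SAMPLE_SCAM)` stops at MEDIUM even though three soft families match, which is the "soft signals never set red" property from step 3.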

3. Data Handling & Privacy Principles

No Email Storage

Email content (subject, body, sender address, recipient addresses, URLs, and attachment metadata) is processed ephemerally in memory only. This includes all heuristic and pattern-matching logic (e.g. Tier-1 hard flags and soft scam signals such as payment and pickup patterns); no email content is written to disk, logs, or telemetry at any stage.

Email content is never:

  • Written to disk
  • Saved to logs
  • Stored in any database
  • Included in telemetry or analytics
  • Used for model training

After analysis completes, email content is immediately discarded from memory.

Local Storage Contents

The extension uses chrome.storage.local only for non-content metadata:

  • Relationship data: Sender email addresses and interaction counts; sender domains and pairs (max 1,000 senders, 1,000 pairs, 500 domains, with LRU eviction)
  • Thread state: Email thread identifiers and analysis states
  • Metrics: Aggregated statistics (scanned, flagged, paused, marked safe, reported) and scan performance metrics
  • Settings: Extension enabled/disabled state, risk thresholds, LLM analysis preferences
  • Protect tab: First-time setup completed flag, Smart AI Auto-Protection on/off (auto_scan_enabled), and—when you enable Smart AI—policy consent record (consented_at, policy_version, extension_version); consent is not deleted if you later turn the feature off
  • Device token: Locally generated identifier for backend authentication and analytics

Never stored locally: Email body, subject lines, sender or recipient addresses as message content, URLs, or attachment content. Only metadata (addresses/counts for relationship context) is stored.

Telemetry

Veridex collects minimal, privacy-safe telemetry for operational analytics.

What Is Collected

  • Counters (e.g., scans completed)
  • Enumerated values (e.g., risk band)
  • Timing metrics (e.g., latency)
  • Anonymized device token
  • View correlation IDs

What Is Excluded

  • Email body
  • Email subject
  • Sender address
  • Recipient addresses
  • URLs from emails
  • Attachments or raw content

The backend enforces allow-listed event types and keys; unknown or free-text fields are rejected. Events are stored in a rolling buffer with rotation and caps.

See Privacy Policy for full details.

4. AI Usage & Protections

When Backend / AI Is Used

Email content is sent to our backend in two situations: (1) Toolbar indicator: only when you have opted in to Smart AI Auto-Protection in the extension's Protect tab (default is off); when enabled, opening an email in Gmail or Outlook may send a truncated copy to show the green/yellow/red badge; (2) Manual "Analyze with Veridex": when you click that button, the extracted email is sent for full analysis. AI-assisted analysis is optional and runs via our backend proxy; the backend sends a sanitized/preprocessed version to a third-party LLM and returns strictly validated JSON. Email content is not stored on our servers.

What Is Sent

  • Sanitized/preprocessed email content
  • Extracted detection signals

What Is Not Sent

  • Secrets or credentials
  • Unnecessary metadata
  • User account information

Prompt-Injection Protections

The backend treats email content as untrusted/hostile data and implements multiple layers of protection:

  • Role separation: System-level safety instructions, developer constraints, and user message (containing only delimited email content) are strictly separated
  • Strict delimiters: Email content is clearly delimited to prevent prompt escape
  • Output contract: JSON only, exact keys required, no extra keys permitted, size limits per field
  • Server-side validation: Malformed output or instruction-like markers are rejected

Fail-Safe Behavior

If AI output is invalid, malformed, or unavailable (due to rate limits, timeouts, or errors), Veridex does not default to "safe." Instead, it recommends review and/or applies deterministic high-risk logic when applicable signals are present.

5. Security Controls

5.1 Input Validation & Abuse Prevention

  • Content-type checks: Requests must have correct content-type headers
  • Required fields: All required fields are validated before processing
  • Unknown key rejection: Unexpected fields in requests are rejected
  • Size limits: Hard limits on payload size prevent abuse
  • Rate limiting: Requests are rate-limited per device token and per IP address

5.2 Output Validation & Fail-Safe Defaults

  • Strict schema: All responses must conform to the expected JSON schema
  • Invalid output rejection: Malformed or non-conforming responses are rejected
  • Safe fallback: When AI is unavailable or returns invalid output, the system recommends review rather than indicating no risk
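The output contract and fail-safe behaviour described under "Prompt-Injection Protections" and "Fail-Safe Behavior" in section 4, and summarised in 5.2, can be expressed as a small validator; the following is an added example, not Veridex's backend code. The key names, per-field limits, the instruction-marker list and the way the AI band is combined with local hard flags are assumptions for this illustration.

```javascript
// Added example (not Veridex's code) of a strict output contract with fail-safe defaults.
// Key names, limits and marker patterns are assumptions for this illustration.
const CONTRACT = {
  risk_band: { type: 'enum', values: ['LOW', 'MEDIUM', 'HIGH'] },
  confidence: { type: 'number', min: 0, max: 1 },
  reasons: { type: 'string_array', maxItems: 5, maxLen: 160 },
  summary: { type: 'string', maxLen: 300 },
};
// Instruction-like markers: text that suggests the model echoed or followed injected instructions.
const INSTRUCTION_MARKERS = /(ignore (all |the )?(previous|above) instructions|system prompt|as an ai language model|<\/?(system|assistant|user)>)/i;

function checkString(v, maxLen) {
  return typeof v === 'string' && v.length <= maxLen && !INSTRUCTION_MARKERS.test(v);
}

// Returns the parsed object when it matches the contract exactly, otherwise null.
// null always means "reject"; it is never interpreted as "safe".
function validateAiOutput(raw) {
  let obj;
  try { obj = JSON.parse(raw); } catch { return null; }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) return null;
  // Exact key set: missing keys and extra keys are both rejected.
  if (Object.keys(obj).sort().join(',') !== Object.keys(CONTRACT).sort().join(',')) return null;
  for (const [key, rule] of Object.entries(CONTRACT)) {
    const v = obj[key];
    switch (rule.type) {
      case 'enum': if (!rule.values.includes(v)) return null; break;
      case 'number': if (typeof v !== 'number' || !(v >= rule.min && v <= rule.max)) return null; break;
      case 'string': if (!checkString(v, rule.maxLen)) return null; break;
      case 'string_array':
        if (!Array.isArray(v) || v.length > rule.maxItems || !v.every(s => checkString(s, rule.maxLen))) return null;
        break;
    }
  }
  return obj;
}

// Fail-safe combination: deterministic local hard flags still force HIGH, and invalid
// or unavailable AI output (passed as null) results in REVIEW, never in "no risk".
function resolveBand(rawAiOutput, localHardFlags) {
  if (localHardFlags.length > 0) return 'HIGH';
  const ai = rawAiOutput === null ? null : validateAiOutput(rawAiOutput);
  return ai === null ? 'REVIEW' : ai.risk_band;
}
```

A response carrying an unexpected key such as `verdict`, or a reason string that reads like an instruction, is discarded whole rather than partially trusted.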

5.3 Data Minimization & Retention

  • Minimal telemetry: Only counters, enums, and timing metrics are collected
  • Rolling retention: Telemetry is stored in a rolling buffer with rotation and caps
  • No email content persistence: Email content is never written to any persistent storage

5.4 Operational Security

  • Security headers: X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Referrer-Policy: no-referrer
  • No-store caching: Cache-Control: no-store prevents caching of sensitive responses
  • No payload logging: Sensitive request/response payloads are not logged
  • Server-side secrets: API keys and credentials remain server-side; they are never shipped to the client
  • Extension updates: The extension uses a versioned storage schema; updates add only missing defaults and run compatibility migrations—your existing local data is not overwritten or deleted when you update
  • No remote code: All extension logic is bundled in the extension package. We do not load or execute JavaScript or other code from the internet; there is no eval of remote content or dynamic script loading from external URLs

6. Known Limitations

Veridex provides helpful risk indicators, but no security tool is perfect. Users should be aware of the following limitations:

  • False positives: Legitimate emails may sometimes be flagged as potentially suspicious due to overlapping characteristics with phishing emails
  • False negatives: Some phishing emails may not trigger risk indicators, especially novel or highly sophisticated attacks
  • Novel attacks: New attack techniques that do not match known patterns may evade detection
  • Email client changes: Updates to Gmail or Outlook Web DOM structure may temporarily affect email extraction until the extension is updated
  • AI availability: AI-assisted analysis may be temporarily unavailable due to rate limits, timeouts, or service disruptions
  • User verification required: For any sensitive action (financial transactions, credential changes, etc.), users must independently verify requests through known, trusted channels

7. Responsible Use

Veridex helps inform your decisions, but security is a shared responsibility. Follow these best practices:

  • Verify payment and account changes: Always confirm payment details, invoice changes, or bank account updates through a known, trusted channel (phone call to a verified number, in-person confirmation)
  • Never share credentials or MFA codes: Legitimate organizations will not ask for your password or multi-factor authentication codes via email
  • Navigate to sites manually: Instead of clicking email links, type the official website URL directly into your browser
  • Be cautious of urgency and secrecy: Requests demanding immediate action or asking you to keep something secret are common phishing tactics

8. Responsible Disclosure

Veridex welcomes good-faith security research. If you believe you have discovered a vulnerability in Veridex, we encourage you to report it so we can investigate and address it.

How to Report a Vulnerability

Send your report to support@veridexhq.com. Please use a clear subject line indicating it is a security report.

We review all reports and will acknowledge receipt. Due to limited resources, we cannot commit to specific response timelines, but we take all reports seriously and will investigate promptly.

What to Include in Your Report

  • A clear description of the vulnerability and its potential impact
  • Steps to reproduce the issue, including any tools or configurations used
  • The affected component (extension, backend, website) and version if known
  • Any proof-of-concept code or screenshots that demonstrate the issue
  • Your contact information for follow-up questions

Good-Faith Expectations

We ask that security researchers act in good faith:

  • Do not access, modify, or exfiltrate data belonging to other users
  • Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue
  • Do not perform actions that could degrade service availability for other users
  • Do not publicly disclose the vulnerability before we have had reasonable time to investigate and remediate
  • Do not include real user data in reports—Veridex does not store email content, so such data would have been obtained improperly

What Researchers Can Expect

  • We will acknowledge receipt of your report
  • We will investigate the reported issue and keep you informed of significant developments when feasible
  • We may, at our discretion, publicly acknowledge researchers who report valid vulnerabilities (with your permission)
  • We do not currently offer monetary rewards or bug bounties

Safe Harbor

We consider good-faith security research conducted in accordance with this policy to be authorized. We will not pursue legal action against researchers who discover and report vulnerabilities responsibly, provided they adhere to the expectations outlined above, do not access or harm user data, and do not disrupt our services. If you are uncertain whether your research complies with this policy, please contact us at support@veridexhq.com before proceeding.

9. Reporting & Contact

Security Vulnerabilities

Report security vulnerabilities:

support@veridexhq.com

See Responsible Disclosure for guidelines.

General Support

For general questions and support:

support@veridexhq.com

For legal terms, see Terms of Service. For privacy details, see Privacy Policy.
