Solidroad Chrome Extension

Last updated: December 30, 2025

Security, Privacy & Data Handling Overview

Who this is for

This document is designed for:

  • Security & Compliance teams evaluating risk and controls

  • IT / Workspace admins reviewing permissions and deployment

  • Privacy teams reviewing data categories and user consent

  • End users who want to understand what is recorded and how to stay safe

1) What the extension does

The Solidroad Chrome Extension lets a user intentionally record a browser-based workflow (clicks, navigation, and typed input) so Solidroad can turn it into interactive guides and training simulations.

  • Recording is always user-initiated.

  • Recording can be stopped at any time.

  • Data is synced to Solidroad only while recording is active.

Typical use cases

  • Documenting internal tools and processes

  • Creating enablement or onboarding walkthroughs

  • Building interactive training and simulations for teams

2) Key privacy & security principles

User control and transparency

  • Opt-in recording only: recording begins only when the user clicks “Start Recording.”

  • Clear indicators: the extension shows visible “recording is on” UI (e.g., banner / icon state).

  • Stop anytime: users can stop recording immediately from the extension UI.

Data minimization

  • The extension captures structured events needed to reproduce a workflow (not continuous video).

  • It does not collect browser history, bookmarks, files, or data from other apps.

Secure transmission

  • Data is transmitted only over HTTPS (TLS 1.2+) to Solidroad services.

  • Authentication is handled using OAuth + JWT.

3) Permissions (what we request and why)

Solidroad requests Chrome permissions required to record interactions and securely sync them to the Solidroad platform.

Required Chrome permissions

  1. tabs – to identify the active tab being recorded

  2. activeTab – to access the current tab only after a user action

  3. scripting – to inject recording code into the page

  4. storage – to store sign-in state and recording state locally

  5. notifications – reserved for optional notifications (not currently used)

Host permissions

  • http://*/* and https://*/*
    These host permissions allow recording on any site a user chooses to document.

Important: host permissions enable capability, but recording happens only on the tab where the user starts recording.
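
For admins reviewing a deployment, the check below is an added example (not Solidroad's code): it compares an unpacked extension's manifest.json against the permission list in this section and reports anything outside it. The function name, the sample manifests, and the exact host match patterns (http://*/* and https://*/*) are assumptions.

```javascript
// Added example: audit a Manifest V3 manifest against the permissions documented above.
// DOCUMENTED mirrors section 3; the host patterns are assumed to be in match-pattern form.
const DOCUMENTED = {
  permissions: ["tabs", "activeTab", "scripting", "storage", "notifications"],
  hosts: ["http://*/*", "https://*/*"],
};

function auditManifest(manifest) {
  const findings = [];
  if (manifest.manifest_version !== 3) {
    findings.push(`manifest_version is ${manifest.manifest_version}, expected 3`);
  }
  // Optional permissions can be granted later at runtime, so review them with the rest.
  const perms = [...(manifest.permissions || []), ...(manifest.optional_permissions || [])];
  const hosts = [
    ...(manifest.host_permissions || []),
    ...(manifest.optional_host_permissions || []),
  ];
  for (const p of perms) {
    if (!DOCUMENTED.permissions.includes(p)) findings.push(`undocumented permission: ${p}`);
  }
  for (const p of DOCUMENTED.permissions) {
    if (!perms.includes(p)) findings.push(`documented permission not requested: ${p}`);
  }
  for (const h of hosts) {
    if (!DOCUMENTED.hosts.includes(h)) findings.push(`undocumented host pattern: ${h}`);
  }
  // The document states no scripts are loaded from CDNs: flag remote script-src entries.
  const csp = (manifest.content_security_policy || {}).extension_pages || "";
  const scriptSrc = csp.split(";").map((d) => d.trim())
    .find((d) => d.startsWith("script-src")) || "";
  if (/https?:\/\//.test(scriptSrc)) findings.push(`remote source in script-src: ${scriptSrc}`);
  return findings;
}

// Constructed sample manifests (not the real extension's manifest.json).
const asDocumented = {
  manifest_version: 3,
  permissions: ["tabs", "activeTab", "scripting", "storage", "notifications"],
  host_permissions: ["http://*/*", "https://*/*"],
};
const drifted = {
  manifest_version: 3,
  permissions: [...asDocumented.permissions, "cookies"],
  host_permissions: ["<all_urls>"],
};

console.log(auditManifest(asDocumented)); // no findings
console.log(auditManifest(drifted));      // extra permission and broader host pattern
```

Run it against the manifest.json of the installed version after each extension update, so a change in requested permissions is noticed before it is approved.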

4) What data is collected during a recording

When recording is active, the extension collects:

Interaction events (for replay)

  • Clicks and UI interactions

  • Navigation events

  • Scroll events

  • Typed input in form fields (see “Sensitive data handling” below)

  • DOM change events needed to accurately reproduce a workflow

Page context

  • Page URL and domain

  • Visual/page state needed for replay accuracy

Recording metadata

  • Recording name (entered by the user)

  • Start/stop timestamps and duration

  • Internal recording identifiers (e.g., flow ID)

5) What we do not collect

The extension does not collect:

  • Passwords or sensitive form fields when masking is enabled (see below)

  • Data from other browser tabs

  • Browser history or bookmarks

  • Files on the user’s device or downloads

  • Data from other applications

  • Any recording when the user is not actively recording

6) Sensitive data handling (recommended controls)

Typed input can be captured as part of workflow replay. Customers typically handle this in two ways:

Built-in masking options

The underlying recording approach (rrweb) supports masking sensitive inputs (e.g., passwords and specified selectors/fields).

Recommended customer policy:

  • Always mask password fields

  • Mask or exclude fields likely to contain secrets (tokens, SSNs, payment info, etc.)

  • Avoid recording workflows that include highly sensitive screens unless required

End-user guidance (best practice)

Users should avoid recording workflows that include:

  • Password entry (even if masked, avoid when possible)

  • Payment card details

  • Government IDs, health data, or other special-category personal data

  • API keys, access tokens, secret values

7) Local storage on the device

The extension stores limited data locally using chrome.storage.local:

Stored locally

  • Authentication token (JWT) used for API access

  • Basic user profile for UI display (e.g., name/email)

  • Recording state (status, flow ID, event queue) while a recording is in progress

Security properties

  • Stored within the user’s Chrome profile using Chrome’s extension storage protections.

  • Local authentication data is removed on sign-out.

  • Recording state is cleared after successful upload or cancellation.

8) Data transmission and APIs (high level)

The extension communicates with Solidroad servers over HTTPS.

Authentication flow

  • User signs in via Solidroad using OAuth

  • The extension receives a JWT token to call Solidroad APIs

Recording sync behavior

  • During recording, events are synced periodically (e.g., every ~5 seconds)

  • When the user stops recording, the final batch is uploaded

  • When not recording, the extension does not transmit recording data

Data format

  • Events are transmitted as structured JSON events

  • Events are compressed to reduce payload size

  • This is not raw video capture

9) Security controls

Authentication & authorization

  • OAuth-based sign-in and scoped session tokens (JWT)

  • Recordings are associated with the authenticated user and workspace

Transport security

  • HTTPS-only communication (TLS 1.2+)

Extension security posture

  • Chrome Extension Manifest V3 security model

  • No external scripts loaded from CDNs

  • Content Security Policy aligned to Chrome requirements

  • Recording scripts run in isolated extension contexts

Operational logging

  • API requests and key actions (auth events, start/stop recording) are logged on the backend for auditability

10) Cross-origin and iframe behavior

  • The extension respects standard browser security boundaries.

  • Cross-origin iframes may be unrecordable due to browser restrictions.

  • The extension does not attempt to bypass browser security controls.

11) Data retention and deletion

  • Recording data retention is governed by Solidroad’s retention policies and the customer’s configuration (where applicable).

  • Users can delete recordings from within the Solidroad web interface (subject to permissions and policy).

12) Support & security contact

For security questions, deployment guidance, or to report a vulnerability:

  • Email security@solidroad.com with all relevant information

  • Contact your Solidroad representative or support channel

  • Follow your organization’s security reporting process