Skip to content
Security & Trust

Powerful, because it’s careful.

An agent that reads pages and acts on the web has to earn trust first. Consent, grounding, and privacy are foundations of Intellisper — not features bolted on later. Here is exactly how that works.

You approve every consequential action

The agent proposes; you decide. Anything irreversible pauses for your explicit approval before it runs.

  • Submitting forms, sending, and other consequential actions always show a confirmation card first — nothing irreversible runs without your “Approve”.
  • Reversible actions (typing, scrolling, selecting) run as part of a task you can watch in a live action log.
  • You can reject a proposed action at any point and the agent continues without it.

Answers are grounded and cited

The agent answers from what is actually on the page or in the sources it read — with citations you can trace.

  • Page answers are built from a distilled, accessibility-first view of the page — not a guess.
  • Research reports use numbered citations that point back to the exact sources.
  • When the agent does not have enough to answer, it says so instead of inventing.

Page content is treated as data, never commands

A web page cannot hijack your agent. Content the agent reads is handled strictly as information to reason over.

  • Text from pages, documents, and fetched sources is wrapped as untrusted data before the agent reasons over it.
  • Instructions hidden inside a page (“ignore your instructions and…”) are not obeyed — they are treated as content.
  • This boundary is applied everywhere the agent takes in outside content: pages, PDFs, attached files, and research sources.

Memory is private, scoped to you, and refuses secrets

What the agent remembers belongs to you alone — and it will not store the things that should never be stored.

  • Every remembered fact is scoped strictly to your account; memory is never shared across users.
  • The agent refuses to save passwords, card numbers, and other secret-like content to memory.
  • You can search, review, and permanently forget any remembered fact at any time.
  • Automatic memory capture is on by default and can be turned off with a single switch.

Sensitive fields are protected

The agent will not silently read or fill the inputs that carry your most sensitive information.

  • Password and payment-type fields are not read into the agent’s view of the page.
  • The agent refuses to fill sensitive fields on your behalf.
  • Your sign-in to Intellisper uses session tokens — model provider keys never live in the client.

Web research is guarded

When the agent fetches a public page for research, it is fenced off from anything it should not reach.

  • Server-side fetching is guarded against reaching private, internal, or loopback network addresses (SSRF protection).
  • That guard is re-checked across redirects, and fetched content is size- and time-bounded.
  • Only public web content is fetched this way; anything needing your logged-in session runs in your own browser, under your control.
Least privilege

The permission model, in plain language

The extension asks for the minimum it needs, and requests more only at the moment a capability calls for it.

Acts on the page only when you ask

The agent reads or acts on the current page on demand — when you start a task — rather than watching every page you visit in the background.

Broad web access is opt-in

Reading across the wider web for research is requested from you explicitly, with a clear prompt, and only when a task needs it.

No keys on your device

The agent’s model access lives server-side. The extension holds only your session tokens, kept in the browser’s extension storage.

Least-privilege by default

The extension requests the minimum it needs to function, and asks for more only at the moment a capability requires it.

Built to stay in bounds

Protections that run quietly in the background

Guardrails that keep the service safe, predictable, and resilient — without you ever having to think about them.

Runaway-loop protection

Each task is bounded by step and cost ceilings, so an agent run cannot spin indefinitely. A separate per-account usage budget guards against runaway usage across many runs.

Rate limiting

Requests that spend resources are rate-limited per account, so the service stays responsive and abuse is contained.

Resilient by design

Tasks are saved as they progress, so a run survives closing and reopening the panel — and you never see raw errors, only a calm, human message.

Straight answers

What security-minded people ask us

No hedging — here is how the agent actually behaves.

Does the agent watch everything I browse?

No. The agent reads or acts on a page only when you start a task that needs it. It is not a background tracker of your browsing.

Where does the work happen?

Understanding, research, and reasoning happen server-side; actions that need your logged-in session happen in your own browser, on the page in front of you, and only with your approval for anything consequential.

Can a malicious page take control of the agent?

A page can present content, but it cannot issue commands to your agent. Everything the agent reads from a page is treated as untrusted data, and instructions embedded in page content are not followed.

What will the agent never store in memory?

Passwords, payment card numbers, and other secret-like content are refused. Memory is meant for durable facts about your preferences, projects, and context — not credentials.

Can I delete what the agent remembers?

Yes. You can search your memory, remove any individual fact, and turn automatic capture off entirely from the extension.

Is the agent free to start?

Yes — you can start on the free tier with no card. Usage is bounded by sensible per-account limits that scale with your plan.

Control you can feel, from the first task.

Install the extension and run your first task in under a minute. Free to start.

Get the extensionRead the privacy policy