Built for security teams

EU-hosted infrastructure with origin validation, zero PII collection, and customer-controlled access revocation.

EU-hosted data residency
Origin validation + domain allowlist
No PII capture

What Stepsy provides

  • Origin allowlist enforced server-side—guides only load on approved domains
  • Tenant public key validation on every API request (403 on mismatch)
  • EU data residency (Frankfurt) with GDPR compliance and DPA available
  • No PII required—recorder captures CSS selectors and guide text only
  • 10 KB vanilla TypeScript SDK, no eval(), no third-party dependencies
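The server-side checks listed above (per-guide origin allowlist, tenant public key match returning 403) sketched as pure functions. This is an added, hypothetical example written for this page, not Stepsy's implementation; the guide record, the `pk_placeholder_*` key and the request shape are constructed assumptions. The point it makes that the bullets do not: the origin comparison must be an exact scheme + host + port match, because suffix or substring matching lets a look-alike host through.

```javascript
// Added example (hypothetical, not Stepsy's code): server-side origin allowlist
// and tenant key validation for a guide-load request.

// Constructed guide record; the key and origins are placeholders.
const GUIDES = {
  'guide-onboarding': {
    tenantPublicKey: 'pk_placeholder_tenant_a',
    allowedOrigins: ['https://app.example.com'],
  },
};

// Exact-origin comparison: scheme, host and port must all match.
// A suffix check like endsWith('.example.com') would accept
// https://app.example.com.evil.example, so we normalise both sides with URL.
function originAllowed(originHeader, allowlist) {
  if (!originHeader) return false;               // no Origin header -> deny
  let origin;
  try { origin = new URL(originHeader).origin; } catch { return false; } // 'null' or junk -> deny
  return allowlist.some((allowed) => {
    try { return new URL(allowed).origin === origin; } catch { return false; }
  });
}

// Returns an HTTP-style result instead of touching a framework so it is testable.
// The tenant public key is not a secret, so a plain comparison is fine here.
function authorizeGuideLoad(req, guides = GUIDES) {
  const guide = guides[req.guideId];
  if (!guide) return { status: 404, reason: 'unknown guide' };
  if (req.tenantPublicKey !== guide.tenantPublicKey) {
    return { status: 403, reason: 'tenant key mismatch' };
  }
  if (!originAllowed(req.origin, guide.allowedOrigins)) {
    return { status: 403, reason: 'origin not on allowlist' };
  }
  return { status: 200, reason: 'ok' };
}

module.exports = { GUIDES, originAllowed, authorizeGuideLoad };
```

Wire `authorizeGuideLoad` in front of the guide handler and feed it the request's `Origin` header plus the tenant key the SDK sends; anything other than `status: 200` is rejected before any guide content is read.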

What you control

  • Per-guide domain allowlist: specify exactly which domains can load each guide
  • Version pinning: lock the SDK to a specific release and verify it with an SRI hash
  • CSP enforcement: restrict script-src and connect-src to Stepsy domains only
  • Network monitoring: SDK only contacts cdn.stepsy.cc and api.stepsy.cc

Recommended CSP policy (you implement)

Content-Security-Policy:
  script-src 'self' https://cdn.stepsy.cc;
  connect-src 'self' https://api.stepsy.cc;