Your website, untouched
Our embeddable widget runs inside a sandboxed iframe served from a Vectorspace-controlled origin. Because of how browsers enforce the Same-Origin Policy, the widget cannot read your page's DOM, cookies, or local storage—and it cannot make authenticated requests on behalf of your users. Even if a vulnerability were ever discovered inside the widget itself, the browser's isolation model is designed to contain the blast radius to the widget's own origin—sharply limiting what could reach your users or your data.
This is the same widely adopted pattern used by the embedded payment forms and support messengers you already trust on sensitive pages: treat the embedded surface as untrusted by default, and let the browser enforce the boundary.
We layer a strict Content Security Policy, sanitized content rendering, and origin-validated API calls on top of that isolation. None of these are marketing checkboxes—they are regression-tested on every deploy and verifiable from any browser's DevTools.