Manifold does not store any personal information from your end users. We store only the subject (the identifier for the end user provided by the UserInfo endpoint).
Manifold relies on the HTTP referrer to determine which platform is making the request in our auth component.
To enable this security model, you must allow iframes rendered from your own domain. We recommend disabling iframes for all other domains by setting up the X-Content-Security-Policy: frame-ancestors 'self' header.
Manifold encrypts all stored tokens, with a token specific to each end user. These tokens are in turn again encrypted with a master key, which is only accessible to the underlying service which needs access. To learn more, see our blog.