Manifold does not store any personal information from your end users. We store only the subject (the identifier for the end user provided by the UserInfo endpoint).
Manifold relies on the HTTP referrer to determine which platform is making the request in our auth component.
We recommend that you set a Content Security Policy header that includes a frame-src directive which specifies our authentication service domain: login.manifold.co.
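As an added example (not Manifold's code), this JavaScript merges the authentication service domain into an existing Content-Security-Policy value; the https:// scheme and the function names are assumptions. It copies the child-src or default-src fallback sources, so that adding an explicit frame-src does not drop frames the policy already allowed.

```javascript
// Added example, not Manifold's code. The https:// scheme is an assumption;
// the page gives only the domain login.manifold.co.
const MANIFOLD_AUTH = "https://login.manifold.co";

// Parse a CSP header value into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored by browsers; the first one wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Return a policy whose frame-src allows `origin`, keeping existing sources.
function allowFrame(policy, origin = MANIFOLD_AUTH) {
  const directives = parseCsp(policy);
  let sources = directives.get("frame-src");
  if (!sources) {
    // Without frame-src the browser falls back to child-src, then default-src.
    // An explicit frame-src ends that fallback, so copy those sources over.
    sources = [...(directives.get("child-src") || directives.get("default-src") || [])];
  }
  // 'none' must stand alone, so drop it once a real source is listed.
  sources = sources.filter((s) => s.toLowerCase() !== "'none'");
  if (!sources.includes(origin)) sources.push(origin);
  directives.set("frame-src", sources);
  return [...directives].map(([n, s]) => [n, ...s].join(" ")).join("; ");
}

// Constructed sample policy, for illustration only.
console.log(allowFrame("default-src 'self'; script-src 'self' https://cdn.example"));
```

If the existing policy has none of frame-src, child-src or default-src, frames were previously unrestricted, and the resulting frame-src will allow only the authentication domain.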
Manifold encrypts all stored tokens, with a token specific to each end user. These tokens are in turn encrypted again with a master key, which is accessible only to the underlying service that needs access. To learn more, see our blog.