Muzli Security Questionnaire

Vendor Security Assessment — last updated May 2026


Muzli (muz.li)

security@muz.li

About this document

This questionnaire covers the security, privacy, and compliance posture of the Muzli browser extension and web platform. It is intended to assist enterprise procurement and security teams with vendor assessment. Answers reflect Muzli's current state as of the date above.

For questions not covered here or to request additional documentation, contact security@muz.li.

Product type: Browser extension + web platform
Supported browsers: All Chromium browsers (full), Safari (limited), Firefox (experimental)
Data location: AWS us-east-1 (United States)
Users: 800,000+ globally

1. Data Collection & Privacy

Does Muzli collect or transmit any data from websites the user visits?
No. Muzli operates exclusively on the browser's new tab page. The extension does not inject code into, read content from, or monitor any website the user visits. No browsing history, page content, form data, or URL data is collected or transmitted.
What personal data does Muzli collect?
Limited. When a user creates an account, Muzli collects: name, email address, and profile picture — provided via Google OAuth. Anonymous usage events (e.g., content clicks) are collected for product analytics. No financial data, health data, or sensitive personal categories are collected.
Does Muzli sell personal data to third parties?
No. Muzli does not sell, rent, or trade personal data to any third party.
Can users request deletion of their data?
Yes. Users can request account and data deletion at any time via the account settings page (/remove-account) or by contacting support. Deletion is processed within 30 days.
What data is retained after account deletion?
Limited. Aggregated, anonymized analytics data may be retained. No personally identifiable information is retained once the account has been deleted and the deletion period has elapsed.

2. Browser Extension Permissions

What browser permissions does the Muzli extension request?
Scoped. The extension requests permission to override the new tab page (chrome_url_overrides), access to storage (for user preferences), and network access to fetch content from Muzli servers. It does not request access to tabs, history, cookies, webRequest, or any other page-level permission.
Can Muzli read content from pages the user has open?
No. The extension has no content script injected into any page other than the new tab override. It cannot read, modify, or interact with any other browser tab or window.
Is the extension published on the official browser store?
Yes. The extension is published on the Chrome Web Store (covering all Chromium-based browsers: Chrome, Edge, Brave, Opera, Vivaldi, Arc, and others) and the Microsoft Edge Add-ons store. Safari support is available with limited functionality via the Mac App Store. Firefox support is experimental. All updates go through each store's review process before being distributed to users.
Can Muzli be deployed to all devices in a managed environment?
Yes. IT administrators can force-install or whitelist the Muzli extension across all managed devices using Chrome Enterprise managed browser policy (via Google Admin Console or Group Policy / Intune) for all Chromium-based browsers. The extension ID is available on request.
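
The permission statements in this section can be checked against the manifest.json of the installed extension. The script below is an added example, not Muzli's code: the two sample manifests are constructed, and the rule that vendor servers sit under muz.li is an assumption of the example.

```python
import json

# Claims taken from the questionnaire answers; the host suffix is an assumption.
CLAIMED_API_PERMISSIONS = {"storage"}
DISCLAIMED = {"tabs", "history", "cookies", "webRequest"}
ALLOWED_HOST_SUFFIX = "muz.li"  # assumption: vendor servers live under this domain

def is_host_pattern(entry):
    # Manifest V2 mixes match patterns into "permissions"; V3 uses "host_permissions".
    return entry == "<all_urls>" or "://" in entry

def host_in_scope(pattern):
    if pattern == "<all_urls>":
        return False
    host = pattern.split("://", 1)[1].split("/", 1)[0]
    host = host[2:] if host.startswith("*.") else host
    return host == ALLOWED_HOST_SUFFIX or host.endswith("." + ALLOWED_HOST_SUFFIX)

def audit_manifest(manifest):
    """Return a list of deviations from the permission set stated in the questionnaire."""
    findings = []
    for key in ("permissions", "optional_permissions",
                "host_permissions", "optional_host_permissions"):
        for perm in manifest.get(key, []):
            if is_host_pattern(perm):
                if not host_in_scope(perm):
                    findings.append(f"{key}: host pattern outside vendor scope: {perm}")
            elif perm in DISCLAIMED:
                findings.append(f"{key}: permission the vendor says it does not request: {perm}")
            elif perm not in CLAIMED_API_PERMISSIONS:
                findings.append(f"{key}: permission not listed in the questionnaire: {perm}")
    overrides = manifest.get("chrome_url_overrides", {})
    if set(overrides) != {"newtab"}:
        findings.append(f"chrome_url_overrides is {sorted(overrides)}, expected ['newtab']")
    if manifest.get("content_scripts"):
        findings.append("content_scripts declared; questionnaire states none run on other pages")
    return findings

# Constructed sample manifests (not the vendor's real manifest).
CONSISTENT = json.loads('''{"manifest_version": 3, "name": "sample",
  "permissions": ["storage"], "host_permissions": ["https://*.muz.li/*"],
  "chrome_url_overrides": {"newtab": "newtab.html"}}''')
DEVIATING = json.loads('''{"manifest_version": 2, "name": "sample",
  "permissions": ["storage", "tabs", "<all_urls>"],
  "chrome_url_overrides": {"newtab": "newtab.html"},
  "content_scripts": [{"matches": ["https://*/*"], "js": ["cs.js"]}]}''')

if __name__ == "__main__":
    for name, m in (("consistent", CONSISTENT), ("deviating", DEVIATING)):
        print(name, audit_manifest(m) or "matches the stated permission set")
```

Running the same check after each extension update shows whether a new version has widened its permission set beyond what is stated here.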

3. Identity & Access Management

What authentication methods does Muzli support?
OAuth + OTP. Muzli supports four authentication methods — none of which store a password:
  • Google OAuth 2.0 — sign in with an existing Google account.
  • Twitter OAuth — sign in with an existing Twitter/X account.
  • Facebook OAuth — sign in with an existing Facebook account.
  • Email OTP — passwordless sign-in; a one-time code is sent to the user's email address. No password is created or stored by Muzli.
Does Muzli support enterprise SSO / SAML 2.0?
Not currently. Enterprise SAML 2.0 SSO is not currently supported. Authentication is via Google, Twitter, Facebook OAuth, or email OTP. Organizations using Google Workspace can standardize on Google sign-in across their team.
Does Muzli support SCIM provisioning?
Not currently. SCIM automatic user provisioning and deprovisioning is not currently supported.
Is multi-factor authentication (MFA) supported?
Inherited / Built-in. For OAuth methods (Google, Twitter, Facebook), MFA is inherited from the provider — if a user's Google Workspace admin enforces MFA, it applies to Muzli sign-in automatically. Email OTP is inherently a second-factor-equivalent flow as it requires access to the user's email inbox at each sign-in.

4. Data Security & Infrastructure

Where is Muzli data stored?
US only. All user data is stored in Amazon Web Services (AWS) in the us-east-1 region (Northern Virginia, United States). No EU or other regional data residency is currently offered.
Is data encrypted at rest and in transit?
Yes. Data in transit is encrypted using TLS 1.2+. Data at rest is encrypted using AWS default server-side encryption (AES-256) on all storage services.
What cloud providers does Muzli use?
AWS + Google. Primary infrastructure runs on Amazon Web Services (AWS). Authentication is handled via Google OAuth (Google Cloud). A full sub-processor list is available on request at security@muz.li.
Does Muzli have a business continuity / disaster recovery plan?
Yes — informal. Muzli operates on AWS managed services with automated backups. A formal, documented BCP/DRP is not currently in place. Enterprise plans include a 99.99% uptime SLA.

5. Compliance & Governance

Is Muzli GDPR compliant?
Yes. Muzli operates in compliance with GDPR requirements: lawful basis for data processing is established (legitimate interest and consent), users have rights to access, deletion, and portability of their data, and data is not sold to third parties. A Data Processing Agreement (DPA) can be discussed for enterprise customers — contact security@muz.li.
Is Muzli CCPA compliant?
Yes. Muzli does not sell personal data of California residents. Users have the right to know what data is collected, request deletion, and opt out of any future data sale (none occurs).
Is Muzli SOC 2 certified?
Not currently. Muzli has not undergone a SOC 2 audit. We are happy to answer security questions directly and provide architecture documentation to assist your team's assessment.
Is Muzli ISO 27001 certified?
Not currently. Muzli does not hold ISO 27001 certification.
Does Muzli have a vulnerability disclosure / bug bounty program?
Contact us. A formal bug bounty program is not in place. Security researchers can responsibly disclose vulnerabilities by contacting security@muz.li. We commit to acknowledging reports within 5 business days.

6. Incident Response

Does Muzli have an incident response process?
Yes — informal. Muzli has an internal incident response process for security events. Enterprise customers will be notified within 72 hours of any confirmed data breach involving their users' data, consistent with GDPR Article 33 obligations.
How do I report a security incident involving Muzli?
Contact us. Report security incidents to security@muz.li. Include a description of the issue, affected accounts if known, and any evidence. We will acknowledge within 1 business day.

© 2026 Muzli X ltd. · All Rights Reserved.