openwrap is built around executable HTML, so the security model has to be explicit. This page summarizes the current isolation model, sharing controls, and the boundaries you should assume during early access.
Published wraps do not run inside the main app shell as ordinary app UI. They render through a dedicated viewer and share surface designed to isolate the wrap from the rest of the product. The WRAP format also carries a manifest and security tier so a viewer can make explicit decisions about what the document is allowed to do.
That model reduces risk, but it does not make arbitrary web content risk-free. Treat openwrap as a product with meaningful safeguards, not as a promise that every conceivable browser-side risk disappears.
Account-backed projects can be shared in several ways, including stricter modes than a plain unlisted link. Current access paths include revocable link tokens, email allowlists, domain allowlists, org-scoped access, and member-only access. Custom slugs and managed share settings live with saved projects in the app.
Anonymous single-file publishes are simple on purpose: they create an unlisted share link. If you need tighter control, move the work into a saved project and manage it from the workspace.
Traffic to the product and share surfaces uses HTTPS. Uploaded files, published artifacts, project metadata, access lists, and session state are stored server-side so the product can deliver links, collaboration, and access enforcement.
Project secrets are intended to stay server-side and are not exposed back as plaintext values through normal product flows. That said, early access is not the stage where we claim enterprise-grade assurance or a full compliance perimeter.
Practical rule: if the workflow needs a formal security review, treat this page as a starting point, not the final answer.
We use rate limits, access controls, and activity records to reduce abuse and investigate incidents. We may remove content or restrict accounts that threaten users, infrastructure, or compliance.
If you find a security issue, use the support page or email security@openwrap.ai.