Security at Pixbots

Our products run in healthcare imaging and IT operations contexts. We treat security as a baseline, not a feature. This page describes the controls we apply across the website, the contact pipeline, and our products.

Last reviewed: April 2026.

Data we handle, data we do not

PixelPACS and patient data. Pixbots does not access, store, or retain any patient data or medical images for healthcare deployments. All patient information remains under the control of the client organization, governed by the separate institutional or partner agreement that covers PixelPACS use.

Personal data on this website. The pixbots.com website collects only the information you choose to provide through the contact form (name, email, optional company, and message body), plus standard request metadata such as IP address and user agent. We do not run third-party analytics or advertising trackers on this site.

Product telemetry. Each product (LynxTrac, LynxTrac Remote, Orviora AI, Orviora Community) handles operational data under its own product agreement. The full description is in the Privacy Policy and the Terms of Use.

Infrastructure controls

The website itself is hardened by default and audited on every deploy.

TLS everywhere

pixbots.com is served over HTTPS only. HSTS is enabled with a two-year max-age and the includeSubDomains directive, so browsers refuse to downgrade to HTTP.
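
An added example, not Pixbots code: a TypeScript check that a Strict-Transport-Security header value meets the policy stated above (max-age of at least two years, includeSubDomains present). The function name auditHsts and the sample header values are constructed for illustration.

```typescript
// Added example: audit a Strict-Transport-Security value against the policy
// stated above (two-year max-age plus includeSubDomains). RFC 6797 syntax.
const TWO_YEARS_SECONDS = 2 * 365 * 24 * 60 * 60; // 63072000

interface HstsAudit {
  ok: boolean;
  maxAge: number | null;
  includeSubDomains: boolean;
  problems: string[];
}

function auditHsts(headerValue: string | null): HstsAudit {
  const audit: HstsAudit = { ok: false, maxAge: null, includeSubDomains: false, problems: [] };
  if (headerValue === null) {
    audit.problems.push("header missing");
    return audit;
  }
  const seen: string[] = [];
  for (const raw of headerValue.split(";")) {
    const part = raw.trim();
    if (part === "") continue; // empty directives (e.g. a trailing ';') are allowed
    const eq = part.indexOf("=");
    // Directive names are case-insensitive.
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    let value = eq === -1 ? "" : part.slice(eq + 1).trim();
    if (/^".*"$/.test(value)) value = value.slice(1, -1); // quoted-string form
    // Each directive may appear only once; a repeat makes the header invalid.
    if (seen.indexOf(name) !== -1) audit.problems.push("duplicate directive: " + name);
    seen.push(name);
    if (name === "max-age") {
      if (/^\d+$/.test(value)) audit.maxAge = parseInt(value, 10);
      else audit.problems.push("invalid max-age value");
    } else if (name === "includesubdomains") {
      audit.includeSubDomains = true;
    } // unknown directives such as preload are ignored
  }
  if (audit.maxAge === null) audit.problems.push("no usable max-age");
  else if (audit.maxAge < TWO_YEARS_SECONDS) audit.problems.push("max-age below two years");
  if (!audit.includeSubDomains) audit.problems.push("includeSubDomains missing");
  audit.ok = audit.problems.length === 0;
  return audit;
}

// Constructed sample values, not captured from pixbots.com.
const hstsSamples = [
  "max-age=63072000; includeSubDomains",
  'Max-Age="63072000" ; INCLUDESUBDOMAINS; preload',
  "max-age=31536000; includeSubDomains",
  "max-age=63072000; max-age=0; includeSubDomains",
];
for (const s of hstsSamples) console.log(s, "=>", JSON.stringify(auditHsts(s).problems));
```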

Content Security Policy

A strict CSP limits script, style, frame, and connect sources to known origins. Inline scripts are minimized and third-party loaders are explicit.

Cloudflare edge

The site runs on Cloudflare Pages with DDoS protection, automated TLS certificates, and global edge caching. Static HTML is the default; the attack surface is small.

Secrets management

Production secrets (Resend, Turnstile, KV bindings) are stored as Cloudflare Pages secrets. They are not committed to source, never appear in client bundles, and are rotated via wrangler.

Application security

Engineering practices that gate every change before it reaches production.

Layered contact-form protection

The contact endpoint validates input with a strict zod schema, checks a hidden honeypot field, verifies a Cloudflare Turnstile token server-side, and applies a per-IP rate limit (five submissions per hour) backed by Cloudflare KV.
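
The four gates from the paragraph above, in the order it lists them, as an added example that is not the Pixbots implementation. All names are hypothetical: a hand-written check stands in for the zod schema, an in-memory object for the KV namespace, and the injected verifyToken function for the server-side Turnstile verification; the honeypot field name and the length bounds are assumptions.

```typescript
// Added example with hypothetical names; not the Pixbots source.
// A hand-written check stands in for the zod schema, an in-memory object for
// the KV namespace, and verifyToken for the server-side Turnstile call.
const LIMIT = 5;                  // five submissions ...
const WINDOW_MS = 60 * 60 * 1000; // ... per hour

interface Submission {
  name: string;
  email: string;
  company?: string;
  message: string;
  website?: string; // honeypot: hidden from people, so it must stay empty
  token: string;    // Turnstile response token posted by the widget
}
type Verdict = "accepted" | "invalid_input" | "honeypot" | "bot_check_failed" | "rate_limited";

function validInput(s: Submission): boolean {
  const emailOk = s.email.length <= 254 && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(s.email);
  const nameOk = s.name.trim().length > 0 && s.name.length <= 100;
  const messageOk = s.message.trim().length > 0 && s.message.length <= 5000;
  return emailOk && nameOk && messageOk; // length bounds are assumed values
}

function makeContactGate(verifyToken: (token: string, ip: string) => boolean) {
  const counters: { [key: string]: number } = {};
  return function check(s: Submission, ip: string, nowMs: number): Verdict {
    if (!validInput(s)) return "invalid_input";
    if (s.website !== undefined && s.website !== "") return "honeypot";
    if (!verifyToken(s.token, ip)) return "bot_check_failed";
    // Fixed window: one counter per IP per clock hour. Only submissions that
    // passed every earlier gate consume quota.
    const key = "rl:" + ip + ":" + Math.floor(nowMs / WINDOW_MS);
    const used = counters[key] || 0;
    if (used >= LIMIT) return "rate_limited";
    counters[key] = used + 1; // with a real KV store, also set an expiry on the key
    return "accepted";
  };
}

// Constructed demo: the sixth submission inside one hour is refused.
const demoGate = makeContactGate((token) => token === "constructed-valid-token");
const demoMsg: Submission = { name: "A. Tester", email: "a@example.com", message: "Hello", token: "constructed-valid-token" };
for (let i = 1; i <= 6; i++) console.log(i, demoGate(demoMsg, "203.0.113.7", 1700000000000));
```

A fixed-window counter can admit up to ten submissions from one IP in a short span that straddles an hour boundary, and a counter kept in an eventually consistent store such as KV is approximate under concurrent writes.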

Code review and CI gates

Every change is reviewed via GitHub pull request. The CI pipeline runs Prettier, ESLint, Astro template type-check, full TypeScript type-check, and a prose linter before any deploy.

Dependency hygiene

Dependencies are pinned with a lockfile and checked into the repository. Updates land via reviewed pull requests, not unattended auto-merge.

Minimal third-party JavaScript

The marketing site loads no third-party analytics or tracking by default. The only external script is Cloudflare Turnstile, scoped to the contact page.

Compliance posture

Pixbots Private Limited is registered and operated in India. Our personal-data practices are aligned with applicable Indian law.

  • Digital Personal Data Protection Act, 2023 (DPDP Act)

    Personal-data handling is aligned with DPDP Act principles: lawful basis, purpose limitation, and the data-principal rights described in our Privacy Policy.

  • Data minimization

    We collect what we need to respond to inquiries and operate the products. We do not sell, rent, or trade personal information to third parties.

  • Industry certifications (PixelPACS deployments)

    For specific healthcare deployments, certification scope and audit posture are addressed in the institutional agreement covering that deployment. Contact us to request the current letter of attestation for your engagement.

Subprocessors

The third-party services we rely on to operate pixbots.com.

  • Cloudflare

    Role: Hosting (Pages), DNS, edge cache, DDoS protection, KV storage for rate limiting, and Turnstile bot detection.
    Region: Global edge

  • Resend

    Role: Outbound transactional email for the contact form (info@pixbots.com).
    Region: United States

  • GitHub

    Role: Source code hosting and continuous integration.
    Region: United States

For product-specific subprocessors (PixelPACS, LynxTrac, Orviora), refer to the product agreement that covers your deployment.

Reporting a vulnerability

We are grateful to security researchers who disclose responsibly. There is no bug bounty in place today; we acknowledge reports in writing and will coordinate a fix and a public advisory where appropriate.

When you report, please include:

  • A clear description of the issue and the affected URL or product.
  • Steps to reproduce, including request payloads where relevant.
  • The impact you believe the issue has, and any suggested mitigation.
  • A way for us to credit you (or to keep the disclosure anonymous) in the resulting advisory.

Please do not run automated scanners against pixbots.com without contacting us first. We will coordinate scoped windows where useful.

Have a security question?

Compliance reviews, vendor questionnaires, and architecture diagrams are something we are happy to walk through directly.