Sharedrop lets you share content, including HTML generated by AI agents, with the people you choose. A lot of that content isn't written by us, so we keep it isolated from your account and your private files.
Every page you open on Sharedrop runs inside a locked-down sandbox, sealed off from the rest of the site. Content in that sandbox can't read your login session, your cookies, or anything else tied to your account, and it can't reach your files. A page that tries to misbehave stays boxed in: it can't open pop-ups, redirect your browser, or submit forms as you.
We don't store passwords either. Sign-in goes through Google or GitHub, so your credentials never pass through us.
You decide who sees each page: keep it private, share it with specific people, or make it public. We check those permissions on every view, so there's no way around them, and private pages can't be found by guessing a link. The images and files inside a private page are protected the same way the page is.
Shared content is served from a separate address, view.sharedrop.cloud, kept apart from the app you log in to. We're going further and moving it to a dedicated, cookieless domain, so the content you view is fully separated from your Sharedrop session, with no shared cookies or storage between the two. It's isolated today, and the dedicated domain will make it more so.
We take the sandbox seriously. We threat-model it and test it against the attacks that matter most: credential theft, clickjacking, and hijacking the page you're viewing. Any change that touches it gets reviewed carefully.
If you find a security issue, email security@sharedrop.cloud and we'll reply within two business days.
Running Sharedrop across an organisation? Enterprise controls like configurable policies and audit logs are on the way. Email support@sharedrop.cloud and we'll walk you through your options.