Skip to main content
DRIFTSTACK

Frequently asked.

If your question isn't answered here, email support@driftstack.dev or sales@driftstack.dev — we answer everything in writing.

Pricing model

Why concurrent caps and not hours?

Most cloud-browser platforms bill by the hour, which quietly punishes you for leaving a session open. An account manager running 3 persistent profiles 8 hours a day generates ~720 browser-hours a month — and a surprise overage bill. Driftstack only counts how many sessions you run at the same time. Within that cap, use them as much as you want: a session that sits open all day costs nothing extra. You upgrade when your team genuinely needs more sessions running side by side — not because a meter ran out, and never with the "did I use too many minutes this month" anxiety.

What's the difference between Manual and API?

Manual means a person drives the session — you click around in our desktop app the way you would on a real phone. It's built for solo operators, account managers, and agencies juggling many profiles. API means your code drives the session — you get the SDK (our ready-made code library), your scripts start sessions themselves, and you can automate at scale. Underneath, both get the same engine, the same fingerprints, the same faithfulness to the real device; what differs is how you drive it and the concurrent caps. Each Driftstack account holds one subscription. If you need both — say your team works in the desktop app AND your engineering team runs automation — run two accounts. Most customers find one path is enough; if you outgrow it, the second account is straightforward to provision. See Manual pricing or API pricing.

How does this compare to Chromium-cloud stealth services?

Chromium-cloud services take Chrome and dress it up with 'stealth' plugins — a faked identity string plus patched-over JavaScript functions that intercept the checks websites run (on canvas, WebGL, and the navigator object — e.g. replacing built-ins like Object.getOwnPropertyDescriptor). The disguise holds if a website only checks the painted-over surfaces; it fails the moment a detector looks underneath — at timing, at how errors are worded, at the graphics chip's raw output. Driftstack runs Apple's actual WebKit browser code, so there is no underneath: the fingerprint your session shows is the one a real iPhone shows, produced by the same code all the way down.

How does concurrent metering work?

Concurrent means how many sessions you can run at the same time — think of it like the number of browser tabs you have open at once. That's the only thing we meter on paid tiers. Per-tier caps: Personal = 1 concurrent / Team = 3 / Agency = 8 / API Starter = 2 / API Builder = 8 / API Scale = 24 / Enterprise = custom. Within your cap, run as many session-hours as you want — a 5-minute session and a 6-hour session count exactly the same. The cap only limits how many run side by side; your monthly total is whatever your sessions produce running continuously. No monthly meter, no per-hour metering, no overage line items. The free tier has no metering at all — one concurrent session, no usage charges.

What happens when I hit my concurrent cap?

Starting one session too many simply fails with a clear error — nothing already running is touched. Existing in-flight sessions are not interrupted. The cap is only checked when a session starts, never mid-session. (For developers: the request fails with HTTP 429 + a structured RFC 9457 problem-detail naming the cap and, where applicable, the next tier up.) To raise the cap, upgrade to a higher tier or contact sales for Enterprise custom limits.

Are there setup fees on any tier?

No. No setup fees, no implementation fees, no minimum-monthly-volume commitments on any subscription tier. The free tier is $0 forever; subscriptions bill monthly or annually at the listed price + sales tax (VAT/BTW) where it applies.

How does annual billing work?

Annual contracts are billed up front for 12 months at 20% off the monthly equivalent. Switching from monthly to annual or vice versa is prorated automatically by Stripe at the changeover date. Annual contracts auto-renew unless cancelled at least 30 days before renewal.

Free tier

What do I get on the free tier?

One persistent profile, one concurrent session, and sessions up to 20 minutes each, driven from our desktop app — $0 forever, no card required. The free tier is manual-only (no API/SDK access from code); it exists so you can try the real thing before paying anything: open real iPhone Safari sessions on real WebKit and watch the fingerprint match in your own flows.

Does the free tier expire?

No. The free tier is perpetual — there is no time window, no credit that runs out, and no auto-charge. Stay on it as long as you like.

Can I use the API or SDK on the free tier?

No — the free tier is manual-only and runs through our desktop app. Every paid tier, including the Manual tiers, includes programmatic API/SDK access with live keys; paid tiers also drop the per-session time cap. The API ladder (API Starter from $149/mo) is the path built and sized for code-first workloads, with concurrent caps that scale further (up to 24 sessions side by side on API Scale). The free tier lets you evaluate the real iPhone Safari fingerprint hands-on before committing to automation.

Is there any usage metering on the free tier?

None. No per-hour metering, no credit decrement, no overage. One concurrent session is the only limit, and within it you can run as many manual session-hours as you want.

How do I move from the free tier to a paid tier?

Subscribe to any Manual or API tier through Stripe Checkout from your dashboard. Your existing profile and account carry over; the higher concurrent + profile limits and programmatic API access (included on every paid tier) apply immediately on activation.

Tiers + upgrades

Can I upgrade or downgrade mid-month?

Yes. Stripe prorates the price change automatically at the changeover date. New concurrent + profile limits apply immediately on the next session-creation request and the next profile-creation request. Anything already running or saved is untouched at the changeover; only new sessions and profiles are checked against the new limits.

What if I cancel?

Service continues through the end of your current billing period. After that your account moves to the free tier automatically — nothing is deleted, your profiles and account data stay, and you can resubscribe any time. Free-tier limits then apply (1 profile, 1 concurrent session, manual-only). Invoice history is retained for the legally-required period.

How does Enterprise pricing work?

Enterprise is custom — from $4,000/mo on annual contracts only. Actual pricing depends on how many sessions you run at once, how many profiles, custom device types (archetypes), how you want AI usage billed (your own Anthropic key, or through us), and any compliance paperwork (custom data-protection agreement terms and add-ons). Email sales@driftstack.dev with a description of your workload and team.

Billing + payments

Why Stripe?

Stripe is our payment processor. Card statements show "STRIPE *DRIFTSTACK". Receipts come from Stripe. Subscription management goes through the Stripe Customer Portal. Stripe handles PCI compliance (the card-security rules), fraud protection, payment disputes, and EU VAT/BTW reverse-charge (the EU tax rules for business buyers) — we rely on Stripe for all of that rather than rebuilding it ourselves.

Where do I update my payment method or download invoices?

Stripe Customer Portal. Linked from your Driftstack dashboard and from every Stripe receipt email. Payment-method updates, invoice downloads, subscription cancellations, and tax-ID configuration all live there.

Do you store my card details?

No. Card details are stored by Stripe, never by Driftstack. We hold a Stripe customer ID and subscription metadata; the card number itself never touches our servers.

Can I pay in crypto?

Yes — via NowPayments on tiers where crypto checkout is enabled. Open the crypto checkout from the billing dashboard, send the displayed amount in the displayed currency, and the order moves through pending → confirming → paid as on-chain confirmations land. (For developers: the webhook events — the automatic notifications our system sends yours as a payment progresses — are documented in the crypto webhook events docs.) Crypto payments are non-refundable — you can cancel anytime, which stops future billing, but the current period is not refunded (see refund policy). Most customers use Stripe; crypto is a fallback for jurisdictions where card payments are awkward.

How can I tell how much I've spent this month?

The desktop app shows a Cost panel with this month's spend broken down by component: compute, storage, network traffic out (egress), email, and AI usage — plus whether you're on track for your tier's cap, approaching it, or over it. Developers can fetch the same numbers from GET /v1/account/cost (totals in whole cents; the on-track state is reported as under-soft / between / over-hard). See the cost-monitoring docs.

What if I cross my tier's cap?

You get one email when your spending passes the early-warning level (the "soft cap") and another if it crosses the hard cap. Nothing is auto-blocked — running sessions stay running. The account team reaches out to discuss raising the cap or moving to a higher tier. We don't silently kill traffic to enforce a soft cap.

Are the spend numbers live or cached?

Live — recalculated every time you look. If traffic grows we may switch to nightly pre-computed snapshots, but the API response shape won't change, so anything you've built on it keeps working.

Bundled LLM + BYOK

What is the bundled LLM?

Driftstack's optional AI agent feature drives sessions with a large language model (LLM) — useful for describing tests in plain English, automatically spotting what changed between screenshots, or letting the AI explore a flow on its own. On Builder / Scale / Enterprise, you have two options: BYOK (bring your own API key — get one from your model provider, e.g. console.anthropic.com; the AI usage is then billed to you by your provider, not Driftstack), or use the bundled rate (Driftstack carries the AI calls for you and bills them on one invoice, at a markup over the provider's published price — AI usage is metered in "tokens", small chunks of text).

How do agent sessions work?

An agent session sits on top of a regular session and works like a chat: you type what you want (e.g. "open https://example.com and capture a screenshot"), the AI breaks it into concrete steps (navigate, interact, wait, capture), and the session carries them out. Three modes: AI (default — the AI plans every message), manual (your own app passes instructions straight through), and pair (the AI drives, but you can take over and hand back). You can watch a live transcript as it runs (streamed via Server-Sent Events, for developers). Full reference at docs.driftstack.dev/api/agent-sessions.

What's the BYOK markup?

Per-token pricing for the bundled rate is announced at launch. BYOK incurs no Driftstack markup — your Anthropic API key, your bill, your control. Set a stored BYOK key via the dashboard /settings page, PUT /v1/account/me/byok-anthropic-key, or per-request via the x-byok-anthropic-api-key header. Which tiers may use which billing: Team, Agency, and API Starter are BYOK-only; API Builder, API Scale, and Enterprise support bundled-LLM with consent — an explicit opt-in (for developers: PATCH /v1/account/me/bundled-llm-settings). The dashboard switch for that opt-in arrives at v1.1 (until then, use the PATCH endpoint directly); a read-only bundled-LLM status panel is in the desktop app.

Is BYOK secret-handling secure?

Yes. Your Anthropic API key is encrypted at rest with envelope encryption, decrypted in-memory only at session execution time, and never logged. In plain terms: the key is stored encrypted, the key that unlocks it is itself locked away separately, and it's only readable in memory for the moment a session runs. Our data-processing agreement (DPA) covers exactly how it's handled. Self-hosted customers can hold the outer (envelope) key in their own key-management system (KMS).

EU stack + compliance

Where is my data stored?

Customer data in our databases — your account, profiles, audit logs, session metadata — is hosted in the EU: compute and database are EU-resident. Uploaded files (your avatar, for example) use Cloudflare's R2 storage network, which can replicate outside the EU. Session execution may run in supported regions outside the EU under standard contractual clauses (SCCs) and the EU-US Data Privacy Framework — the legal mechanisms EU law provides for data that leaves the EU. Our complete sub-processor list, with locations and contractual basis, is published at /trust/sub-processors and in the Data Processing Agreement.

Can I pick which region my data is stored in?

You can state a region preference (US / EU / APAC) from /settings → Region; for v1 it's informational only. Every customer's account data sits on EU-jurisdiction infrastructure today regardless of preference selected. The preference exists so we can route you to the matching region automatically once the multi-region rollout lands; we'll give you 30 days' notice before any of your data is moved — following the DPA's Article 28 process for changing sub-processors (the outside vendors that handle your data) — with the right to keep your data in the EU or terminate the affected portion of the service. The trust page at /trust/sub-processors covers this in the same plain language as the dashboard.

What does my team see when I add them to my account?

Team members with the member role see read-only views of your sessions, profiles, API keys, webhooks, audit log, and usage. Members with the admin role can also create/update/delete those resources. They never see your billing, your password, or your MFA recovery codes. When a member acts on your account, the audit log records both the action AND which member did it — so you can see who on your team did what without cross-referencing anything. Sign-in and sign-out entries also record the IP address and browser used; that detail is visible to both you and any team member with read access on your account, so don't add team members you wouldn't share that level of detail with. Full reference: docs.driftstack.dev/api/team.

Are you GDPR-compliant?

Yes. Privacy Policy + DPA + Acceptable Use Policy are linked in the footer. Sub-processor list is documented in the DPA Annex 3. Requests to have your data deleted (GDPR's "right to erasure") are honoured within 30 days. The legal documents are baseline drafts under counsel review; first paying customer onboards only after counsel review completes.

Do you have a SOC 2 / ISO 27001 audit?

Not at v1. SOC 2 / ISO 27001 are roadmap items for after our first paying customer. For v1 the compliance basis is GDPR plus the EU's standard contractual clauses (SCCs) and the EU-US Data Privacy Framework (DPF) for any data leaving the EU. If you need the machines themselves certified beyond that, self-hosting on your own audited hardware is the immediate path.

Where do I read the Terms / Privacy / DPA / AUP?

Footer of every page links to the four documents at /legal/*. When you create an API key we record exactly which version of each document you accepted (identified by a fingerprint of its contents); when a document changes, you're asked to accept the new version, following the DPA's Article 28 amendment process.

Architecture + sessions

Are these real iPhones or emulated?

Neither — and that's the point. Driftstack runs the same browser code Apple ships on the iPhone: our own build of Apple's WebKit + Safari source code (the same C++ program code that runs on iOS), running on Apple's M-series Macs (macOS, Apple Silicon). Macs and iPhones share the same Apple chip family, so the engine is identical to a physical iPhone's — the same JavaScript engine (JavaScriptCore), the same page-rendering engine (WebCore), the same building blocks a fingerprint is made from, and, crucially, the same family of graphics chips. Everything a website can measure from inside a page — drawing output (canvas), 3D graphics (WebGL), audio, and the browser's own internals (navigator, prototype chain, error stacks) — matches a real iPhone bit for bit, because the same code produces it on the same chip family. The only differences sit so deep in the operating system that no website can read them from a page (kernel timings far below the web's reach), and detection that targets those is vanishingly rare in practice.

Does Driftstack work with Playwright / Selenium / Puppeteer?

Not by connecting them directly — those tools speak Chrome's remote-control protocol (CDP / WebDriver), and Driftstack deliberately offers no CDP passthrough: no Chrome DevTools Protocol WebSocket, no WebDriver endpoint. connectOverCDP(), puppeteer.connect(), and Selenium/WebDriver clients cannot attach to a session. Instead you drive sessions through the typed Driftstack SDK over structured REST actions — navigate, interact (tap / type / scroll / press), wait, capture, extract, state, search, and login. If you have an existing Playwright/Puppeteer script, you reshape it into those discrete actions rather than pointing the same client at a new endpoint. SDK quickstarts at /sdk/typescript-quickstart, /sdk/python-quickstart, /sdk/go-quickstart.

Where do my sessions actually run?

Sessions run in one EU region. Customer data in our databases — accounts, profiles, audit logs, session metadata — stays in the EU; uploaded files (avatars, for example) use Cloudflare's storage network, which can replicate outside the EU. The sub-processor list has the full breakdown with each provider's region. From EU locations, your commands typically reach our API in under 30 milliseconds, and a full round trip — your click going in, the live picture coming back — takes under 100. US and Asia-Pacific customers see proportionally longer round trips, since the sessions stay in the EU.

Migrating from another vendor

Migrating from Browserless / Bright Data / ScrapingBee / Browserbase?

It is not just changing one URL — scripts built for those platforms can't connect to Driftstack directly (there is no CDP passthrough, the socket Chrome-automation tools plug into). Migration means reshaping your script into Driftstack's discrete REST actions (navigate / interact / wait / capture / extract) driven through the typed SDK. The fingerprint your sessions present changes too (you go from Chromium to real WebKit), so any test or production flow that depended on Chrome-specific behaviours (a specific user-agent string, Chrome-only DevTools commands, CSS bugs specific to Blink — Chrome's rendering engine) needs adjustment too. The comparison page covers feature-by-feature differences; we publish step-by-step migration guides for the common Chromium vendors — migrating from Browserless and migrating from Puppeteer. Email support@driftstack.dev if you want a hand reshaping your test suite before you cut over.

Can I run a side-by-side comparison before committing?

Yes — that's exactly what the free tier is for. Run manual sessions through Driftstack in parallel with your current vendor and compare outputs at no cost. Many customers convert to a paid tier after seeing real fingerprint match rates in their actual flows; some discover their detection-evasion problem isn't worth solving and stay on a Chromium service. Either outcome is fine — we'd rather you make the right call than the upsell.

Acceptable use

Is X allowed? (sneaker bots / scraping / ad fraud / etc.)

The full Acceptable Use Policy is at /legal/aup — read it before signing up if you're unsure. Short version: Driftstack is built for legitimate automation — QA, accessibility testing, market research, regulated-industry compliance testing, agency multi-client management, AI-agent-driven flows. We don't allow attacks on third-party systems, fraud (ad fraud, fake-account creation, payment fraud), CSAM (child sexual abuse material) or other illegal content, large-scale scraping that breaks a site's terms of service (ToS) by getting around logins or past a site's reasonable rate limits, or operating sneaker bots / ticket bots against vendors who have publicly prohibited bot purchasing. Suspected abuse triggers an account review under the Acceptable Use Policy's escalation process; persistent violations terminate the account.

What happens if Driftstack as a business goes away?

Two protections. (1) Data portability: profiles + audit logs + session metadata can be exported as CSV/JSON from the dashboard or via the API at any time, so customers can take their data with them on any timeline. (2) Self-hosted option: Enterprise + Self-hosted licensees receive source escrow — an independent third party holds a copy of our source code. If the cloud service is ever wound down, the escrow agreement releases the browser engine (the WebKit fork) and the management software (the control-plane code) so customers can keep running everything on their own hardware indefinitely. We carry no investors and no debt, so the most likely "Driftstack goes away" scenario is a planned wind-down with months of notice, not a sudden shutoff. Self-hosted on day one is the answer for customers who can't accept any cloud-vendor risk.

Support + reliability

How do I contact support?

Email support@driftstack.dev. Reply target is 48h business-time across every tier — an operational target we hold ourselves to, not a contractual SLA. Replies are written, not template-blasted, so they take honest time. Slack Connect is available on request once a paid subscription is active. API Scale and Enterprise additionally carry a contractual first-response SLA on Severity-1 incidents (4 hours and 1 hour respectively) — see the SLA policy.

What if a session fails?

You can see everything a session did, start to finish, in the dashboard or from the SDK. A failed session returns a clear, machine-readable error (RFC 9457 problem-types, for developers), and any captures you took before the failure — screenshots, page snapshots, PDFs — are already in your hands, because capture results return to you the moment you take them. (Session video recording is on the roadmap, not live yet.) Sessions that fail on our side (a crash, no machine available) do not consume your concurrent slot — the slot frees immediately on failure detection.

What's the uptime target?

Two answers, per the Terms §9. On the Free, Manual (Personal / Team / Agency), API Starter, and API Builder tiers there is no contractually-binding SLA — we run best-effort (operationally we aim for 99.5%+) but do not commit to a specific uptime percentage, because a promise we could not stand behind would be theatre. API Scale and Enterprise carry a contractual SLA: 99.9% monthly availability with service credits, published in full at the SLA policy. Either way, the status page publishes incidents with timestamps + a written root-cause analysis (RCA) for each, and if an incident hurts your workload meaningfully on any tier, email support@driftstack.dev with concrete impact and we will work out a credit in good faith.