Skip to main content
Security & Privacy Architecture

We can't leak what we don't have.

Krosstabs processes your survey data entirely inside your browser using WebAssembly and Web Workers. No file is ever transmitted to our servers — not during upload, not during analysis, not during export.

This page documents the architecture for IT reviewers, information security teams, and compliance officers who need more than a marketing claim.

Network verification

Where your data goes — and where it stops

Open your browser's Developer Tools → Network tab before loading a file. You will see no outbound request carrying your CSV rows. The data flow is:

Your CSV / XLSX file
on your hard drive
FileReader API
browser API, no network
IndexedDB
local browser storage
Web Workers + WASM
analysis runs in-browser

The only outbound network requests Krosstabs makes are:

  • Authentication tokens — to *.supabase.co (Supabase auth). Contains your email and session token only. Never your survey data.
  • Project metadata — project names, file names, row counts. Zero respondent rows are included.
  • AI model download (AI Coder only) — a 22 MB ONNX model is downloaded from HuggingFace CDN once and cached locally. Respondent text is then coded in-browser. No text is sent to any AI API.
  • Billing events — to Paddle.com for subscription management. No survey data.
Architecture

Why this matters for compliance

🔐

No DPA required

Under GDPR Art. 28, a Data Processing Agreement is only required when a processor handles personal data on behalf of a controller. Because we never receive your respondent data, we are not a processor for that data. No DPA needed.

🛡️

Zero upload = zero breach surface

A server breach at Krosstabs exposes only authentication tokens and project metadata. Respondent demographics, verbatims, and survey responses are never in scope — they were never uploaded.

🏢

IT approval without network policy changes

Because Krosstabs is a browser-only tool, it requires no firewall rules, VPN exceptions, or data egress monitoring. The outbound domains are*.supabase.co (auth + metadata), *.paddle.com (billing),huggingface.co and its CDN hosts (AI Coder model download), and*.ingest.sentry.io (error monitoring).

📋

GDPR Art. 32 by architecture

Art. 32 requires "appropriate technical measures" to protect personal data. Not transmitting the data at all is a stronger control than encrypting it in transit. Zero-upload satisfies the spirit of the article by design.

Local storage behaviour

IndexedDB retention and clearing

Your data is stored in the browser's IndexedDB — a persistent local database. It is separate from cookies and localStorage. Below is how it behaves across different scenarios:

ScenarioData retained?Notes
Browser refresh (same tab)YesIndexedDB persists across refreshes.
Close and reopen browserYesData is persisted to disk.
Private / Incognito modeSession onlyIndexedDB is cleared when the private window closes.
Safari with ITP (cross-site context)PartitionedSafari's Intelligent Tracking Prevention partitions storage in cross-site contexts. Use krosstabs.com as the top-level origin to avoid this.
“Clear site data” in browser settingsNoAll local data is deleted. Same as using the Clear Local Data button.
Uninstalling the browserNoBrowser deletion removes all storage databases.

Storage quota. Browsers allocate IndexedDB space as a percentage of available disk (typically 60% of free disk space, subject to browser quotas). Krosstabs encrypts all stored data using AES-256-GCM via the Web Crypto API. Your encryption key is held server-side (itself envelope-encrypted) and restored when you log back in — but your data is not. The encrypted data lives only in this browser's IndexedDB and is never uploaded, so clearing site data deletes it permanently. Export any work you want to keep before clearing storage or switching devices.

IT reviewer checklist

Common procurement questions, answered

Print this page or share the URL with your information security team. The checklist below covers the questions most IT reviewers ask.

  • Where is respondent data stored?In the browser's IndexedDB on the analyst's local device. It is never uploaded to any server.
  • What data does Krosstabs store server-side?Authentication tokens, project names, file names, row counts, and subscription status. No survey data, no respondent rows, no verbatims.
  • Is a Data Processing Agreement required?No. Krosstabs does not process personal data on behalf of your organisation. No DPA is needed under GDPR Art. 28.
  • What are the outbound network domains?*.supabase.co (auth + project metadata), *.paddle.com (billing), huggingface.co / cdn-lfs.huggingface.co / cdn-lfs-us-1.huggingface.co (AI model download, AI Coder tool only), and *.ingest.sentry.io (error monitoring). These match the deployed connect-src Content-Security-Policy header exactly — verify it in your browser's response headers.
  • What encryption is used?All data in IndexedDB is encrypted with AES-256-GCM via the browser's Web Crypto API. Data in transit uses TLS 1.2+. Supabase (data storage) is hosted on AWS with encryption at rest.
  • How do we delete all data?The analyst can clear all local data via Settings → Clear Local Data. Server-side metadata can be deleted via Account → Delete Account, which triggers a GDPR-compliant data deletion request under /api/account/delete.
  • Is the tool compatible with our browser policy?See our Browser Compatibility page for supported browsers and minimum versions. Krosstabs requires WebAssembly, Web Workers, and IndexedDB — supported in all modern browsers since 2020.
  • What security headers does the site use?Content-Security-Policy (strict connect-src, no object-src, frame-ancestors none), X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Strict-Transport-Security with preload, Permissions-Policy (camera, microphone, geolocation disabled).
  • Is there a bug bounty or responsible disclosure contact?Email security@krosstabs.com for responsible disclosure. We commit to acknowledging reports within 5 business days.
Browser compatibility matrix →

Start analysing. Your data never moves.

Load a sample dataset and run a banner table with significance testing — no account required. Verify the zero-upload claim in your own Network tab.

Start free account