We can't leak what we don't have.
Krosstabs processes your survey data entirely inside your browser using WebAssembly and Web Workers. No file is ever transmitted to our servers — not during upload, not during analysis, not during export.
This page documents the architecture for IT reviewers, information security teams, and compliance officers who need more than a marketing claim.
Where your data goes — and where it stops
Open your browser's Developer Tools → Network tab before loading a file. You will see no outbound request carrying your CSV rows. The data flow is:
The only outbound network requests Krosstabs makes are:
- ✓Authentication tokens — to
*.supabase.co(Supabase auth). Contains your email and session token only. Never your survey data. - ✓Project metadata — project names, file names, row counts. Zero respondent rows are included.
- ✓AI model download (AI Coder only) — a 22 MB ONNX model is downloaded from HuggingFace CDN once and cached locally. Respondent text is then coded in-browser. No text is sent to any AI API.
- ✓Billing events — to Paddle.com for subscription management. No survey data.
Why this matters for compliance
No DPA required
Under GDPR Art. 28, a Data Processing Agreement is only required when a processor handles personal data on behalf of a controller. Because we never receive your respondent data, we are not a processor for that data. No DPA needed.
Zero upload = zero breach surface
A server breach at Krosstabs exposes only authentication tokens and project metadata. Respondent demographics, verbatims, and survey responses are never in scope — they were never uploaded.
IT approval without network policy changes
Because Krosstabs is a browser-only tool, it requires no firewall rules, VPN exceptions, or data egress monitoring. The outbound domains are*.supabase.co (auth + metadata), *.paddle.com (billing),huggingface.co and its CDN hosts (AI Coder model download), and*.ingest.sentry.io (error monitoring).
GDPR Art. 32 by architecture
Art. 32 requires "appropriate technical measures" to protect personal data. Not transmitting the data at all is a stronger control than encrypting it in transit. Zero-upload satisfies the spirit of the article by design.
IndexedDB retention and clearing
Your data is stored in the browser's IndexedDB — a persistent local database. It is separate from cookies and localStorage. Below is how it behaves across different scenarios:
| Scenario | Data retained? | Notes |
|---|---|---|
| Browser refresh (same tab) | Yes | IndexedDB persists across refreshes. |
| Close and reopen browser | Yes | Data is persisted to disk. |
| Private / Incognito mode | Session only | IndexedDB is cleared when the private window closes. |
| Safari with ITP (cross-site context) | Partitioned | Safari's Intelligent Tracking Prevention partitions storage in cross-site contexts. Use krosstabs.com as the top-level origin to avoid this. |
| “Clear site data” in browser settings | No | All local data is deleted. Same as using the Clear Local Data button. |
| Uninstalling the browser | No | Browser deletion removes all storage databases. |
Storage quota. Browsers allocate IndexedDB space as a percentage of available disk (typically 60% of free disk space, subject to browser quotas). Krosstabs encrypts all stored data using AES-256-GCM via the Web Crypto API. Your encryption key is held server-side (itself envelope-encrypted) and restored when you log back in — but your data is not. The encrypted data lives only in this browser's IndexedDB and is never uploaded, so clearing site data deletes it permanently. Export any work you want to keep before clearing storage or switching devices.
Common procurement questions, answered
Print this page or share the URL with your information security team. The checklist below covers the questions most IT reviewers ask.
- ✓Where is respondent data stored?In the browser's IndexedDB on the analyst's local device. It is never uploaded to any server.
- ✓What data does Krosstabs store server-side?Authentication tokens, project names, file names, row counts, and subscription status. No survey data, no respondent rows, no verbatims.
- ✓Is a Data Processing Agreement required?No. Krosstabs does not process personal data on behalf of your organisation. No DPA is needed under GDPR Art. 28.
- ✓What are the outbound network domains?
*.supabase.co(auth + project metadata),*.paddle.com(billing),huggingface.co/cdn-lfs.huggingface.co/cdn-lfs-us-1.huggingface.co(AI model download, AI Coder tool only), and*.ingest.sentry.io(error monitoring). These match the deployedconnect-srcContent-Security-Policy header exactly — verify it in your browser's response headers. - ✓What encryption is used?All data in IndexedDB is encrypted with AES-256-GCM via the browser's Web Crypto API. Data in transit uses TLS 1.2+. Supabase (data storage) is hosted on AWS with encryption at rest.
- ✓How do we delete all data?The analyst can clear all local data via Settings → Clear Local Data. Server-side metadata can be deleted via Account → Delete Account, which triggers a GDPR-compliant data deletion request under
/api/account/delete. - ✓Is the tool compatible with our browser policy?See our Browser Compatibility page for supported browsers and minimum versions. Krosstabs requires WebAssembly, Web Workers, and IndexedDB — supported in all modern browsers since 2020.
- ✓What security headers does the site use?Content-Security-Policy (strict connect-src, no object-src, frame-ancestors none), X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Strict-Transport-Security with preload, Permissions-Policy (camera, microphone, geolocation disabled).
- ✓Is there a bug bounty or responsible disclosure contact?Email security@krosstabs.com for responsible disclosure. We commit to acknowledging reports within 5 business days.
Start analysing. Your data never moves.
Load a sample dataset and run a banner table with significance testing — no account required. Verify the zero-upload claim in your own Network tab.
Start free account