Trust Center

Your data never leaves the browser. Here is the proof.

No backend, no accounts, no sync service. Every claim on this page is checkable against the running application — most of them in under two minutes.

Zero egress
Verify it yourself
The two-minute DevTools proof

Do not take our word for it — your browser ships the audit tool. Static application assets load once; after that, your workspace generates no outbound traffic you did not explicitly trigger.

  1. Open DevTools → Network. Tick “Preserve log”. (F12 / Cmd-Opt-I)
  2. Import a spec, forge a mock, edit a mapping, run a scenario. (normal work)
  3. Filter by Fetch/XHR. Count requests carrying workspace data. (result: zero)
  4. Switch the Network condition to “Offline”. Keep working. (still works)
Complete list
Exactly three flows ever leave this browser
  1. Live API calls from the Explorer
     Trigger: You press Send on a request you composed
     Destination: The environment base URL you configured
     src/routes/api-explorer.tsx → fetch(request)
  2. Specification loads at import
     Trigger: You paste a spec URL in the import wizard
     Destination: The URL you provided
     src/lib/spec-loader.ts → fetch(url)
  3. Webhook notifications on scheduled runs
     Trigger: You configure a webhook URL on a schedule
     Destination: Your webhook endpoint
     src/domain/store.ts → fetch(notify.webhookUrl)
There is no fourth flow: no telemetry on API data, no analytics pipeline for workspace content, no background sync.
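
The DevTools check and the three-flow list above can be combined into a repeatable audit. The script below is an added example, not code from the application: it classifies every request in a HAR export from the Network panel against the three declared destinations and flags anything else. The app origin, the three destination URLs and the sample HAR entries are constructed assumptions.

```javascript
// Added example: audit a DevTools HAR export against the three declared flows.
// Every origin, URL and HAR entry below is constructed for illustration.
const APP_ORIGIN = "https://workbench.example"; // assumed origin serving the app
const DECLARED = [
  { flow: "explorer", base: "https://api.staging.example/v1/" }, // environment base URL
  { flow: "spec-import", base: "https://specs.example/petstore.yaml" }, // pasted spec URL
  { flow: "webhook", base: "https://hooks.example/ci" }, // schedule webhook URL
];

// Map one HAR entry to a declared flow, a static asset load, or UNDECLARED.
function classify(entry) {
  const { method, url, postData } = entry.request;
  const u = new URL(url);
  const target = u.origin + u.pathname; // compare without query string or fragment
  for (const d of DECLARED) {
    const hit = d.base.endsWith("/") ? target.startsWith(d.base) : target === d.base;
    if (hit) return d.flow;
  }
  // Static assets: same origin, GET, no body, no query string that could carry data.
  const hasBody = Boolean(postData && postData.text);
  if (u.origin === APP_ORIGIN && method === "GET" && !hasBody && !u.search) {
    return "static-asset";
  }
  return "UNDECLARED";
}

// Count entries per class and list every request that matches no declared flow.
function auditHar(har) {
  const counts = {};
  const undeclared = [];
  for (const entry of har.log.entries) {
    const kind = classify(entry);
    counts[kind] = (counts[kind] || 0) + 1;
    if (kind === "UNDECLARED") undeclared.push(`${entry.request.method} ${entry.request.url}`);
  }
  return { counts, undeclared };
}

const req = (method, url, text) => ({ request: { method, url, postData: text ? { text } : undefined } });
const SAMPLE_HAR = { log: { entries: [ // constructed session, including two planted violations
  req("GET", "https://workbench.example/assets/app.js"),
  req("GET", "https://specs.example/petstore.yaml"),
  req("POST", "https://api.staging.example/v1/pets", '{"name":"rex"}'),
  req("POST", "https://hooks.example/ci", '{"run":"ok"}'),
  req("POST", "https://telemetry.example/collect", '{"mappings":[]}'),
  req("GET", "https://workbench.example/px.gif?ws=eyJtYXAiOltdfQ"),
] } };

console.log(auditHar(SAMPLE_HAR));
```

The audit covers all resource types rather than only Fetch/XHR, so a same-origin GET that carries data in its query string is flagged too. A clean session should report an empty `undeclared` list.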
Live — this browser, right now
Local data inventory
localStorage key | Purpose | Size
For your DPO
GDPR mapping — architectural answers
Article | Principle | Architectural answer
Art. 5(1)(c) | Data minimisation | The vendor processes zero customer workspace data. Minimisation is absolute — there is nothing on our side to minimise.
Art. 25 | Protection by design and by default | Zero egress is the design. There is no backend to misconfigure and no default sharing to switch off.
Art. 32 | Security of processing | The security boundary is your browser profile and device controls. Exported bundles support AES-256-GCM encryption; exports happen only on explicit user action.
Art. 17 | Right to erasure | Settings → Privacy & data erases every application key and downloads a deletion receipt (key list + SHA-256 of the removed payload). There is no server-side copy to chase.

Compliance is a property of your process, not of any tool. This table documents the architectural facts the workbench contributes to that process.

No theatre
Security posture — including the honest parts
What the architecture gives you
No transmission of workspace data — verifiable in DevTools in two minutes
Optional AES-256-GCM encrypted workspace bundles (PBKDF2-SHA-256, 150 000 iterations)
Deletion receipts with a SHA-256 hash of the erased payload
Append-only audit log, production locks and role-gated actions in the workbench
What it does not do — read this part too
localStorage is not encrypted at rest — anyone with access to your browser profile can read it. Use OS user separation and disk encryption.
Browsers can evict or clear storage — export workspace bundles as backups; Settings shows a backup-staleness reminder.
Live calls you trigger leave your machine by definition, carrying the auth headers you configured. That traffic is yours, not ours.
There is no team sync or SSO today — see the roadmap box below; we do not present futures as features.
Evidence file
Data Protection Annex (PDF)

A one-page architecture statement for vendor-risk reviews: processing summary, data location, the complete outbound-flow list and the GDPR mapping above — stamped with this browser's live storage figures. Generated locally, like everything else.

Your controls
Erasure & portability
Roadmap — future tense, on purpose
What is not built yet
Encrypted workspace sync — end-to-end encrypted, so we still cannot read your data. It will ship when it meets that bar, not before.

SSO (OIDC) and self-hosted distribution — planned for the Enterprise tier; priced when they exist.

Until then, collaboration is snapshot export/import — deliberately boring, deliberately verifiable.