
Security

Last updated: March 2026

Recense is built around a local-first principle: survey import, tabulation, and analysis run on your machine, while optional cloud features store only encrypted project or dataset bytes plus the minimum metadata needed to operate them. Enterprise hosted compute is a separate mode for datasets your organisation explicitly publishes to the direct hosted endpoint.

Client-side architecture

All survey data processing happens in your browser using a compiled WebAssembly engine. When you import an SPSS file, the bytes are read by your browser, parsed by our Rust engine (compiled to WASM), and stored in your browser's IndexedDB.

This means:

  • Normal import, review, tabulation, and analysis happen locally
  • Remote raw-data access is not available in the hosted product
  • Cloud projects and cloud datasets are encrypted on your machine before upload
  • Server-visible cloud dataset metadata is limited to catalogue fields needed for organisation browsing
  • Enterprise hosted compute only serves datasets an organisation has explicitly published

AI agent data handling

When the AI agent needs to answer a question about your data, it may call tools that return respondent-level values (for example, read_raw_data). Those tool results become part of the conversation and are sent to the model provider on the next turn. The provider does not retain your dataset between requests, and Recense does not store the text of your conversations.

Built-in agent

Conversation messages and tool results are proxied through our server to the selected model provider (Anthropic, OpenAI, Google, or Fireworks AI). We do not store the text of these messages. We retain per-request metadata (user ID, timestamp, model, input/output token counts) for billing and abuse detection. Under each provider's default API terms, inputs are not used to train models; we do not direct providers to train on your data.

Bring Your Own Key (BYOK)

If you use your own API key, conversations go directly from your browser to your chosen provider. We never see them. Your API keys are stored locally in your browser and are never transmitted to our servers.

Encryption

| Layer | Method |
|---|---|
| In transit | TLS 1.2+ on all connections. HTTPS enforced site-wide via Cloudflare. |
| At rest (cloud save) | Client-side AES-256-GCM encryption before upload. We hold no decryption keys. |
| At rest (cloud datasets) | Client-side encryption before upload. The server stores ciphertext plus catalog metadata and per-user wrapped access grants. |
| At rest (enterprise hosted compute) | Server-side Parquet + sidecar artifacts for explicitly published datasets, stored separately from the client-encrypted cloud dataset library. |
| At rest (local) | Browser IndexedDB, governed by your device's own disk encryption. |
| Account data | Stored in Supabase (EU-hosted) with encryption at rest enabled. |

Authentication

  • Email magic links (passwordless) or email/password with bcrypt hashing
  • Session management via Supabase with short-lived JWTs
  • No third-party social logins that share data with advertising networks

Infrastructure

| Provider | Role | Compliance |
|---|---|---|
| Cloudflare | Hosting, CDN, DDoS protection, WAF | SOC 2 Type II, ISO 27001 |
| Supabase | Authentication, database (EU region) | SOC 2 Type II |
| Stripe | Payment processing | PCI DSS Level 1 |
| Anthropic | AI provider (built-in agent) | SOC 2 Type II |
| OpenAI | AI provider (built-in agent, hosted semantic search) | SOC 2 Type II |
| Google AI | AI provider (built-in agent) | SOC 2 Type II, ISO 27001 |
| Sentry | Error monitoring | SOC 2 Type II |

All infrastructure providers maintain their own independent security certifications. We select providers that meet or exceed the security requirements of enterprise customers.

Error tracking

We use Sentry for error monitoring with aggressive data scrubbing. Before any error is reported, we strip:

  • Survey data, variable names, and dataset metadata
  • Email addresses and user names
  • IP addresses
  • Cookies and request bodies

We do attach your Recense user ID (a UUID) so we can reproduce issues and respond to support tickets. You can disable error reporting entirely by enabling "Work Local" mode.
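A scrubbing step like the one described above is typically run from a Sentry `beforeSend` hook. The following is an added example, not Recense's code: `scrubEvent`, the redaction patterns and the sample event are assumptions constructed for illustration, and the field names follow Sentry's event payload.

```javascript
// Added example, not Recense's code. `scrubEvent` is a hypothetical helper that a
// Sentry `beforeSend` hook could call; field names follow Sentry's event payload.
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;
const IPV4_RE = /\b(?:\d{1,3}\.){3}\d{1,3}\b/g;

const redactText = (t) =>
  typeof t === "string" ? t.replace(EMAIL_RE, "[email]").replace(IPV4_RE, "[ip]") : t;

function scrubEvent(event, userId) {
  const clean = { ...event }; // shallow copy: the caller's event is not mutated

  // Keep only the opaque user ID (a UUID); drop email, username and IP address.
  clean.user = userId ? { id: userId } : undefined;

  // Drop cookies, request body and headers; keep the URL without query or fragment.
  if (event.request) {
    const url = typeof event.request.url === "string"
      ? event.request.url.split(/[?#]/)[0] : undefined;
    clean.request = { url, method: event.request.method };
  }

  // Free-form context can carry survey data or variable names: remove it whole.
  delete clean.extra;
  clean.breadcrumbs = (event.breadcrumbs || []).map((b) => ({
    timestamp: b.timestamp, category: b.category, level: b.level,
  }));

  // Redact identifiers embedded in message strings.
  clean.message = redactText(event.message);
  if (event.exception && Array.isArray(event.exception.values)) {
    clean.exception = {
      values: event.exception.values.map((v) => ({ ...v, value: redactText(v.value) })),
    };
  }
  return clean;
}

// Constructed sample event (not real data).
const SAMPLE_EVENT = {
  message: "import failed",
  user: { id: "u1", email: "jane@example.com", username: "jane", ip_address: "203.0.113.7" },
  request: { url: "https://app.example.test/projects/42?email=jane%40example.com",
             method: "POST", cookies: "sid=abc", data: "{\"q1\":[1,2]}" },
  extra: { variableName: "Q1_income" },
  breadcrumbs: [{ timestamp: 1, category: "ui.click", level: "info", message: "opened Q1_income" }],
  exception: { values: [{ type: "Error", value: "import failed for jane@example.com from 203.0.113.7" }] },
};
```

Pattern-based redaction cannot recognise survey variable names inside exception messages, so fields that may embed them are better dropped than rewritten.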

Hosted metadata features

Hosted semantic variable search is disabled by default. If an organisation admin enables it, Recense sends variable names, variable labels, and selected value labels to OpenAI to build search embeddings. This improves semantic search but is an explicit opt-in path.

The browser relay remains the live-session MCP path. Enterprise hosted compute is the direct always-on path for explicitly published datasets. It does not expose remote raw-data access and does not include unpublished cloud datasets.

What we do not do

  • We do not use third-party analytics or tracking pixels
  • We do not sell, rent, or share customer data with third parties
  • We do not use your data or conversations to train AI models
  • We do not expose remote raw-data access
  • We do not retain AI agent conversations after the request completes

GDPR

Recense Ltd is registered in England and Wales. For the limited personal data we process (account and billing information), we act as the data controller. Our processing is minimal by design. For cloud features, we also process encrypted blobs, cloud dataset catalog metadata, and other service metadata needed to operate the product.

See our Privacy Policy for full details on data collection, your rights, and our data processors.

Responsible disclosure

If you discover a security vulnerability, please email security@recense.ai. We will acknowledge receipt within 48 hours and aim to resolve confirmed vulnerabilities promptly.

Questions

For security questions or to request information for a vendor security assessment, contact security@recense.ai.
