Security & Privacy
Applies to: All users
Last updated: 17-Jul-2025
Overview
Kazinex processes your schedule files entirely in the browser. No XER, MPP, MSPDI, or XML file is ever uploaded to a server. This isn't just a policy — it's the architecture. There are no upload endpoints, no server-side parsing, and no cloud storage for your schedule data.
How Client-Side Processing Works
Here's what happens when you open a schedule file in Kazinex:
- You select a file using the browser's file picker (or drag and drop).
- The browser's File API reads the file from your local disk into RAM.
- Kazinex's JavaScript parser processes the file data entirely in your browser's memory.
- Results display instantly in the Activities grid, Gantt chart, and Quality tab.
- When you close the tab, all data is cleared from memory.
At no point does the file leave your computer. The parsing engine runs locally — no network request is made to any Kazinex server during file analysis.
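The flow above can be illustrated with a short added example (this is not Kazinex's code): it parses a small constructed XER file from a Blob/File held in memory and records any attempt to use a network API while the parse runs. The names `parseXer`, `auditNetwork` and `parseLocalFile`, and the sample data, are hypothetical.

```javascript
// Added example, not Kazinex code. SAMPLE_XER is constructed data in the
// tab-delimited XER layout: %T = table name, %F = field names, %R = row.
const SAMPLE_XER = [
  'ERMHDR\t19.12\t2025-07-17\tProject\tadmin',
  '%T\tPROJECT',
  '%F\tproj_id\tproj_short_name',
  '%R\t501\tDEMO',
  '%T\tTASK',
  '%F\ttask_id\ttask_code\ttask_name',
  '%R\t1001\tA1000\tMobilise site',
  '%R\t1002\tA1010\tExcavate footings',
  '%E',
].join('\r\n');

// Parse XER text into { tableName: [rowObject, ...] } using only in-memory data.
function parseXer(text) {
  const tables = {};
  let name = null, fields = [];
  for (const line of text.split(/\r?\n/)) {
    const [tag, ...cells] = line.split('\t');
    if (tag === '%T') { name = cells[0]; fields = []; tables[name] = []; }
    else if (tag === '%F') { fields = cells; }
    else if (tag === '%R') {
      if (name === null || fields.length === 0) throw new Error('%R row before %T/%F');
      tables[name].push(Object.fromEntries(fields.map((f, i) => [f, cells[i] ?? ''])));
    }
  }
  return tables;
}

// Run `work` with each network API present in this runtime replaced by a
// recorder that blocks the call. Not covered: navigator.sendBeacon, form
// posts, and resource loads such as image URLs.
async function auditNetwork(work) {
  const apis = ['fetch', 'XMLHttpRequest', 'WebSocket', 'EventSource'];
  const saved = {}, attempts = [];
  for (const api of apis) {
    if (typeof globalThis[api] !== 'function') continue;
    saved[api] = globalThis[api];
    globalThis[api] = function (...args) {
      attempts.push({ api, target: String(args[0]) });
      throw new Error(`${api} blocked during local parse`);
    };
  }
  let result, error = null;
  try { result = await work(); } catch (e) { error = e; } finally { Object.assign(globalThis, saved); }
  return { result, error, attempts };
}
// File extends Blob, so a File from the browser's file picker works the same way.
const parseLocalFile = (file) => auditNetwork(async () => parseXer(await file.text()));
```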
Comparison: Traditional vs Kazinex
| Step | Traditional Tools | Kazinex |
|---|---|---|
| 1 | Upload file to their server | Select file locally |
| 2 | Wait for server-side processing | Browser parses in RAM instantly |
| 3 | Hope they delete your data | No data to delete — it never left your computer |
| 4 | Trust their security practices | No trust needed — your data stays local |
| 5 | Risk of data breach | Zero breach surface for schedule data |
What Data Is Stored
In Your Browser (localStorage)
- Application preferences — column layouts, filter presets, theme settings
- AI Copilot conversations — your chat history with the AI (capped at 50 conversations)
- Token usage counters — AI usage metrics (no schedule content)
- Session tokens — authentication tokens for your Kazinex account
On Kazinex Servers
- Account information — email, name, subscription tier (via Supabase Auth and Stripe)
- Subscription data — Stripe customer ID, plan, billing dates
- AI usage logs — token counts and request metrics (no schedule content)
- Contact form submissions — if you submit a support request
Never Stored Anywhere
- Schedule files (XER, MPP, MSPDI, XML)
- Activity data (names, dates, durations, costs)
- Resource information
- WBS structures
- Quality check results (computed in-browser each time)
Authentication
Kazinex uses Supabase Auth for authentication — a modern, open-source identity platform with built-in support for email/password, social logins, and multi-factor authentication.
How It Works
| Property | Detail |
|---|---|
| Provider | Supabase Auth |
| Protocol | OpenID Connect (OIDC) |
| Token storage | Browser localStorage with refresh tokens |
| Session duration | Managed by Supabase Auth with automatic refresh |
| JWT verification | Server-side verification using Supabase JWT secret |
What Supabase Auth Handles
- Login / Sign-up — with email/password or social providers
- Multi-factor authentication (MFA) — available for added security
- Session management — automatic session refresh, stale session detection
- Password reset — self-service via email
- Account security — rate limiting, brute-force protection
Payment Security
All payment processing is handled by Stripe:
- Kazinex never sees your credit card number — it's entered directly on Stripe's hosted checkout page.
- Stripe is PCI DSS Level 1 certified — the highest level of payment security.
- Your payment method details are stored by Stripe, not by Kazinex.
Data Deletion
Clearing Your Data
To remove all Kazinex data from your browser:
- Open your browser settings.
- Navigate to Site Data or Cookies and Site Data.
- Find app.kazinex.com and delete its data.
- This removes all preferences, AI conversations, and cached tokens.
Account Deletion
Contact the Kazinex team to request full account deletion. This removes:
- Your Supabase Auth account
- User profile and settings
- Subscription records
- AI usage logs
- All server-side data associated with your email
GDPR Compliance
Kazinex's architecture provides GDPR compliance by design:
| GDPR Principle | How Kazinex Complies |
|---|---|
| Data minimisation | Schedule data is never collected — only account metadata is stored |
| Purpose limitation | Server-side data is limited to account management and billing |
| Right to erasure | Account deletion removes all server-side data |
| Data portability | Your schedule files are always on your local machine |
| Security | Client-side processing eliminates the primary breach vector |
No data processing agreement (DPA) is needed for schedule data because Kazinex never processes it on a server.
Offline Capability
Once Kazinex loads in your browser, core analysis features work offline:
- Schedule parsing
- Quality checks
- Activities grid and Gantt chart
- Export to XER, MSPDI, XML
Features that require a network connection:
- Authentication (initial login)
- AI Copilot (requires API access)
- Collaboration (requires WebSocket connection)
- Billing management (Stripe redirect)
Trust Badge
Throughout the application, you'll see trust badges confirming:
- "100% Client-Side Processing" — your files are parsed in the browser
- "Your files never leave this browser" — zero server uploads
- "GDPR & compliance ready" — privacy by design
These badges appear on the Dashboard, during file upload, and in the application header.