Privacy and Security
This page consolidates information about how MIDAS handles data processing, storage, external communication, encryption, and licensing.
Data Processing
All data processing — CSV import, statistics computation, graph rendering, regression modeling — runs entirely within your browser. MIDAS has no application server, so your data never leaves your device over the network.
SQL execution uses a WebAssembly build of DuckDB, which also runs in the browser and makes no external connections.
Data Storage
| Location | Purpose | Persistence |
|---|---|---|
| OPFS (Origin Private File System) | Project file storage | Cleared with browser site data |
| IndexedDB | Signing key storage | Cleared with browser site data |
| User's file system | Exported MDS files | Managed by the user |
OPFS and IndexedDB are browser storage APIs. Data is scoped to the app.midas-app.org origin and cannot be accessed by other sites or browser profiles. If multiple people share the same browser profile, they can all access the stored data. Use separate OS user accounts on shared workstations.
MIDAS does not encrypt stored data at rest. If disk-level data protection is required, use OS-level disk encryption such as BitLocker or FileVault.
External Communication
The app (app.midas-app.org) has no analytics or tracking scripts. CSP restricts script-src to 'self' only, preventing any third-party scripts from executing. Files and project data loaded by users are never sent externally.
CSP connect-src allows HTTPS connections for the Open from URL feature, which fetches files from user-specified URLs.
The documentation site (midas-app.org) uses Cloudflare Web Analytics for access analysis. It collects page views, referrer URLs, country/region, device type, browser type, and access timestamps. No cookies are used and no IP addresses are stored. No personally identifiable information is collected. See the Cloudflare Privacy Policy for details.
Digital Signatures
Exported MDS files are automatically signed with a digital signature.
- Algorithm: ECDSA P-256 + SHA-256
- Implementation: Browser's Web Crypto API
- Key storage: Signing key pairs are stored in IndexedDB. Keys are never transmitted outside the browser.
Signatures detect tampering. Signer names are self-declared; verify a key's owner by comparing fingerprints out-of-band. There is no PKI or certificate authority integration; the trust model resembles PGP's Web of Trust.
Signing keys can be backed up and restored as password-protected files. See MDS Files and Managing Signing Keys for details.
Key design decisions
Signing key pairs are generated in the browser with the Web Crypto API's extractable flag set to true. This setting is required for key export and backup. An alternative design — importing externally generated keys — would allow extractable: false, but would require users to manage key pairs with tools like OpenSSL, adding significant operational burden.
Because keys are extractable, any JavaScript executing on the same origin (e.g., via XSS) could read the private key. This risk is mitigated by CSP script-src restrictions that limit which scripts can execute.
If a private key is compromised, generate a new key pair and redistribute the new public key to your peers. There is currently no centralized key management or revocation mechanism.
Data Deletion
MIDAS data is stored as browser site data. To delete it, clear the site data for app.midas-app.org in your browser settings. This removes all saved projects, signing keys, and trusted public keys.
Exported MDS files reside on the user's file system and must be deleted separately.
Deployment Model
MIDAS is a static-file SPA served from app.midas-app.org.
- The Terms of Service prohibit copying and redistributing the software, so on-premises deployment is not available
- There is no user authentication or access control
- There are no organization management features
Install as a PWA to use MIDAS offline after the first visit.
License and Commercial Use
MIDAS is free to use, including for commercial purposes. It is currently in beta, so features may change without notice and there is no warranty on the accuracy or completeness of analysis results. See the Terms of Service and Privacy Policy for full details.
Browser Requirements
MIDAS depends on the following browser APIs:
- WebAssembly: SQL execution via DuckDB
- OPFS (Origin Private File System): Project data storage
- IndexedDB: Signing key storage
- Web Crypto API: Digital signature generation and verification
- Service Worker: Offline support (PWA)
The latest versions of Chrome, Edge, Firefox, and Safari are supported. Internet Explorer is not supported.
The developer tests daily on macOS / Firefox. CI end-to-end tests run on Chromium on both Linux and Windows. Testing on other browsers is limited.
See also
- MDS Files - Project file structure and digital signatures
- Managing Signing Keys - Key generation, export, and trusted key registration
- PWA and Offline Use - Install as an app and work offline