Privacy and Security
This page consolidates information about how MIDAS handles data processing, storage, external communication, encryption, and licensing.
Data Processing
All data processing — CSV import, statistics computation, graph rendering, regression modeling — runs entirely within your browser. MIDAS has no application server, so your data never leaves your device over the network.
SQL execution uses a WebAssembly build of DuckDB, which also runs in the browser. The DuckDB worker script is served with a Content-Security-Policy header that restricts connect-src to the CDN that hosts the WebAssembly bundle and the official extension repository; any other outbound connection from inside the worker is blocked by the browser. As a second layer, MIDAS disables DuckDB's automatic extension installation and loading at startup so that the httpfs extension is never loaded, which prevents read_csv('https://...') from resolving external URLs even if the CSP layer were bypassed.
Data Storage
| Location | Purpose | Persistence |
|---|---|---|
| OPFS (Origin Private File System) | Project file storage | Cleared with browser site data |
| IndexedDB | Signing key storage | Cleared with browser site data |
| localStorage | Application settings | Cleared with browser site data |
| User's file system | Exported MDS files | Managed by the user |
OPFS, IndexedDB, and localStorage are browser storage APIs. Data is scoped to the app.midas-app.org origin and cannot be accessed by other sites or browser profiles. If multiple people share the same browser profile, they can all access the stored data. Use separate OS user accounts on shared workstations.
MIDAS does not encrypt stored data at rest. If disk-level data protection is required, use OS-level disk encryption such as BitLocker or FileVault.
External Communication
The app (app.midas-app.org) has no analytics or tracking scripts. CSP restricts script-src to 'self' only, preventing any third-party scripts from executing. Files and project data loaded by users are never sent externally.
CSP connect-src allows HTTPS connections for the Open from URL feature, which fetches files from user-specified URLs. Enable "Block connections to untrusted domains" in Settings under Trusted URLs to dynamically restrict connect-src to only trusted URL domains. CSP policies can only be made stricter, never relaxed, so the restriction cannot be tampered with by JavaScript. The DuckDB worker has its own, stricter CSP served via response header: connect-src is limited to the DuckDB CDN and extension repository only, so code running inside the worker cannot reach any other host regardless of the main-thread settings.
The documentation site (midas-app.org) uses Cloudflare Web Analytics for access analysis. It collects page views, referrer URLs, country/region, device type, browser type, and access timestamps. No cookies are used and no IP addresses are stored. No personally identifiable information is collected. See the Cloudflare Privacy Policy for details.
Digital Signatures
Exported MDS files are automatically signed with a digital signature.
- Algorithm: ECDSA P-256 + SHA-256
- Implementation: Browser's Web Crypto API
- Key storage: Signing key pairs are stored in IndexedDB. Keys are never transmitted outside the browser
Signatures detect tampering. Signer names are self-declared; verify a key's owner by comparing fingerprints out-of-band. There is no PKI or certificate authority integration; the trust model resembles PGP's Web of Trust.
Signing keys can be backed up and restored as password-protected files. See MDS Files and Managing Signing Keys for details.
Signature badge and trust levels
When you open an MDS file, a badge in the top-right of the menu bar shows the signature status of the project:
- Official (green) - Signed with a key that ships with MIDAS. The label reads "Official".
- Trusted (blue) - Signed with a key you have registered in your trusted list. The label is the name you gave the key when you registered it.
- Unknown (yellow) - Signed with a key that is neither official nor in your trusted list. The label reads "Unknown"; the full fingerprint and self-reported signer name are available by clicking the badge.
Click the badge to see the full fingerprint, the self-reported signer name, and the time the file was signed. For unknown signatures you can register the key from the popover; the file is treated as trusted from then on.
Opening files with unknown signatures
By default MIDAS opens MDS files with unknown signatures without a confirmation dialog. The badge shows the unknown status, and you can verify the fingerprint before trusting the signer.
Opening without a dialog is safe because code paths that unknown-signed files could previously use to reach external servers (for example, DuckDB extension auto-load) are now blocked at load time regardless of trust level. Even a hostile MDS file cannot trigger outbound network requests through the normal analysis flow.
If you regularly open MDS files from untrusted sources and prefer an explicit confirmation for every unknown signature, enable Require confirmation for unknown signers under Settings > Security. With that setting on, MIDAS shows a confirmation dialog each time. The dialog offers Cancel, Trust this signer and open, and Open Anyway. Choosing Trust this signer and open prompts you for a name, registers the key as trusted, and opens the file in the same flow.
Key design decisions
Signing key pairs are generated in the browser with the Web Crypto API extractable flag set to true. This setting is required for key export and backup. An alternative design — importing externally generated keys — would allow extractable: false, but would require users to manage key pairs with tools like OpenSSL, adding significant operational burden.
Because keys are extractable, any JavaScript executing on the same origin (e.g., via XSS) could read the private key. This risk is mitigated by CSP script-src restrictions that limit which scripts can execute.
If a private key is compromised, generate a new key pair and redistribute the new public key to your peers. There is currently no centralized key management or revocation mechanism.
Data Deletion
MIDAS data is stored as browser site data. To delete it, clear the site data for app.midas-app.org in your browser settings. This removes all saved projects, signing keys, and trusted public keys.
To delete individual projects or check storage usage, use the Storage Management screen.
Exported MDS files reside on the user's file system and must be deleted separately.
Deployment Model
MIDAS is a static-file SPA served from app.midas-app.org.
- The Terms of Service prohibit copying and redistributing the software, so on-premises deployment is not available
- There is no user authentication or access control
- There are no organization management features
Install as a PWA to use MIDAS offline after the first visit.
License and Commercial Use
MIDAS is free to use, including for commercial purposes. It is currently in beta, so features may change without notice and there is no warranty on the accuracy or completeness of analysis results. For details on computational accuracy verification, see Numerical Accuracy. See the Terms of Service and Privacy Policy for full details.
Browser Requirements
MIDAS depends on the following browser APIs:
- WebAssembly: SQL execution via DuckDB
- OPFS (Origin Private File System): Project data storage
- IndexedDB: Signing key storage
- Web Crypto API: Digital signature generation and verification
- Service Worker: Offline support (PWA)
The latest versions of Chrome, Edge, Firefox, and Safari are supported. Internet Explorer is not supported.
The developer tests daily on macOS / Firefox. CI end-to-end tests run on Chromium on both Linux and Windows. Testing on other browsers is limited.
See also
- MDS Files - Project file structure and digital signatures
- Managing Signing Keys - Key generation, export, and trusted key registration
- Storage Management - Delete projects and check storage usage
- PWA and Offline Use - Install as an app and work offline