Security

• Files are parsed client-side before entering the workspace.
• Exports sanitize CSV text cells that could otherwise be interpreted as spreadsheet formulas.
• Dependency audit is part of the verification gate and currently reports zero moderate-or-higher vulnerabilities.
• The API surface is limited to /api/chat for opt-in AI summaries.
• Robots configuration disallows crawling /api/ routes.

• Crosstabs is not claiming SOC 2, HIPAA, GDPR certification, or enterprise data-processing terms.
• Saved projects use browser localStorage; they are convenient, not encrypted vault storage.
• The server AI path depends on the configured AI provider and should be disabled or replaced for regulated data.
• Large or sensitive datasets should be handled according to the user's organization policy.

Before production deployment, run lint, unit tests, production build, browser E2E tests, and npm audit. Keep the dependency lockfile pinned and review any AI-provider configuration before enabling server AI.