Information Security

Invantia Desktop is engineered from the ground up for maximum privacy and security.

Unlike cloud-based document analysis platforms, Invantia Desktop processes everything locally in your browser. Your documents never leave your device, are never uploaded to our servers, and are never accessible to third parties.

✓ Zero Server Upload
✓ No Cookies
✓ No Analytics
✓ 100% Client-Side
✓ Open Source

Third-party JavaScript libraries required by Invantia Desktop.

## Required Libraries
1. **pdf.js** (Mozilla PDF parsing)
- Download from: https://mozilla.github.io/pdf.js/getting_started/
- Files needed: pdf.js, pdf.worker.js
 
2. **mammoth.js** (DOCX parsing)
- Download from: https://www.npmjs.com/package/mammoth
- File needed: mammoth.browser.min.js
 
100% client-side processing. After the initial page load, your documents are processed entirely in your browser with zero server communication. No data leaves your device.

Client-Side Processing Architecture

Invantia Desktop operates entirely within your web browser using modern browser APIs. This architectural choice provides fundamental security guarantees:

• No document uploads: Files are processed locally using JavaScript - never transmitted to servers
• IndexedDB storage: Documents and metadata stored in browser's local database
• No external dependencies: After initial page load, operates completely offline
• Sandboxed execution: Browser security model isolates Invantia from other applications
• User-controlled deletion: Clear browser data to permanently remove all documents

Data Storage & Lifecycle

Step 1: Document Upload

User selects files via file picker or drag-and-drop

Files read directly into browser memory - never sent over network

Step 2: Processing

JavaScript libraries parse PDFs, DOCX, TXT in-browser

Text extraction, chunking, vectorization all happen client-side

Step 3: Storage

Processed data saved to browser IndexedDB

Stored only on user's device - inaccessible to servers or other sites

Step 4: Search & Analysis

Query processing and result generation in browser

No server-side search - all computation local

Step 5: LLM Integration

User manually copies generated chat packages

User pastes into their chosen LLM - Invantia has no LLM integration

What Data Never Leaves Your Device

• ✓ Document contents (text, metadata, structure)
• ✓ Document filenames and upload timestamps
• ✓ Search queries and query history
• ✓ Collections and organizational structure
• ✓ Generated chat packages
• ✓ Vector embeddings and search indices
• ✓ User preferences and settings

Everything stays local. Always.

No Analytics or Tracking

Many web applications include third-party analytics services (Google Analytics, Mixpanel, etc.) that track user behavior, even on "privacy-focused" platforms.

Invantia Desktop includes zero tracking mechanisms:

• No Google Analytics or similar analytics platforms
• No advertising networks (no Google Adsense, no ad pixels)
• No social media tracking pixels (no Facebook Pixel, Twitter tracking)
• No behavioral analytics or heatmapping tools
• No third-party JavaScript from CDNs that could track users
• No session recording or user replay services

Cookie Policy

Invantia Desktop does not use cookies for tracking or analytics.

We may use strictly necessary cookies for:

• Authentication (if you create an Enterprise account)
• Session management (Enterprise edition only)

Desktop edition can function entirely without cookies. Check your browser's developer tools - you'll see zero cookies set by invantia.com for Desktop usage.

Browser Security Features

• HTTPS Only: All pages served over encrypted HTTPS connections
• Content Security Policy (CSP): Restricts script execution to prevent XSS attacks
• Same-Origin Policy: Browser prevents cross-site data access
• Subresource Integrity (SRI): Libraries verified via cryptographic hashes
• No inline scripts: All JavaScript in external files for CSP compliance

Data Isolation

IndexedDB provides strong isolation guarantees:

• Data scoped to origin (invantia.com) - other sites cannot access
• Separate database per browser profile
• Cannot be accessed by browser extensions (unless user explicitly grants permission)
• Automatically cleared when user clears browser data

Source Code Transparency

Invantia's source code is publicly available on GitHub, allowing security researchers and users to:

• Audit code for security vulnerabilities
• Verify no hidden data exfiltration mechanisms
• Review cryptographic implementations
• Contribute security improvements

View Source Code on GitHub

User Control Over Data

You have complete control over your data in Invantia Desktop:

• Manual deletion: Delete individual documents or collections via UI
• Bulk deletion: Clear all data with one button (feature in development)
• Browser clearing: Standard browser "Clear browsing data" removes everything
• Export capability: Backup your data locally before deletion

How to Permanently Delete Your Data

Method 1: Clear via Browser Settings

1. Open browser settings
2. Navigate to "Privacy and Security" → "Clear browsing data"
3. Select "Cookies and other site data"
4. Ensure invantia.com is included in time range
5. Click "Clear data"

Method 2: Via Developer Tools (Advanced)

1. Press F12 to open Developer Tools
2. Go to "Application" tab
3. Expand "IndexedDB" in left sidebar
4. Right-click "InvantiaDB" and select "Delete database"

Once deleted from your browser, data is permanently unrecoverable (unless you created a backup).

Recommendations

• Use a dedicated browser profile: Isolate Invantia from other browsing activity
• Keep browser updated: Browser security patches protect IndexedDB
• Backup your data: Export backups before major browser updates
• Use strong device encryption: Encrypt your hard drive (FileVault, BitLocker, LUKS)
• Lock your device: Use screen lock when stepping away
• Review browser extensions: Minimize extensions with broad permissions
• Use private browsing carefully: IndexedDB cleared when closing private windows

Threat Model Considerations

What Invantia Desktop protects against:

• ✓ Third-party tracking and surveillance
• ✓ Data breaches at service provider (we never see your data)
• ✓ Government subpoenas for user data (we don't have it)
• ✓ Unauthorized access by Invantia staff (impossible - data is client-side)

What Invantia Desktop does NOT protect against:

• ✗ Malware on your device (antivirus recommended)
• ✗ Physical access to unlocked device
• ✗ Browser vulnerabilities (keep browser updated)
• ✗ Unencrypted device storage (use disk encryption)

Q: Can Invantia staff access my documents?

A: No. Desktop edition processes everything locally in your browser. Your documents are never transmitted to our servers, so it's technically impossible for us to access them.

Q: What if I use multiple devices?

A: IndexedDB is per-browser, per-device. Documents on one device aren't automatically synced to others. Use the backup/restore feature to transfer data between devices.

Q: Can my employer see my Invantia documents?

A: If using a work-managed device, your employer may have monitoring software that can access browser data. For sensitive personal documents, use a personal device.

Q: Is Invantia HIPAA/GDPR compliant?

A: Desktop edition stores data locally on your device, so traditional compliance frameworks don't directly apply. However, the privacy-first architecture aligns with GDPR principles. Enterprise edition will offer compliance features.

Q: What happens if Invantia shuts down?

A: Your data remains on your device. Being open source, the community can fork and maintain the codebase. Export your data as backup to ensure access.

For security-related inquiries, vulnerability reports, or compliance questions:

Contact Security Team