Invantia Desktop

InfoSec Approval Guide

?? Getting InfoSec Approval

For Employees: How to Get Permission

Need to use Invantia Desktop for work but require InfoSec approval? Here's what to tell your security team to make the conversation easy.

Executive Summary for Security Teams

Invantia Desktop is a zero-trust, client-side document analysis tool that operates entirely within the user's browser. No documents, queries, or results ever leave the user's device. There are no servers to compromise, no APIs to breach, and no data transmissions to intercept.

Key Security Properties:

  • Zero Data Exfiltration: Documents processed entirely in-browser using IndexedDB. No network requests after initial page load.
  • No Cloud Dependencies: No external AI APIs (OpenAI, Anthropic, Google) or embedding services required.
  • Verifiable Privacy: Open browser DevTools ? Network tab ? Upload document ? Zero POST/PUT requests.
  • No Authentication Backend: User accounts managed via existing enterprise SSO (optional). No credential storage.
  • Audit Trail: All processing happens client-side with deterministic, inspectable algorithms.

Technical Security Assessment

Architecture:

  • Client-Side Only: JavaScript application running in user's browser (Chrome, Firefox, Safari, Edge)
  • Local Storage: IndexedDB API (W3C standard, sandboxed per-origin)
  • No Backend Processing: Static file server only (HTML, CSS, JS). No server-side code execution.
  • No External APIs: Zero runtime dependencies on third-party services

Data Flow:

  1. User navigates to invantia.com (one-time page load)
  2. Browser downloads static assets (HTML, CSS, JS libraries)
  3. User uploads document ? Parsed in browser using PDF.js/Mammoth.js
  4. Text extracted and chunked ? Stored in IndexedDB (local browser database)
  5. User searches ? JavaScript executes locally ? Results displayed
  6. Zero network requests during steps 3-5

Third-Party Code Audit:

  • PDF.js: Mozilla Foundation (same engine in Firefox). MIT License. No telemetry.
  • Mammoth.js: Open-source DOCX parser. BSD License. No external calls.
  • Verification: All libraries served from invantia.com (no CDN dependencies). Source code auditable.

Common InfoSec Questions & Answers

Q: Where are documents stored?

A: Exclusively in the user's browser using IndexedDB, a W3C standard local storage API. Data is sandboxed per-origin and never transmitted. Documents persist locally until user explicitly deletes them or clears browser data.

Q: Can documents leak to invantia.com servers?

A: No. The server is a static file host only (nginx serving HTML/CSS/JS). There is no server-side code capable of receiving or processing documents. Verify by monitoring network traffic during document upload�zero POST/PUT requests to any server.

Q: What about AI/LLM integration?

A: Invantia Desktop does NOT send documents to AI services. Instead, it generates formatted "chat packages" that users manually copy-paste into their own AI accounts (ChatGPT, Claude, Gemini). The user controls what gets shared and when.

Q: Does it use external embedding APIs (OpenAI, Cohere, etc.)?

A: No. Invantia uses classical co-occurrence-based vectorization implemented in pure JavaScript. No neural networks, no API calls, no model downloads. All semantic expansion happens locally using statistics computed from the user's own documents.

Q: What data leaves the browser?

A: Only what the user explicitly copy-pastes. Invantia Desktop generates text outputs (super chunks) that users can review before manually pasting into external AI tools. The application itself transmits nothing.

Q: How do we verify this claim?

A:

  1. Open Chrome DevTools ? Network tab
  2. Load invantia.com (observe initial page load)
  3. Upload a test document
  4. Create a search query
  5. Generate results
  6. Result: Zero network requests during steps 3-5

Q: What about browser extensions or malware?

A: Invantia Desktop operates within standard browser security sandboxes. Malicious extensions could theoretically access any web app's data, but this is a browser-level concern, not specific to Invantia. Use corporate-managed browsers with vetted extensions.

Q: Can we run this on-premises?

A: Yes. Invantia Desktop is a static web application that can be served from internal corporate web servers. No backend infrastructure required�just host the HTML/CSS/JS files on any web server (nginx, Apache, IIS).

Q: What's the vendor's data retention policy?

A: Not applicable. Invantia (the vendor) never receives user documents, queries, or results. There is no vendor data retention because there is no vendor data collection.

Q: How do we handle data classification (Confidential, Secret, etc.)?

A: Since data never leaves the user's device, Invantia Desktop can process documents of any classification level, subject to your organization's policies on browser-based tools. Treat it like viewing a PDF in the browser�same risk profile.

Q: What about compliance (GDPR, HIPAA, SOC 2)?

A: Client-side processing means no data crosses compliance boundaries. The vendor (Invantia) is not a data processor under GDPR/HIPAA because they never access customer data. For SOC 2, there are no systems to audit�processing is local.

Security Testing Recommendations

For security teams performing due diligence, we recommend:

  1. Network Traffic Analysis:
    • Use Wireshark or browser DevTools to monitor all network requests
    • Upload sample documents and verify zero POST/PUT/PATCH requests
    • Confirm no DNS queries to third-party AI services (openai.com, anthropic.com, etc.)
  2. IndexedDB Inspection:
    • Chrome DevTools ? Application ? Storage ? IndexedDB ? InvantiaDB
    • Verify documents are stored locally in "documents" object store
    • Confirm vectors are computed locally in "vectors" object store
  3. Source Code Review:
    • All JavaScript is unminified and readable in browser DevTools
    • Search codebase for "fetch(", "XMLHttpRequest", "axios", "$.ajax" ? should only find static asset loading
    • Verify no WebSocket connections or Server-Sent Events
  4. Offline Testing:
    • Load invantia.com with network enabled
    • Disconnect from network (airplane mode)
    • Upload document, create search, generate results
    • Expected result: Full functionality with no network

Risk Assessment Summary

Risk Category Traditional SaaS Invantia Desktop
Data Exfiltration High - Documents sent to vendor servers None - No transmission occurs
Third-Party Breach High - Vendor database compromise None - No vendor storage
Man-in-the-Middle Medium - Sensitive data in transit Low - Only initial page load (HTTPS)
API Key Leakage High - AI service credentials None - No APIs used
Vendor Lock-In High - Proprietary data formats None - Standard browser storage
Compliance Violations Medium - Shared responsibility model None - Data stays local

Recommended Approval Language

For security teams comfortable with the assessment, here's suggested approval language:

"Invantia Desktop is approved for use with [classification level] documents. The application operates entirely client-side with no data transmission to vendor servers or third-party services. Users must manually control any data shared with external AI services by copy-pasting generated outputs. Standard browser security policies apply."

Alternative: Self-Hosted Deployment

For organizations requiring maximum control:

Option: Host Internally

  • Download Invantia Desktop static files
  • Deploy to internal web server (e.g., https://invantia.internal.corp.com)
  • Configure enterprise SSO/SAML for access control
  • Air-gapped deployment possible (no internet required after initial setup)

Contact: enterprise@invantia.com for self-hosted deployment packages.

Still Have Questions?

Security teams can contact us directly:

  • Email: security@invantia.com
  • Response Time: 24 hours for security inquiries
  • Video Demo: Available upon request to walk through architecture
  • Pen Test Coordination: We welcome third-party security assessments

Invantia Desktop

� 2025 TrxSys LLC. All rights reserved.

invantia.com | security@invantia.com | GitHub

Invantia Desktop is a privacy-first document intelligence platform.
Your documents never leave your device.

?? Getting InfoSec Approval

For Employees: How to Get Permission

Need to use Invantia Desktop for work but require InfoSec approval? Here's what to tell your security team to make the conversation easy.

Executive Summary for Security Teams

Invantia Desktop is a zero-trust, client-side document analysis tool that operates entirely within the user's browser. No documents, queries, or results ever leave the user's device. There are no servers to compromise, no APIs to breach, and no data transmissions to intercept.

Key Security Properties:

Technical Security Assessment

Architecture:

Data Flow:

  1. User navigates to invantia.com (one-time page load)
  2. Browser downloads static assets (HTML, CSS, JS libraries)
  3. User uploads document ? Parsed in browser using PDF.js/Mammoth.js
  4. Text extracted and chunked ? Stored in IndexedDB (local browser database)
  5. User searches ? JavaScript executes locally ? Results displayed
  6. Zero network requests during steps 3-5

Third-Party Code Audit:

Common InfoSec Questions & Answers

Q: Where are documents stored?

A: Exclusively in the user's browser using IndexedDB, a W3C standard local storage API. Data is sandboxed per-origin and never transmitted. Documents persist locally until user explicitly deletes them or clears browser data.

Q: Can documents leak to invantia.com servers?

A: No. The server is a static file host only (nginx serving HTML/CSS/JS). There is no server-side code capable of receiving or processing documents. Verify by monitoring network traffic during document upload�zero POST/PUT requests to any server.

Q: What about AI/LLM integration?

A: Invantia Desktop does NOT send documents to AI services. Instead, it generates formatted "chat packages" that users manually copy-paste into their own AI accounts (ChatGPT, Claude, Gemini). The user controls what gets shared and when.

Q: Does it use external embedding APIs (OpenAI, Cohere, etc.)?

A: No. Invantia uses classical co-occurrence-based vectorization implemented in pure JavaScript. No neural networks, no API calls, no model downloads. All semantic expansion happens locally using statistics computed from the user's own documents.

Q: What data leaves the browser?

A: Only what the user explicitly copy-pastes. Invantia Desktop generates text outputs (super chunks) that users can review before manually pasting into external AI tools. The application itself transmits nothing.

Q: How do we verify this claim?

A:

  1. Open Chrome DevTools ? Network tab
  2. Load invantia.com (observe initial page load)
  3. Upload a test document
  4. Create a search query
  5. Generate results
  6. Result: Zero network requests during steps 3-5

Q: What about browser extensions or malware?

A: Invantia Desktop operates within standard browser security sandboxes. Malicious extensions could theoretically access any web app's data, but this is a browser-level concern, not specific to Invantia. Use corporate-managed browsers with vetted extensions.

Q: Can we run this on-premises?

A: Yes. Invantia Desktop is a static web application that can be served from internal corporate web servers. No backend infrastructure required�just host the HTML/CSS/JS files on any web server (nginx, Apache, IIS).

Q: What's the vendor's data retention policy?

A: Not applicable. Invantia (the vendor) never receives user documents, queries, or results. There is no vendor data retention because there is no vendor data collection.

Q: How do we handle data classification (Confidential, Secret, etc.)?

A: Since data never leaves the user's device, Invantia Desktop can process documents of any classification level, subject to your organization's policies on browser-based tools. Treat it like viewing a PDF in the browser�same risk profile.

Q: What about compliance (GDPR, HIPAA, SOC 2)?

A: Client-side processing means no data crosses compliance boundaries. The vendor (Invantia) is not a data processor under GDPR/HIPAA because they never access customer data. For SOC 2, there are no systems to audit�processing is local.

Security Testing Recommendations

For security teams performing due diligence, we recommend:

  1. Network Traffic Analysis:
    • Use Wireshark or browser DevTools to monitor all network requests
    • Upload sample documents and verify zero POST/PUT/PATCH requests
    • Confirm no DNS queries to third-party AI services (openai.com, anthropic.com, etc.)
  2. IndexedDB Inspection:
    • Chrome DevTools ? Application ? Storage ? IndexedDB ? InvantiaDB
    • Verify documents are stored locally in "documents" object store
    • Confirm vectors are computed locally in "vectors" object store
  3. Source Code Review:
    • All JavaScript is unminified and readable in browser DevTools
    • Search codebase for "fetch(", "XMLHttpRequest", "axios", "$.ajax" ? should only find static asset loading
    • Verify no WebSocket connections or Server-Sent Events
  4. Offline Testing:
    • Load invantia.com with network enabled
    • Disconnect from network (airplane mode)
    • Upload document, create search, generate results
    • Expected result: Full functionality with no network

Risk Assessment Summary

Risk Category Traditional SaaS Invantia Desktop
Data Exfiltration High - Documents sent to vendor servers None - No transmission occurs
Third-Party Breach High - Vendor database compromise None - No vendor storage
Man-in-the-Middle Medium - Sensitive data in transit Low - Only initial page load (HTTPS)
API Key Leakage High - AI service credentials None - No APIs used
Vendor Lock-In High - Proprietary data formats None - Standard browser storage
Compliance Violations Medium - Shared responsibility model None - Data stays local

Recommended Approval Language

For security teams comfortable with the assessment, here's suggested approval language:

"Invantia Desktop is approved for use with [classification level] documents. The application operates entirely client-side with no data transmission to vendor servers or third-party services. Users must manually control any data shared with external AI services by copy-pasting generated outputs. Standard browser security policies apply."

Alternative: Self-Hosted Deployment

For organizations requiring maximum control:

Option: Host Internally

Contact: enterprise@invantia.com for self-hosted deployment packages.

Still Have Questions?

Security teams can contact us directly: