Help Center / Security & privacy
Security & privacy
Bastion is local-first by design. This page explains exactly how your data is handled, why CUI never leaves your machine, and how to back up and move your work safely.
On this page
1. Local-first architecture
Bastion is static files — HTML, CSS, and vanilla JavaScript — with no backend. The only network requests it makes are to load its own bundled control data (assets/data/*.json) from the same origin it's served from. There is:
- No server that receives your assessment.
- No sign-up, account, or login.
- No analytics, telemetry, or tracking.
- No third-party calls with your data.
2. Zero CUI egress
Everything you enter — statuses, notes, evidence, org details, affirmations — stays on your device. The places people worry about data leaving are all handled locally:
| Action | What actually happens |
|---|---|
| Attaching an evidence file | Hashed in-browser (SubtleCrypto); bytes discarded. No upload. See evidence vault. |
| Generating an SSP / POA&M / bundle | Assembled in-browser and saved as a local download. |
| Computing the integrity hash | Computed locally over the export text. |
| Importing Sightline / Cairn evidence | You choose a local JSON file; it's parsed in-browser. Nothing is fetched from those services by Bastion. |
| Exporting / importing your assessment | Local file download / local file pick. No transmission. |
3. Where your data lives
Your assessment is stored in this browser's localStorage, namespaced per system profile. Each profile keeps its own assessment, org details, score history, planned remediations, affirmation, level, and triage answers. Switching profiles swaps the active data set; deleting a profile removes its data.
Because storage is per-browser and per-device, your work is not synced anywhere. Clearing site data, using a different browser, or switching computers means starting fresh — unless you've exported a JSON backup. Treat the JSON export as your real save file.
4. Hashing & integrity
Bastion uses the browser's Web Crypto API (crypto.subtle) for two things: hashing attached evidence files and stamping each exported bundle with a SHA-256 integrity hash. Both run entirely locally. The bundle hash lets a recipient confirm the file wasn't altered after handoff (see the integrity hash).
Secure-context note. crypto.subtle is only available in a secure context — https:// or http://localhost. If you open Bastion over plain http:// on a non-localhost address, hashing may be unavailable: file attaches still work but without a hash, and bundles export without the integrity line. Use HTTPS or localhost to get full integrity features.
5. Redaction for sharing
When you must share a package outside your CUI boundary, use the redacted export. It strips operator-entered free text (notes, evidence locations, reference names, scope/description) while keeping structural facts (status, scores, ownership, dates, and attached-file hashes). See export redaction.
6. Backup & restore
Your assessment is only as safe as your last export. The Data tab handles backup and migration:
Export regularly — at least after each significant work session. The JSON is plain and portable, so you can also keep it in your own version control or secure document store inside your CUI boundary.
7. Shared-machine hygiene
- On a shared or public computer, remember the data sits in that browser's localStorage. Reset the profile (Data tab) or clear site data when you're done, after exporting your JSON.
- The JSON backup and unredacted exports may contain CUI-adjacent free text — store and transmit them only inside your assessment boundary, the same as any CUI artifact.
- Use the redacted export whenever a copy needs to leave that boundary.