It is customary for companies to require in-depth security reviews for web-based software vendors, because sensitive customer datasets end up on cloud servers that are exposed to attack and breach. But what if your data never leaves your machine?

With Spendata, your company's data never moves anywhere. It stays on your machine, inside your company's firewall. Spendata doesn't have a server per se (other than for license administration and to download the Spendata application to your browser). All computation is performed locally, on your machine. Your data is stored locally, on your machine. If you choose to move your data elsewhere, that's up to you. Spendata doesn't involve itself in the process.

When you engage with Spendata Services and your datasets are confidential, we perform all work on virtual or physical machines that reside (physically or virtually) inside your security infrastructure. Your data never leaves your secured environment.

This makes a "security review" of Spendata an easy meeting. That can be important, because some corporate security reviews generate internal chargebacks in excess of 5 or 6 figures, potentially doubling the cost of the application. Since with Spendata no data leaves your company's secured infrastructure, the usual security issues relating to handling of that data become irrelevant.

Of course, since Spendata has no access to your data, compliance with GDPR, HIPAA, and similar privacy regulations is a no-brainer.

For non-US users of web-based applications, data security issues can be more complex. Even if a security review is passed successfully, under the Patriot Act the United States government may have the right to compel a software vendor based in the US (or with assets in the US, or with data stored on a US-based server) to produce its customers' data. Some readers of the Act argue that this right also applies to data that is held on servers that aren't physically located in the United States.

Since Spendata has no access to customer data, the US government can demand whatever it likes, but no data will be forthcoming.