# Security and privacy

> Recense is local-first by default — parsing, tabulation, and analysis run in your browser. Cloud projects and cloud datasets are encrypted on your machine before upload, and enterprise hosted compute only applies to datasets your organisation explicitly publishes.

*Source:* https://recense.ai/docs/security-and-privacy

## How data is handled

- Your browser: all data parsing, tabulation, and analysis happen locally. Raw survey data stays on your machine.
- Recense servers: handle authentication, billing, encrypted storage, cloud dataset catalog metadata, the built-in agent, and enterprise hosted compute for explicitly published datasets.
- Remote raw-data access is not available in the hosted product.

## Encryption

- Local projects: optional encryption for exported .recense files.
- Cloud projects: encrypted on your machine before upload. The server stores only encrypted data.
- Cloud datasets: encrypted on your machine before upload. The server stores ciphertext plus catalog metadata needed for your organisation to browse them.
- In transit: all connections over HTTPS.
- API keys (BYOK): stored in your browser, encrypted at rest.

## What the server sees

- **Survey responses / raw data** — Not in plaintext for the standard cloud dataset library. Enterprise hosted compute processes only datasets your organisation has explicitly published, and remote raw-data access remains disabled.
- **Variable names, labels, structure** — Local-first by default. Hosted semantic variable search sends variable names, labels, and selected value labels to OpenAI only if your organisation enables it.
- **Cloud dataset catalog metadata** — Yes. Dataset names, filenames, formats, sizes, and timestamps stay server-visible so organisation members can browse the library.
- **Table configurations and canvas layout** — In cloud-saved projects (encrypted).
- **Agent conversations (built-in mode)** — Passed to the AI provider, not stored by Recense.
- **Agent conversations (BYOK)** — Never — your browser calls the provider directly.
- **Account, billing, usage metrics** — Yes.

## AI and your data

- BYOK mode: your browser calls the AI provider directly. Recense servers are not in the path.
- Built-in mode: requests go through Recense to the AI provider. Conversation content is not stored by Recense.
- MCP mode offers two paths: the browser relay for live-session context, and enterprise hosted compute for explicitly published datasets.
- Hosted semantic variable search is optional. When enabled by an organisation admin, variable names, labels, and selected value labels are sent to OpenAI to build embeddings.
- AI training: Recense does not use your data for AI model training. This is explicit in the privacy policy.

## Compliance

- GDPR: lawful basis documented per processing activity. Data subject rights requests (access, deletion, portability) are handled by email.
- CCPA/CPRA: California privacy rights supported.
- Cookies: only session cookies. No analytics or tracking cookies.

## Work-local mode

Organisations that require local-only operation can enable work-local mode, which disables cloud saves, hosted agent, and hosted smart prep. BYOK agent and local MCP remain available.

## Next steps

- **[Save and manage projects](/docs/projects-and-saving)** — Local export, cloud save, and encryption preferences.
- **[Team and billing](/docs/team-and-billing)** — Plans, MCP allowances, and SSO eligibility.
- **[Bring your own keys (BYOK)](/docs/bring-your-own-keys)** — Keep agent traffic off Recense by using your own provider key.