Help Center › Security & privacy
Security & privacy
The whole point of Ward is that your patient data stays with you. This page explains exactly how that works, where your data lives, how to back it up, and the few optional features that touch the network.
1. The local-first guarantee
The core SRA makes zero network calls and requires no account. Everything you enter is stored only in your own browser, on your own computer. There is no DosanjhLabs server that receives your answers — we cannot see them, because they are never sent.
You can verify this yourself: open your browser’s developer tools, watch the Network tab, and use the app. After the initial page and content files load, the assessment, scoring, exports, and the audit-binder ZIP all run with no outbound traffic. You can even disconnect from the internet and keep working.
2. Where your data lives
Ward saves to your browser’s localStorage — a private storage area scoped to the website, the browser, and the user profile. Practical implications:
| If you… | Then… |
|---|---|
| Reopen the app in the same browser | Your work is exactly where you left it. |
| Switch to a different browser or computer | Your data does not follow automatically — move it with Export/Import JSON. |
| Use a different OS user account / browser profile | Separate storage — the data won’t be there. |
| Clear your browsing data / site data / cache | Your assessment can be erased. Export a JSON backup first. |
| Use private/incognito mode | Data is usually discarded when you close the window. Don’t do real work in incognito. |
| Run multiple clients (MSP mode) | Each entity’s data is stored separately under the same browser. |
Because data is per-browser, treat the JSON export as your backup. Export regularly (especially before clearing browser data, changing computers, or a browser update) — see Troubleshooting → Data persistence.
3. Integrity checksums
HIPAA’s integrity controls (45 CFR 164.312(c)(1)) are about detecting improper alteration of data. Ward applies that idea to the assessment record itself:
- Every time Ward saves a record, it also stores a small checksum (a non-cryptographic FNV-1a hash computed in your browser).
- When Ward loads that record, it recomputes the checksum and compares.
- If they don’t match — meaning the stored value was changed outside Ward (corrupted, or hand-edited in
localStorage) — Ward shows a one-time toast: “⚠ Integrity check: ‘[record]’ was modified outside Ward — review it.”
This keeps a tampered or corrupted record from silently driving a wrong risk score. The checksum is computed locally and never sent anywhere. It is an integrity tripwire, not encryption — it doesn’t prevent edits, it surfaces them so you can review.
If you see this warning and didn’t hand-edit anything, the stored value may be corrupted. Re-check the affected area, and if needed re-import a known-good JSON backup.
4. The PHI boundary
Ward separates two kinds of data:
| Structured “control state” | Free-text that could contain PHI |
|---|---|
| Categorical answers (Yes/Partial/No/N/A), risk ratings (likelihood/impact/level/score/threat), 2026 readiness status, CFR references. | Per-question notes, the org/officer/assessor/scope fields, vendor names, training rosters, asset names. |
This boundary is what makes the optional features safe:
- Optional cloud sync only ever sends the structured control state — never the free-text fields. There is deliberately no internal way for the cloud module to read your notes, org fields, vendors, training, or snapshots.
- Optional AI assist builds prompts only from structured, non-PHI control content. It has no code path that puts your notes or other free text into a prompt, and a defense-in-depth scrubber blocks any prompt that looks like it contains a patient identifier before it can be sent.
Both are off by default. With neither enabled, Ward stays 100% local. See section 6.
5. Backup, export & reset
The Data tab is your control panel:
- ⬇ Export assessment (JSON) — downloads a complete backup of the current entity (answers, risks, org, vendors, training, snapshots, assets, per-mandate POA&M). Do this regularly.
- ⬆ Import assessment (JSON) — loads a JSON backup into the current entity. Use it to move work between browsers/computers, or to restore.
- Reset this client — erases all data for the current entity (after a confirmation). Export first if you might want it back.
You can also Delete an entire entity from the Client/entity bar at the top (you must keep at least one). Deleting an entity removes its stored records and their integrity checksums.
Reset and Delete are permanent. There is no cloud copy to restore from unless you’ve exported a JSON backup. Export before you reset or delete.
6. Optional cloud & AI (off by default)
Ward has two opt-in capabilities that use the network. Neither is required, and the free, local-first SRA is fully usable without them:
| Feature | What it does | PHI? |
|---|---|---|
| Sign in / Cloud tab | An opt-in Pro/cloud tier (account sign-in, sync of control state only, MSP/white-label, evidence publishing). The sign-in code only contacts the network when you click “Sign in”; signed out, it makes zero calls. If the module isn’t available, Ward keeps working unchanged. | Never. Only structured control state syncs. |
| AI assist tab | A bring-your-own-key AI helper that drafts remediation language and explains controls. Off until you paste your own provider key. | Never. PHI-scrubbed, structured prompts only. |
7. The AI assistant in detail
The optional AI assist feature is client-direct and bring-your-own-key:
- You paste your own API key (OpenAI, Anthropic, or OpenRouter). It is stored only in your browser’s
localStorage. - Your browser calls the provider’s API directly — never through a DosanjhLabs server.
- It powers three optional, explicitly-triggered helpers: “Explain this control,” “Draft remediation,” and “Draft risk statement.” Output is labeled “AI-drafted — review before adopting” and only applied when you click Use this.
- Prompts are built only from structured control content (question text, CFR citation, safeguard area, your categorical answer, the selected threat/rating). A PHI scrubber blocks any prompt that looks like it contains an SSN, MRN, email, phone, DOB-like date, or street address.
- You can test the connection and forget the key at any time from the AI tab.
If you use AI, you’re using your own provider account. Their terms and any usage costs are between you and them. Ward sends only non-PHI control content, but you remain responsible for reviewing AI output before adopting it. If you do nothing, AI stays off and Ward stays fully local.
8. Not legal or compliance advice
Ward is a self-assessment aid — not legal advice, not compliance advice, and not an official OCR audit. Completing the SRA, raising your readiness score, or generating the audit binder does not by itself make you HIPAA-compliant. The 2026 content reflects the proposed rule (December 2024 NPRM) and may change before it is finalized. Always confirm your specific obligations with qualified legal and compliance professionals.