Security & Privacy | DORA Register of Information

The DORA Register of Information contains highly sensitive data about your ICT infrastructure, contracts, and operational resilience. This page explains how DORA RoI protects your data.

Zero-trust data architecture

DORA RoI is built on a client-only architecture. All data processing, validation, and export happen exclusively in your browser. No register data is ever transmitted to, processed by, or stored on any server. Your data never leaves your device.

Data Storage Network Threat Model Recommendations

Data Storage Architecture

All register data lives in your browser's localStorage — a sandboxed storage mechanism isolated per domain. No other website can access it.

Storage	What Is Stored	Lifetime
`localStorage` Register	All 15 template datasets, rows, cell values	Until manually cleared or browser reset
`localStorage` Settings	LEI, entity name, country, reporting type, date, currency	Until manually cleared
`localStorage` Auth	Email address for access gate	Until sign-out
In-memory only	Validation results, import data, UI state	Lost on page refresh / tab close

What is NOT stored on any server

No server-side databases for register data

No cloud storage for register data

No cookies with register data

No analytics or tracking

Network Security

After initial page load, DORA RoI makes zero network requests with your register data. You can verify this in the browser DevTools Network tab.

Request	Purpose	Register Data?
Initial page load	HTML, JS, CSS assets	No
`POST /api/gate`	Email verification and access	No — email only
`POST /api/gate/logout`	Sign out	No
Next.js prefetch	Client routing optimization	No

Audit tip

Use your browser DevTools Network tab or your organization's web proxy / DLP tools to verify: there are no hidden API calls, beacons, or telemetry endpoints.

Client-Side Processing

Validation Engine

Four-layer engine runs entirely in the browser: Technical, DPM, Business Logic, EBA Rules. Complete rule set is bundled in JS.

Export Engine

xBRL-CSV ZIP generated client-side via fflate. File downloads directly — no upload occurs.

Import Parser

Excel files parsed via xlsx library in-browser. File content never leaves the browser tab.

Access Gate

Email-based allowlist. Session cookie authenticates page loads but carries zero register data.

Important

The access gate controls who can access the app UI, but does not encrypt localStorage. Anyone with physical access to the browser can view data. See recommendations below.

Data Protection

Data in Transit

All communication encrypted via TLS 1.2+ (HTTPS). Since no register data is transmitted, HTTPS primarily protects session credentials and app code.

Data at Rest

Unencrypted — plain text on disk
Origin-isolated — same-origin policy
User-scoped — per browser profile
Not synced — no Chrome/Firefox Sync

Threat Model

Key threats, their mitigation, and residual risk:

Threat	Mitigation	Risk
Server-side data breach	No register data stored server-side	Eliminated
Man-in-the-middle	HTTPS; no register data in transit	Minimal
XSS	React auto-escaping; CSP headers	Low
CSRF	No state-changing server endpoints for register data	Eliminated
Physical device access	Access gate; browser profile isolation	Medium
Malicious browser extension	Origin isolation	Medium
Supply chain attack (JS dependency)	Minimal dependency footprint	Low
Accidental data loss	JSON backup + Excel re-import	Low

Security Recommendations

For Organizations

Dedicated browser profile

Isolates localStorage from general browsing and reduces extension attack surface.

Full-disk encryption

Enable BitLocker (Win), FileVault (Mac), or LUKS (Linux) to protect unencrypted localStorage on disk.

Regular JSON backups

Use Settings → Data Backup before major changes. Store backups in encrypted locations.

Audit browser extensions

Remove extensions with broad permissions ("Read and change all data on all websites").

Lock your device

Primary defense against physical access. Always lock when stepping away.

Clear data after submission

Clear browser data between reporting periods if the tool is not actively used.

Secure export files

Treat ZIP and JSON exports as confidential. Store in encrypted / access-controlled systems.

Restrict outbound traffic

Optional defense-in-depth: the app works on restricted networks since no data is transmitted.

For IT Security Teams

Verify zero-transmission

Use web proxy / DLP to confirm no outbound register data.

Review CSP headers

App ships with Content Security Policy restricting script sources.

Endpoint protection

Ensure workstations are covered by EDR/XDR for extension monitoring.

Classify export files

Add DORA register exports to your data classification scheme (Confidential/Internal).

Compliance

GDPR

Register data (ICT contracts, provider details, signatories) is processed and stored entirely in your browser. For register data, DORA RoI does not act as data processor or controller — the financial entity retains full control.

Access data (email address) is collected to provide access to the tool and is stored in our CRM (HubSpot). For this data, FromCISO acts as the data controller. See our Privacy Policy for full details.

DORA Article 28(3)

Requires registers in a format enabling effective supervisory review. The xBRL-CSV export meets the EBA's technical specification for DORA reporting.

Internal Audit

Access control effectiveness

Backup & recovery procedures

Data accuracy validation

Export file handling

Data retention & disposal

Incident Response

Scenario	Action
Unauthorized browser access	Export backup, clear browser data, change access gate credentials, audit extensions
Lost or stolen device	If full-disk encryption was on: minimal risk. If not: treat data as compromised, follow your data breach procedures.
Accidental data deletion	Restore from JSON backup via Settings → Data Backup → Restore
Suspicious extension detected	Remove extension, export backup, clear localStorage, re-import in clean profile

Architecture

┌─ BROWSER (your device) ────────────────┐     ┌─ SERVER ──────────┐
│                                        │     │                   │
│  ┌──────────────┐  ┌───────────────┐   │     │  Next.js App      │
│  │ Register     │  │ Validation    │   │     │  (static assets)  │
│  │ Data         │  │ Engine        │   │     │                   │
│  │ localStorage │  │ (4 layers)    │   │ TLS │  /api/gate         │
│  └──────────────┘  └───────────────┘   │◄════►│  /api/gate/logout │
│                                        │     │                   │
│  ┌──────────────┐  ┌───────────────┐   │     │  → HubSpot API    │
│  │ Settings     │  │ Export Engine  │   │     │    (email only)   │
│  │ localStorage │  │ (fflate ZIP)  │   │     │                   │
│  └──────────────┘  └───────────────┘   │     │  No register data │
│                                        │     │  stored or        │
│  ┌──────────────┐  ┌───────────────┐   │     │  processed here   │
│  │ Import       │  │ React UI      │   │     │                   │
│  │ Parser       │  │ Components    │   │     └───────────────────┘
│  │ (in-memory)  │  │               │   │
│  └──────────────┘  └───────────────┘   │
│                                        │
│  All data processing is LOCAL          │
│  Register data never leaves this box   │
└────────────────────────────────────────┘