What “local-first” means
A local-first application stores and processes all data directly on the user’s device rather than sending it to a remote server. The application runs in the browser, reads from and writes to local storage, and performs all computation client-side. There is no back-end service involved in the core workflow.
This is architecturally different from “offline-capable” or “offline-first” cloud applications that cache data locally and sync when connectivity returns. In a true local-first application, there is no server to sync with at all — the user’s device is the single source of truth.
Open Risk Register is local-first by design. Every assessment you create is stored exclusively in your browser’s localStorage. No account is created. No API calls are made. No data is transmitted over the internet. The tool works identically whether you are online or offline.
Why risk assessment data is uniquely sensitive
Not all business data carries the same risk if exposed. A cybersecurity risk assessment is among the most sensitive documents an organisation produces — it is essentially a detailed map of your weaknesses, written for internal use.
Maps your vulnerabilities
A risk register explicitly identifies unpatched systems, weak access controls, inadequate backups, and other exploitable conditions. In the wrong hands, it is an attacker’s planning document.
Identifies key personnel and assets
Risk assessments often reference specific systems, network segments, and critical personnel by name. This information can support targeted social engineering or physical security attacks.
Has regulatory and legal implications
Under NIS2 and GDPR, risk assessment documentation may be subject to regulatory requests, legal discovery, or audit. Placing this data with a third-party vendor adds another party to that chain, and with it additional legal and contractual risk.
The risks of cloud-based risk assessment tools
Many commercial risk management platforms store your assessment data on their servers. This convenience introduces several categories of risk that a local-first tool eliminates entirely.
- Vendor data breach — If the risk tool vendor is compromised, your vulnerability mapping is exposed to the attackers. You have no control over the vendor’s security posture.
- Legal and government access — Depending on the vendor’s jurisdiction, government agencies may compel disclosure of your data without your knowledge or consent.
- Vendor lock-in — If the vendor ceases operations, changes pricing, or is acquired, you may lose access to your historical assessment data.
- Data residency uncertainty — Many cloud tools store data on servers outside your jurisdiction, creating compliance issues under GDPR and NIS2.
- Insider threat at vendor — Vendor employees with database access could read your risk data. Most vendor security policies do not give customers meaningful controls over this.
- Account compromise — Credential theft, session hijacking, or phishing attacks against your account with the vendor can expose your entire risk history.
How browser localStorage protects your data
Browser localStorage is a key-value storage mechanism built into every modern browser. Data stored in localStorage is scoped to the specific origin (scheme, host and port) that created it and is never sent anywhere automatically: only script running on that origin can read it, and that script alone decides whether anything goes on the network.
Origin-sandboxed
Data stored by openriskregister.org can only be read by JavaScript running on that same origin. Other websites cannot reach it, and browser extensions cannot either unless they have been granted host permissions for the site. Two caveats matter in practice. First, localStorage is not encrypted at rest: the browser writes it to the profile directory on disk, so anyone with access to your user account or an unlocked device, including malware running as you, can read it. Second, any script that executes on the origin can read it, which is why a cross-site scripting flaw or a compromised third-party script in the page would expose it. Local-first moves the trust boundary from the vendor to your own device, so full-disk encryption, a screen lock and an up-to-date browser become the controls that protect this data.
Never transmitted
localStorage data is not attached to HTTP requests. Unlike cookies, it is never sent automatically with a request; it leaves the device only if script on the page deliberately reads it and transmits it. Open Risk Register makes no network requests containing your assessment data, and you can confirm that yourself from the browser's Network panel while you work through an assessment.
Persistent until you clear it
Unlike sessionStorage, localStorage persists across browser sessions. Your assessments survive browser restarts and remain on your device until you clear site data or export and delete. Two situations remove it without asking: private or incognito windows discard localStorage when the private session ends, and clearing the site's data in browser settings, or through a privacy extension that does so, deletes it. It is also specific to one browser profile, so a second profile or another browser on the same machine will not see it.
Encrypted export as your backup strategy
The main limitation of localStorage is that it is tied to a specific browser profile on a specific device. Clearing browser data, reinstalling the browser, or switching devices will result in data loss. The mitigation is simple: export encrypted backups regularly.
- Export encrypted backup after each session — Use the encrypted export function in the Results step to save a passphrase-protected copy of your full assessment. This file can be re-imported by entering the same passphrase.
- Keep the passphrase separate — Store backup files and passphrases in different secure locations so a single compromise does not expose both, and choose a long passphrase: once someone has the file, the passphrase is the only thing standing between them and its contents.
- Use JSON export only when needed for interoperability — JSON export is useful for integrations or manual analysis, but it is unencrypted by default and should be handled as sensitive data.
- Do not store unencrypted exports in cloud storage — Uploading unencrypted assessment files to cloud drives reintroduces the same exposure risks that local-first is designed to eliminate.
- Print to PDF for governance records — The print-to-PDF function produces a formatted report suitable for management sign-off, board reporting, or regulatory evidence. PDFs can be archived in your document management system.
Local-first does not mean fragile. With a disciplined encrypted-export practice, your risk assessment data remains both highly private and fully portable.
Keep your risk data where it belongs
Run your entire NIS2 risk assessment in the browser. Nothing leaves your device.
Open the Tool →