Security Architecture

    WorkLens is built on a client-only, zero-upload architecture: every scan runs inside your browser, and your files never leave it.

    Core Principle

    Zero file data leaves your machine. Zero server-side scanning. Zero upload. Zero exceptions.

    8 Security Layers

    1. Blocked External Scripts

    Only code served by WorkLens itself is allowed to run. Third-party scripts, tracking pixels, and injected code are blocked by the page's Content Security Policy, which permits scripts from WorkLens's own origin only.

    2. Tab Isolation

    The page is served with Cross-Origin-Opener-Policy (COOP) and Cross-Origin-Embedder-Policy (COEP) headers, which place it in a cross-origin isolated context: other websites and tabs get no handle to the WorkLens window and cannot read its memory or file data. One caveat: these headers do not restrict browser extensions. An extension you have granted access to the site can still read page content, so scan sensitive files in a browser profile without untrusted extensions.

    3. Network Disabled During Scan

    Once the detection engine starts, the network APIs available to it are disabled, so there is no code path through which file data could be transmitted, even if something tried. You can confirm this from the DevTools Network tab (see Verify It Yourself below).

    4. Secure Memory Wipe

    When you close a scan, the buffer holding your file is overwritten four times (zeros, ones, random, zeros) before it is released, so the engine's copy of your data is not left readable in memory. The original File object handed to the page is released by the browser's own memory management.

    5. Sandboxed Engine

    The detection engine runs inside a WebAssembly sandbox, separated from the rest of the page, your filesystem, and the internet. WebAssembly code can only touch its own linear memory and the functions the host page explicitly imports into it; it has no way to open a file or a socket on its own.

    6. Cross-Site Request Protection

    The API endpoints WorkLens does operate (none of which receive file data) verify the request's origin to prevent cross-site request forgery. Rate limiting blocks brute-force attempts: 5 requests per minute per IP address and 3 per email address.

    7. Signed Audit Trail

    Every scan produces a receipt carrying an Ed25519 digital signature, which proves the receipt was issued by WorkLens and has not been altered since it was signed. Anyone holding the WorkLens public key can check it; verify at theworklens.com/verify.

    8. Worker Integrity Verification

    Critical worker files are hashed with SHA-256 and compared against known-good hashes before they are executed, the same idea as Subresource Integrity. If a file's hash does not match, it will not run.

    How AI Detection Works

    Results appear instantly

    Pattern matching runs as soon as you drop a file. It catches email addresses, phone numbers, credit card numbers, tax IDs, and 20+ other structured types.

    AI loads in the background

    A 175 MB AI model is downloaded once and cached in your browser. On later visits it loads instantly from the cache.

    Works completely offline

    After the first visit, everything runs from cache. Disconnect your internet — scanning still works.

    Pattern detection always works

    Even if the AI model fails to load, pattern matching catches structured PII like emails, phone numbers, and ID numbers.

    Verify It Yourself

    Open Chrome DevTools, switch to the Network tab, and scan a file: you will see no outbound request carrying file data. Select the page's document request and check its Response Headers for Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy. In the Console, type crossOriginIsolated; it returns true, confirming the tab is cross-origin isolated. Then disconnect from the internet and scan again: everything still works.

    Report security issues to security@theworklens.com