Security and data handling
Statement Engine handles financial planning inputs, so the public security boundary should be easy to inspect. This page describes the current design in plain language. It is not a formal security audit, but it gives users and reviewers a concrete place to check data handling assumptions.
1) Account and storage boundary
- No user account is required for the public web forecast.
- By design, the service does not provide server-side scenario library storage by default.
- Do not enter highly confidential, regulated, or personally sensitive data unless you have reviewed the hosting setup.
2) API processing boundary
Forecast payloads and trial balance CSV imports are sent to the configured calculation API for forecast generation, roll-forward, import mapping, rewarded export unlocks, issue reporting, and Excel output. The static frontend is served separately from the API.
3) Feedback and issue reporting
Issue reports are intended to be compact. The feedback endpoint stores a short issue type, detail, page URL, context metadata, and user agent. It is not designed to collect full forecast payloads by default.
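A concrete way to enforce the compact feedback boundary described above is to validate every submission before it is stored. The validator below is an added example, not Statement Engine's own code; the field names, size limits, and the rule that context metadata must stay flat are assumptions chosen to illustrate the point.

```python
"""Added example (not the project's own code): keep feedback submissions compact.

Assumed field names: issue_type, detail, page_url, user_agent, context.
Size limits are illustrative, not the service's actual configuration.
"""
import json

MAX_LEN = {"issue_type": 64, "detail": 2000, "page_url": 512, "user_agent": 512}
MAX_CONTEXT_BYTES = 1024
ALLOWED_FIELDS = set(MAX_LEN) | {"context"}


class FeedbackRejected(ValueError):
    """Raised when a report is too large, malformed, or carries unexpected data."""


def validate_feedback(report: dict) -> dict:
    """Return a sanitized copy of the report, or raise FeedbackRejected."""
    # Unknown top-level keys (for example a full forecast payload) are refused
    # outright rather than silently dropped, so misuse is visible to the caller.
    extra = set(report) - ALLOWED_FIELDS
    if extra:
        raise FeedbackRejected(f"unexpected fields: {sorted(extra)}")

    clean = {}
    for field, limit in MAX_LEN.items():
        value = report.get(field, "")
        if not isinstance(value, str):
            raise FeedbackRejected(f"{field} must be a string")
        if len(value) > limit:
            raise FeedbackRejected(f"{field} exceeds {limit} characters")
        clean[field] = value
    if not clean["issue_type"]:
        raise FeedbackRejected("issue_type is required")

    # Context metadata must be a small, flat key/value mapping: nested lists or
    # objects are the shape a forecast payload would take, so they are rejected.
    context = report.get("context", {})
    if not isinstance(context, dict):
        raise FeedbackRejected("context must be an object")
    if any(isinstance(v, (list, dict)) for v in context.values()):
        raise FeedbackRejected("context must be flat key/value metadata")
    encoded = json.dumps(context, separators=(",", ":")).encode("utf-8")
    if len(encoded) > MAX_CONTEXT_BYTES:
        raise FeedbackRejected(f"context exceeds {MAX_CONTEXT_BYTES} bytes")
    clean["context"] = context
    return clean
```

Rejecting unexpected fields instead of stripping them is the deliberate choice here: a client that starts attaching forecast data to issue reports fails loudly, which is easier to notice in logs than a quietly truncated record.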
4) Browser security headers
The application server sends restrictive headers for common browser risks, including frame blocking, content-type sniffing protection, referrer policy, and content security policy entries for the known application and advertising scripts.
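To make that header set inspectable, the following added example (not Statement Engine's own server code) builds the headers named above and audits a captured response against them. The exact header values, the advertising script host in the CSP, and the audit rules are assumptions; substitute the hostnames of your own deployment.

```python
"""Added example (not the project's own code): build the restrictive browser
headers described on this page and audit a response's headers against them.

The CSP below is an assumed policy: it allows scripts only from the application
origin and one advertising host, and forbids framing and plugins.
"""

# Assumed policy; the advertising host is an illustrative AdSense script origin.
CSP = (
    "default-src 'self'; "
    "script-src 'self' https://pagead2.googlesyndication.com; "
    "frame-ancestors 'none'; "
    "object-src 'none'"
)

SECURITY_HEADERS = {
    "X-Frame-Options": "DENY",                      # frame blocking
    "X-Content-Type-Options": "nosniff",            # content-type sniffing protection
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": CSP,
}


def apply_security_headers(headers: dict) -> dict:
    """Return a copy of the response headers with the security headers set."""
    merged = dict(headers)
    merged.update(SECURITY_HEADERS)
    return merged


def parse_csp(value: str) -> dict:
    """Split a CSP string into {directive: [source, ...]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers: dict) -> list:
    """Return findings for a captured header set; an empty list means it passes."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    if lower.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive")
    if lower.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    if "referrer-policy" not in lower:
        findings.append("Referrer-Policy missing")
    csp = lower.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        directives = parse_csp(csp)
        # script-src falls back to default-src when absent, as browsers do.
        script_src = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script_src or "*" in script_src:
            findings.append("script-src allows inline or wildcard sources")
        if "frame-ancestors" not in directives:
            findings.append("CSP has no frame-ancestors directive")
    return findings
```

Running `audit_headers` over the headers of a live response (for example the dict returned by an HTTP client) gives a reviewer a repeatable check that the deployed server still sends the policy this page describes.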
5) External scripts and advertising
Google advertising scripts may be present for AdSense or rewarded export experiments. By design, the application does not treat forecast inputs as advertising-personalization data, and pricing boundaries are documented separately.
6) Recommended user practice
- Use anonymized or rounded figures for early evaluation when possible.
- Review calculation outputs before exporting Excel or sharing externally.
- Keep sensitive scenario governance outside the public web preview unless your organization has approved the hosting setup.
Japanese note
Statement Engine is designed so that the public web forecast does not require a user account and, by default, does not provide server-side scenario storage. CSV import, forecast calculation, and Excel output send data to the API. Handle highly confidential information only after reviewing your hosting setup, storage arrangements, and internal rules.