Sift Data cleaning for CRM imports

Privacy and security

Your file never leaves your browser. Here is how to check.

Cleaning a customer list means handling names, emails, and phone numbers, real people's data. So the honest question is not "do you promise it's private", it's "can I prove it". You can. Sift is a static web app with no backend: your file is read and cleaned entirely in your own browser, on your own device, and its contents are never uploaded. Below are three tests you can run yourself, and the exact security policy that enforces it. Verifiable, not claimed.

Open Sift and try the tests โ†’

Test 1: The devtools test

Watch every network request the app makes, and confirm your file is not in any of them.

  1. Open Sift, then open your browser's developer tools (F12, or right-click โ†’ Inspect).
  2. Go to the Network tab and, if offered, tick "Preserve log".
  3. Drop in a CSV or Excel file and run any cleanup, dedupe, or export.
  4. Scan the request list. You will see the page's own files load, and small analytics pings. You will not see a request that uploads your file, no POST carrying your rows, no request body with your contacts in it. Click any request and read its payload to confirm.

Test 2: The offline test

The simplest proof of all. If the app can clean your file with the internet switched off, the cleaning is obviously happening on your device, not on a server.

  1. Open Sift and let the page finish loading.
  2. Turn off your internet, unplug the cable, switch off Wi-Fi, or enable airplane mode.
  3. Drop in your file and clean, dedupe, map, and export as normal.
  4. It all still works. A tool that uploaded your data to a server could not do this.

Test 3: Read the policy that enforces it

A browser will only open network connections that a page's Content-Security-Policy allows. Sift sends a strict one that blocks the browser from connecting anywhere except the app's own host, its analytics endpoint, and its signup endpoint, so there is no path for your file to be sent to some third party even by accident. This is the real header the site serves; you can confirm it in the Network tab on the main document's response headers:

Content-Security-Policy:
  default-src 'self';
  script-src 'self';
  style-src 'self' 'unsafe-inline';
  img-src 'self' data: blob:;
  connect-src 'self' https://eu.i.posthog.com
              https://eu-assets.i.posthog.com https://*.supabase.co;
  worker-src 'self' blob:;
  object-src 'none'; base-uri 'self';
  form-action 'none'; frame-ancestors 'none'

The line that matters for your data is connect-src: it is the allowlist of hosts the browser may contact. It permits only Sift's own origin, the analytics endpoint, and the signup endpoint. There is nowhere for your file to go.

So what does leave my device?

Two things, and being straight about them is the point, because neither one contains your file's contents:

That is the whole list. Your contact data, the file you came here to clean, is never in either.

Why this design: Sift has no backend that receives files, so there is simply no server that could store, leak, or be breached with your customer list. The safest place for sensitive data is a place it never travels to. That is not a promise we are asking you to trust; it is something the three tests above let you verify in about two minutes.

Related guides