Technical & Security Compliance Overview

This page provides a technical and security compliance overview of SankeyEngine for Excel, intended to support enterprise evaluation, IT governance, and security review. Each release is versioned and includes an internal Build Manifest aligned with ISO/IEC 27001 A.12.1.2, providing controlled change management and verifiable build integrity.

Product: SankeyEngine for Excel
Developer: Visual Analytics Ltd.
Date: May, 2026

Compliance Overview: Executive Snapshot

The design of SankeyEngine deliberately avoids external services, background processes, and runtime dependencies. This minimizes operational risk, simplifies deployment, and allows the add-in to be evaluated and used within restricted or regulated enterprise environments.

Domain            Compliance Statement
Execution Model   100% local; no cloud or network dependencies
Security          No external communication, telemetry, or persistent state
Privacy           No personal data processed or transmitted
Integrity         Build integrity verified via SHA-256 checksum
Governance        GPO-deployable; versioned and auditable
Lifecycle         Standalone tool with no expiration
Finance           No subscriptions; no recurring fees

1. System Architecture and Local Execution

  • The add-in operates within the Microsoft Excel process (EXCEL.EXE) as a standard Excel add-in.
  • No internet, intranet, or external API connections are ever established, eliminating network exposure risks.
  • The add-in performs no telemetry, remote logging, or background network activity, preventing any unintended data transmission.
  • All computations and data processing occur entirely within the user’s local workbook memory space, preserving data confidentiality within the Excel runtime.
  • Uninstallation is equivalent to file deletion – no residual files, configuration data, or registry entries remain on the system.
  • Installation is supported in both local and read-only network directories governed by Group Policy, enabling centralized IT control.
  • The add-in requires no administrative privileges, supporting deployment in restricted or managed enterprise environments.

This design ensures no interaction with the operating system beyond standard Excel add-in execution and no communication with external networks.

2. Security and Privacy Controls Alignment

Framework         Control Reference                            Implementation in SankeyEngine
ISO 27001         A.12.1.2 – Change Management                 Controlled release process with versioned build manifests.
ISO 27001         A.9.2.3 – User Responsibilities              Operates under standard user privileges; no administrative elevation required.
NIST SP 800-53    SI-7 – Software Integrity                    Build integrity verified via SHA-256 checksum and reproducible source builds.
NIST SP 800-53    PL-8 – Information Security Architecture     Fully local execution with no external data flows or dependencies.
GDPR              Art. 25 – Privacy by Design and by Default   No personal data is collected, transmitted, or processed.
CIS Controls      2.7 – Authorized Software Inventory          Add-in identifiable through cryptographic hash and signed release manifest.

3. Organisational Deployment and IT Governance

  • Deployable by Group Policy Object (GPO) from a centrally managed read-only share.
  • Compatible with enterprise macro-security settings (allow signed or trusted add-ins only).
  • Version control and update management handled internally by customer IT.
  • Optional SHA-256 hash verification on deployment ensures file authenticity.
  • Fully supports enterprise baselines prohibiting persistent local state.

4. Software Integrity and Verification

Each release is produced from human-readable source code under controlled versioning. The distributed binaries are provided in compiled form. No runtime obfuscation or self-modifying code is used; source access and intellectual property are managed separately. Build-time protections are applied without affecting runtime behaviour or auditability.

Verification model:

  • Integrity is verified via published SHA-256 checksum.
  • Source code access may be provided for security review under controlled conditions.
  • Visual Analytics Ltd. retains full intellectual-property rights while supporting transparency and auditability.
  • Distribution occurs via controlled, integrity-preserving channels.

5. Data Protection and GDPR Considerations

  • The add-in performs no processing, storage, or transmission of personal data as defined in GDPR Article 4(1).
  • All operations occur locally within Excel’s runtime; no personal information leaves the user’s workstation.
  • Visual Analytics Ltd. acts neither as Data Controller nor as Data Processor under GDPR.
  • Product design complies with the GDPR principles of lawfulness, fairness, transparency, purpose limitation, and data minimization.
  • A Data Protection Impact Assessment (DPIA) is not required, because no personal data is processed.

6. Auditability and Change Management

  • All releases are versioned and traceable through internal change logs.
  • Each release includes:
    • Build manifest with component SHA-256 checksums.
    • Reviewed and documented source headers.
    • Independent internal review prior to release.
  • Reproducible build procedure ensures deterministic output from verified sources.

Appendix A – SHA-256 Verification Model

Integrity Verification. Each published build ships with a SHA-256 checksum. Offline verification provides tamper-evident assurance without relying on third-party certificate infrastructure or online validation. Customers can independently recompute the hash using standard OS tools (examples below). This method aligns with integrity-control objectives in NIST SP 800-53 SI-7 and ISO/IEC 27001 A.12.5.1 for controlled, offline deployments.
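The following is an added example, not code from this page or from Visual Analytics Ltd.: a small Python script that performs the verification step described in Appendix A and the manifest check implied by section 6, recomputing the SHA-256 of each listed component and comparing it with the published value. The manifest layout (one "<sha256-hex>  <relative path>" line per component, in the style sha256sum emits) and the file names are assumptions, since the page does not publish the real manifest format. For a single file on a Windows workstation the equivalent built-in tools are `Get-FileHash -Algorithm SHA256 <file>` in PowerShell and `certutil -hashfile <file> SHA256`; on Linux or macOS, `sha256sum` or `shasum -a 256`.

```python
"""Verify a build manifest of per-component SHA-256 checksums against files on disk.
Added example, not the vendor's tooling; the manifest layout below is an assumption."""
import hashlib
import hmac
import os
import tempfile

HEX_DIGITS = set("0123456789abcdef")


def parse_manifest(text):
    """Parse manifest lines of the assumed form '<sha256-hex>  <relative path>'.

    Blank lines and '#' comments are skipped. Malformed digests and paths that
    escape the deployment directory ('..' components, absolute paths) are rejected
    outright, so a tampered manifest cannot point the verifier at files it should
    not read.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        digest, name = digest.lower(), name.strip()
        if len(digest) != 64 or not set(digest) <= HEX_DIGITS or not name:
            raise ValueError(f"malformed manifest line: {raw!r}")
        if os.path.isabs(name) or ".." in name.replace("\\", "/").split("/"):
            raise ValueError(f"unsafe component path in manifest: {name!r}")
        entries[name] = digest
    return entries


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large binaries are not read into memory whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_manifest(base_dir, manifest_text):
    """Return {component: 'ok' | 'mismatch' | 'missing'} for every manifest entry."""
    results = {}
    for name, expected in parse_manifest(manifest_text).items():
        path = os.path.join(base_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        # compare_digest is a constant-time comparison; cheap enough to use everywhere
        results[name] = "ok" if hmac.compare_digest(sha256_file(path), expected) else "mismatch"
    return results


def demo():
    """Constructed scenario: a clean deployment, then one file altered and one removed."""
    components = {  # constructed sample files, not the real add-in
        "addin.xlam": b"constructed add-in bytes",
        "README.txt": b"constructed readme",
    }
    manifest = "# build manifest (constructed)\n" + "".join(
        f"{hashlib.sha256(data).hexdigest()}  {name}\n" for name, data in components.items()
    )
    with tempfile.TemporaryDirectory() as share:
        for name, data in components.items():
            with open(os.path.join(share, name), "wb") as f:
                f.write(data)
        clean = verify_manifest(share, manifest)
        with open(os.path.join(share, "addin.xlam"), "ab") as f:
            f.write(b"!")  # simulate a modified binary on the share
        os.remove(os.path.join(share, "README.txt"))  # simulate a missing component
        tampered = verify_manifest(share, manifest)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean deployment:", before)
    print("after tampering: ", after)
```

Two design points worth noting for an IT team adopting this: the manifest itself must come from a trusted channel (a checksum fetched from the same location as a tampered binary proves nothing), and the script refuses manifest entries that would resolve outside the deployment directory, so the verifier only ever reads the files it is meant to check.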

Appendix B – GDPR

The add-in itself does not collect, process, or transmit personal data as defined in GDPR Art. 4(1); all operations occur locally within Excel’s runtime. Visual Analytics Ltd. acts neither as a Controller nor a Processor for the add-in’s runtime. Separate interactions (e.g., support emails, licensing records) are out of scope and follow our general privacy notice. Given the offline design, a DPIA is typically not required, but customers should confirm per internal policy.

Visual Analytics Ltd.
7 Bell Yard, London, England, WC2A 2JR
[email protected]
© 2026 Visual Analytics Ltd. All rights reserved.