Why Our Free Cybersecurity Assessment Doesn't Collect Your Data
When a tool asks you to evaluate your organization's cybersecurity weaknesses, you are — by definition — documenting sensitive information. Which controls you lack, where your gaps are, what you haven't implemented yet. That information has value, and in the wrong hands, it could be used against you.
Most online assessment tools require an email address before showing results. Many store your responses on their servers, use your answers to generate sales leads, or share aggregated data with third parties. We built our free cybersecurity assessment differently. It collects nothing. Here is exactly how it works.
How the Assessment Actually Works
Everything Runs in Your Browser
The entire assessment — all 50 questions, all scoring, all recommendations — runs locally in your web browser using JavaScript. When you select an answer, it is processed on your device. When your results are calculated, that calculation happens on your device. At no point are your answers transmitted to our servers or any third-party service.
This is not a marketing claim. It is an architectural decision. The assessment is a static website hosted on AWS infrastructure in Canada. There is no database behind it. There is no API endpoint receiving your answers. There is no server-side code processing your responses. The JavaScript that powers the assessment is delivered to your browser, and everything happens locally from that point forward.
Anyone with web development knowledge can verify this by inspecting the network traffic in their browser's developer tools while taking the assessment. They will see zero outbound requests containing assessment data.
Your Progress Is Saved Locally — and Deleted Automatically
If you start the assessment and close your browser tab before finishing, your progress is saved to your browser's local storage — a standard browser feature that keeps data on your device, not on a server. This allows you to resume where you left off without re-answering questions.
This saved progress is automatically deleted after 48 hours or when you complete the assessment — whichever comes first. We chose 48 hours because it gives you enough time to return to the assessment if you're interrupted, without leaving sensitive data on your device indefinitely. After that window, the data is gone permanently. There is no backup, no server copy, and no way for us to recover it — because we never had it in the first place.
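Local storage has no built-in expiry, so a 48-hour limit has to be enforced by the page's own code. The sketch below is an added example, not the assessment's actual code; the key name, the record shape, the fixed deadline and the purge-on-next-load behaviour are all assumptions.

```javascript
// Added example: saved progress with a hard 48-hour deadline.
const TTL_MS = 48 * 60 * 60 * 1000;
const STORAGE_KEY = "assessment-progress"; // hypothetical key name

// Stand-in for window.localStorage so the block also runs outside a browser.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

// Returns the saved record, or null after purging anything expired or invalid.
function loadProgress(storage, now = Date.now()) {
  const raw = storage.getItem(STORAGE_KEY);
  if (raw === null) return null;
  let rec;
  try { rec = JSON.parse(raw); } catch { rec = null; }
  const valid = rec !== null && typeof rec === "object" &&
    rec.answers !== null && typeof rec.answers === "object" &&
    Number.isFinite(rec.expiresAt) &&
    now < rec.expiresAt &&            // deadline not yet reached
    rec.expiresAt <= now + TTL_MS;    // deadline never further out than 48 h
  if (!valid) {
    storage.removeItem(STORAGE_KEY);  // expired, corrupt or edited: delete
    return null;
  }
  return rec;
}

function saveProgress(storage, answers, now = Date.now()) {
  const existing = loadProgress(storage, now);
  // Reuse the first deadline so resuming never extends retention past 48 h.
  const expiresAt = existing ? existing.expiresAt : now + TTL_MS;
  storage.setItem(STORAGE_KEY, JSON.stringify({ answers, expiresAt }));
  return expiresAt;
}

function completeAssessment(storage) {
  storage.removeItem(STORAGE_KEY);    // finishing deletes immediately
}
```

In a browser, pass `window.localStorage` as `storage`. Because the purge runs when the page next loads, an expired record stays on disk until then.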
PDF Generation Is Local Too
When you use the option to save your results as a PDF, that document is generated entirely in your browser using a client-side library called html2pdf.js. The PDF is built in your browser's memory and downloaded directly to your device. It is never uploaded to our servers or processed externally.
The same applies to the print function — it uses your browser's built-in print capability. No data leaves your device.
Why We Built It This Way
A Cybersecurity Tool Should Not Create Cybersecurity Risk
There is an inherent contradiction in asking a business to document its security weaknesses and then storing that information on a server. If our assessment collected and stored your responses, we would be creating a database of exactly which security controls Canadian businesses are missing — a target that would be valuable to threat actors.
We eliminated that risk by ensuring the data never exists anywhere except your browser, for a maximum of 48 hours.
Privacy Law Alignment
Under PIPEDA, organizations that collect personal information must protect it with appropriate safeguards, report breaches, and comply with access and correction requests. The simplest way to comply with these obligations is to not collect the data in the first place.
Our approach aligns with PIPEDA's limiting collection principle — one of the 10 fair information principles at the foundation of Canadian privacy law. You should only collect personal information that is necessary for an identified purpose. Since we can deliver a complete assessment experience without collecting any personal information, there is no justification for collecting it.
This also means there is no breach risk associated with your assessment data. We cannot lose, expose, or have stolen what we do not have.
Trust Should Not Require a Leap of Faith
If you are evaluating a cybersecurity resource, you should be able to verify its claims — not just take them on trust. Our client-side architecture means you can verify that we do not collect your data using the same browser developer tools that any IT professional already knows. Open the Network tab, take the assessment, and confirm for yourself that no assessment data is transmitted.
We believe this transparency is the appropriate standard for a cybersecurity tool.
What We Do and Don't Know
To be fully transparent, here is what we can and cannot see:
What We Cannot See
- Your answers to any assessment question
- Your assessment score or grade
- Your results or recommendations
- Your name, email, phone number, or any identifying information
- Which specific questions you answered or how long you spent on each one
What We Can See (Through Google Analytics)
Like most websites, we use Google Analytics (GA4) to understand general website traffic:
- How many people visit the site and which pages they view
- Browser type, operating system, and screen resolution
- Approximate city-level location (IP addresses are anonymized before storage)
- How visitors arrived at the site (search engine, direct visit, referral)
- General time spent on pages
Google Analytics data is retained for 14 months and then automatically deleted. It does not capture any assessment-specific data — your answers, scores, and results are invisible to GA4 because they exist only in your browser's JavaScript execution context, not in page URLs or form submissions.
We do not use advertising cookies, remarketing pixels, social media trackers, or any other tracking technology beyond GA4.
How This Compares to Other Assessment Tools
Many online cybersecurity assessments — including those offered by vendors and consulting firms — operate differently:
- Email-gated results: You complete the assessment, but your results are withheld until you provide an email address. Your answers and contact information are then used for sales outreach.
- Server-side processing: Your answers are transmitted to and stored on the provider's servers, where they may be retained indefinitely, used for research, or shared with partners.
- Lead scoring: Your answers are analyzed not just to produce your results, but to qualify you as a sales lead. Businesses that score poorly may receive more aggressive follow-up because their gaps represent a sales opportunity.
Our assessment does none of this. There is no email gate. There is no account creation. There is no follow-up. You take the assessment, you get your results, and you decide what to do with them.
The Connection to Your Broader Security Posture
The privacy architecture of the assessment reflects the same principles that the assessment itself evaluates. The Canadian Centre for Cyber Security's Baseline Controls include:
- Access Control (BC.12) — Limiting access to information based on need. Our architecture ensures that only you have access to your assessment data.
- Secure Configuration (BC.4) — Designing systems to minimize unnecessary data exposure. The assessment was designed from the ground up to avoid collecting data it does not need.
- Cloud Services Security (BC.10) — Understanding where your data goes when you use cloud-based tools. With our assessment, your data goes nowhere — it stays on your device.
If you have not yet evaluated your organization's cybersecurity posture, the assessment takes under 30 minutes and covers all 13 Baseline Control areas. Your results include a compliance percentage, a letter grade, a per-control breakdown, and specific recommendations — all generated locally and available only to you.
Frequently Asked Questions
Does the assessment collect my email address?
No. The assessment does not ask for or collect your email address, name, phone number, or any other personal information at any point. You can take the assessment and receive your full results without providing any identifying information.
Where are my assessment answers stored?
Your answers are stored temporarily in your browser's local storage — a standard feature that keeps data on your device, not on a server. This data is automatically deleted after 48 hours or when you complete the assessment. Your answers are never transmitted to our servers or any third-party service.
Can you see my assessment results?
No. All scoring and result generation happens in your browser using JavaScript. Your answers, score, grade, and recommendations are never transmitted to our servers. We have no way to see, access, or recover your results — because we never receive them.
How can I verify that no data is being sent?
You can verify this yourself using your browser's built-in developer tools. Open the Network tab (press F12 in most browsers, then click "Network"), take the assessment, and observe the network requests. You will see that no requests containing assessment data are sent to any server. The assessment JavaScript is loaded once, and all processing happens locally.
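The Network-tab check described here and earlier in the article can be made repeatable by exporting the session as a HAR file and scanning it. The following is an added example, not part of the assessment or the original article; the host names, the sample entries and the canary string (any text you know reflects your answers) are constructed.

```javascript
// Added example: flag requests in a HAR export that deserve a manual look.
function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, " ")); }
  catch { return s; } // malformed escapes: fall back to the raw text
}

// siteOrigin: origin of the assessment page. canaries: strings tied to answers.
function auditHar(har, siteOrigin, canaries) {
  const findings = [];
  for (const { request } of har.log.entries) {
    const url = new URL(request.url);
    const body = (request.postData && request.postData.text) || "";
    const haystack = safeDecode(url.search) + "\n" + safeDecode(body);
    const reasons = [];
    if (url.origin !== siteOrigin) reasons.push("third-party");
    if (body.length > 0) reasons.push("has-body");
    // Plain-text match only: an encoded or compressed payload will not hit,
    // which is why third-party and has-body requests are flagged regardless.
    const hits = canaries.filter((c) => haystack.includes(c));
    if (hits.length > 0) reasons.push("canary:" + hits.join(","));
    if (reasons.length > 0) {
      findings.push({ method: request.method,
                      url: url.origin + url.pathname, reasons });
    }
  }
  return findings;
}

// Constructed HAR: two first-party loads, one analytics hit, and one
// deliberately leaky request of the kind a server-side tool would make.
const SAMPLE_HAR = { log: { entries: [
  { request: { method: "GET", url: "https://assessment.example/" } },
  { request: { method: "GET", url: "https://assessment.example/js/app.js" } },
  { request: { method: "POST",
      url: "https://www.google-analytics.com/g/collect?v=2&en=page_view" } },
  { request: { method: "POST", url: "https://collector.example/submit",
      postData: { mimeType: "application/json",
                  text: '{"mfa":"not-implemented","score":41}' } } },
] } };

const SAMPLE_FINDINGS =
  auditHar(SAMPLE_HAR, "https://assessment.example", ["not-implemented"]);
console.log(JSON.stringify(SAMPLE_FINDINGS, null, 2));
```

A clean run still lists the analytics request as third-party; the point of the audit is to open each flagged entry and confirm its parameters carry no answers or scores.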
Is the PDF export private too?
Yes. The PDF is generated entirely in your browser using a client-side JavaScript library. The document is built in your browser's memory and downloaded directly to your device. It is never uploaded to our servers or any external service. The same applies to the print function, which uses your browser's native print capability.
Why don't you collect data for research purposes?
Aggregated assessment data could be valuable for understanding the cybersecurity posture of Canadian small businesses. However, collecting this data would require us to transmit and store your responses — creating exactly the kind of data store that we believe a cybersecurity assessment tool should avoid. We prioritize your privacy over our ability to generate research insights.
Is the assessment really free? What's the business model?
The assessment is genuinely free with no strings attached. Cybersecurity Canada is operated by Cyber Unit Security Inc., a Canadian cybersecurity company. The assessment and educational resources on this site are provided as a public benefit to help Canadian businesses improve their security posture. There is no upsell within the assessment, no gated content, and no required follow-up.
Disclaimer: This article is intended for general informational purposes only and does not constitute professional cybersecurity, legal, IT, or compliance advice. While we strive to ensure accuracy, the cybersecurity landscape changes rapidly and information may become outdated. Organizations should consult with qualified cybersecurity professionals and legal counsel to assess their specific situation and develop appropriate security policies. Use of this information is at your own risk. See our Privacy Policy for more information.
Cybersecurity Canada is an independent resource and is not affiliated with, endorsed by, or connected to the Canadian Centre for Cyber Security, the Communications Security Establishment, or the Government of Canada.