Your data never leaves your building
Panel Studio runs on your server. No cloud accounts, no third party data processors, no external API calls unless you configure them. Everything is auditable, encrypted, and under your control.
Four commitments
Self Hosted
Single server deployment. No cloud dependency, no SaaS relay, no data leaving your network perimeter.
Source Available
BSL 1.1 licence. Read every line, audit every route, verify every claim. No black boxes.
Zero Third Party
No external data processing. Panel responses, persona data, and reasoning traces never leave your infrastructure.
UK Registered
Kronaxis Limited, registered in England and Wales. UK GDPR compliance as standard. No offshore data routing.
How Panel Studio protects your data
-
Encryption
Fernet symmetric encryption with
60 second TTLfor sensitive tokens. All secrets are encrypted at rest, decrypted only at point of use. - Password hashing scrypt key derivation function. Not SHA-256, not bcrypt. scrypt is memory hard, making brute force attacks orders of magnitude more expensive.
- Webhook signing HMAC SHA-256 with per subscription secrets. Every outbound webhook carries a cryptographic signature your systems can verify independently.
- API authentication API key header authentication with optional session based login and multi tenancy. Keys are generated per user and can be revoked at any time.
-
Transport
HTTPS with HSTS (
Strict-Transport-Security). All traffic is encrypted in transit. No plaintext fallback. - Database PostgreSQL with parameterised queries throughout. No string interpolation in any SQL statement. No ORM magic: every query is explicit and auditable.
-
Secrets management
Environment variable injection at container start. No hardcoded credentials in source code. Mandatory
TFS_DB_PASSWORDandFLASK_SECRET_KEYwith crash on missing values.
GDPR and data protection
Panel Studio generates synthetic personas. No real personal data is collected, stored, or processed during panel research. For your organisation's own data, we provide the following guarantees.
Data controller
Kronaxis Limited (company number 15072850), registered in England and Wales. You remain the data controller for any data you process through Panel Studio.
Lawful basis
Contractual performance for panel research services. Legitimate interests for usage analytics and platform improvement. No consent required for synthetic data generation.
Data subject rights
Access, rectification, erasure, and portability are supported for any real personal data held (account information, billing records). Exercisable via contact@kronaxis.co.uk.
Data retention
Configurable per deployment. You control how long panel responses, conversation data, and account records are retained. Default retention periods are listed below.
Cross border transfers
No cross border data transfer unless you configure it. Panel Studio runs on your server in your jurisdiction. LLM calls to external providers are optional and documented.
Audit trail
Immutable audit log records every user action, API call, and configuration change. Full traceability for compliance reviews and internal governance.
Default data retention periods
| Data type | Default retention | Configurable |
|---|---|---|
| Panel responses | Until panel deletion | Yes |
| News articles | 90 days | Yes |
| Visitor cookies | 2 years | Yes |
| Payment records | 7 years (PCI compliance) | No |
| Audit log entries | Indefinite | Yes |
| API usage logs | 90 days | Yes |
Review the code yourself
Panel Studio is source available under BSL 1.1. Read the licensing terms, inspect the codebase, and verify every security claim before you deploy.