JASP is installed and run locally, which means that administrators retain full control of the access rights granted to JASP. JASP never uploads any data and does not use the “cloud”: all data stay on the user’s local system where it is also processed.
JASP releases are digitally signed on every supported platform. This ensures the integrity and origin of installers and executable files. On Windows, we enhance user security by sandboxing the R environment that handles data processing (from JASP 0.95.0 onward). By default, this sandbox has no access to files or the internet, greatly reducing vulnerability risks from R or its packages, including supply-chain attacks (see FAQ How does sandboxing help security? for more details).
As an open-source application, JASP’s source code is publicly available, allowing anyone to review and compile it independently. All proposed new JASP code undergoes code-review by our expert contributors, and existing code is subject to unit tests and manual testing prior to each release. JASP has been tested and reviewed positively by Softpedia. Our HECVAT is available here.