Quick Verification Test (60 Seconds)
Before you use any CSV tool with sensitive data, run this test:
- Open Chrome DevTools — Press F12 (Windows/Linux) or Cmd+Option+I (Mac)
- Click the Network tab — then click the Clear button (🚫) to clear existing requests
- Upload a test CSV file — use a file with fake data for the test itself
- Filter by Fetch/XHR — click the "Fetch/XHR" filter button in the Network tab
- Look for POST requests — any POST request containing your file data means the tool uploaded it
If you see nothing after filtering: the file was processed locally. If you see a POST request with your file data: it was uploaded to a server.
Continue reading for the full walkthrough, the offline test, and how to interpret what you find.
Quick Answer
How do you verify a CSV tool is truly client-side?
Open Chrome DevTools (F12), go to the Network tab, clear existing requests, upload a test CSV file, then filter by Fetch/XHR. If you see a POST request containing your file data, the tool uploaded it to a server. If no such request appears, the file was processed locally. Confirm with the offline test: disconnect from WiFi and run a processing operation — if it completes, the tool is genuinely client-side.
Verification Decision Tree
Use this tree during any vendor evaluation. Each branch leads to a clear action.
Does the Network tab show a POST request containing your file data
after uploading a test CSV?
│
├─ YES → Tool is server-side
│ │
│ ├─ Does the vendor offer a signed DPA? (EU personal data)
│ │ ├─ YES → DPA signed → proceed with GDPR safeguards in place
│ │ └─ NO → Do not use for EU personal data (Art. 28 violation risk)
│ │
│ └─ Does the vendor offer a signed BAA? (PHI / HIPAA data)
│ ├─ YES → BAA signed → proceed with HIPAA safeguards
│ └─ NO → Do not use for patient data (HIPAA violation risk)
│
└─ NO → Run the offline test
│
├─ Processing completes offline?
│ ├─ YES → Tool is genuinely client-side ✅
│ │ (Confirm with Web Worker check for full confidence)
│ └─ NO → Tool requires server connection — re-examine Network tab
│ (May use async transmission or WebSocket — inspect further)
│
└─ Web Workers visible in DevTools Sources tab?
├─ YES → Strong evidence of local browser-based processing ✅
└─ NO → Tool may use main thread processing — not a red flag,
but verify with offline test to confirm no server dependency
TL;DR: "Privacy first" and "no data stored" are cheap claims. Chrome DevTools Network tab shows every network request a page makes — including file uploads. This 3-step test (Network tab, offline check, Web Worker verification) tells you in 60 seconds whether a CSV tool is genuinely client-side or is uploading your files behind a privacy-first label. We pass the test ourselves — here's how to run it.
Privacy claims are free. "Your data never leaves your device." "100% private." "Zero uploads." These phrases appear on dozens of CSV tool landing pages. Some of them are architecturally true. Some are marketing copy with no technical basis.
You are being asked to trust these claims before uploading customer records, financial data, or patient information. And most teams just do. The website looked credible. The reviews were good. Someone used it last week without incident.
There is a test that takes 60 seconds and requires no technical background. It uses a tool that comes built into every modern browser. It produces definitive, visual evidence — not an opinion about trust, but a log of every network request the tool made while processing your file. If the tool uploaded your file, you'll see the request. If it didn't, you'll see nothing.
This guide walks through that test in detail. Then it covers two additional checks — an offline test and a Web Worker verification — that between them give you complete confidence in a tool's processing architecture.
All DevTools steps in this guide were validated against the Chrome 122 DevTools documentation and tested directly on SplitForge tools, March 2026. Each test was run on Windows 11 with Chrome 122 and reproduced on macOS with Chrome 122 to confirm cross-platform consistency. The offline test and Web Worker verification steps were developed specifically for CSV privacy evaluation through our own internal tool review process.
Table of Contents
- What DevTools Shows You
- The Network Tab Test: Step by Step
- How to Read the Results
- The Offline Test
- The Web Worker Verification
- What to Do If a Tool Fails the Test
- Running the Test on SplitForge
- Additional Resources
- FAQ
This guide is for: Anyone who processes sensitive data in CSV tools and wants verifiable proof of the tool's privacy architecture before trusting it with real data.
What DevTools Shows You
Chrome DevTools is a set of developer tools built directly into the Chrome browser. No installation required. It includes a Network panel that logs every HTTP request the current page makes — every file loaded, every API call sent, every data upload transmitted.
When a CSV tool uploads your file to a server, that upload is an HTTP request. It appears in the Network panel with a POST method and a payload containing your file contents. You can see the request, the destination URL, and the data that was sent.
When a CSV tool processes your file locally in the browser — using the browser's File API and Web Worker threads — no HTTP request is made for the file contents. The Network panel stays quiet. Nothing is sent.
The DevTools Network tab is the most direct, unambiguous evidence available for whether a tool uploads files. It is more reliable than a privacy policy (which describes intent) and more definitive than a vendor's architecture diagram (which describes design). It shows you what actually happened.
The Network Tab Test: Step by Step
Use a file with fake or dummy data for this test. You are verifying the tool's architecture, not processing real sensitive data.
Step 1: Open Chrome DevTools
Press F12 on Windows or Linux. Press Cmd+Option+I on Mac. Alternatively, right-click anywhere on the page and select "Inspect" from the context menu.
DevTools will open, usually docked to the right or bottom of your browser window.
Step 2: Navigate to the Network Tab
Click the Network tab in the DevTools toolbar. It is one of the tabs across the top of the DevTools panel, typically between "Elements" and "Sources."
If the Network panel shows existing requests from page load, click the Clear button — it looks like a circle with a line through it (🚫) in the Network panel toolbar. You want to start from a clean log.
Step 3: Enable Preserve Log
Check the Preserve log checkbox in the Network panel toolbar. This prevents the log from being cleared if the page navigates or reloads during file processing. Some tools redirect or refresh after processing — without Preserve Log, the evidence disappears.
Step 4: Upload Your Test CSV File
Use the CSV tool's normal upload interface. Drag your test file in, or click the upload button. Do everything you would normally do to process a file in the tool.
Step 5: Filter by Fetch/XHR
Click the Fetch/XHR button in the Network panel filter row. This filters the log to show only API requests and file uploads — removing the noise of CSS files, images, and JavaScript that load as part of the page.
Step 6: Look for POST Requests
Examine the filtered request list. You are looking for:
- POST requests (visible in the "Method" column)
- Large payloads — file uploads are large; you may see the file size in the "Size" column
- Destination URLs that are not your local machine — any external domain in the "Name" or "Domain" column indicates server communication
To inspect any request in detail, click on it. The "Headers" tab shows the method and URL. The "Payload" tab shows the data that was sent — if your file contents are visible there, the file was uploaded.
How to Read the Results
No POST requests after filtering: the tool is client-side for this operation. Your file was processed locally. You can also verify this by checking whether any of the remaining requests in the filtered list contain data from your file — they should not.
One or more POST requests visible after filtering: click on each to inspect the payload. If the payload contains rows from your CSV, the file was uploaded. Note the destination domain — this tells you which server received your data.
POST request to the tool's own domain but with a small payload: this may be a legitimate server-side action unrelated to the file itself (e.g., logging an event, calling an API for a lookup). Check the payload size and contents. A file upload will have a payload size roughly equal to your file size.
No requests at all, not even after the file is processed: this can indicate client-side processing OR a tool that batches and sends data asynchronously after a delay. Run the offline test (next section) to confirm.
Network Request Reference Table
Use this table to quickly interpret what you see in the filtered Network tab. Save or screenshot it for future vendor evaluations.
| What You See in Network Tab | What It Means | Action |
|---|---|---|
| POST request with payload size ≈ your file size | File uploaded to server | Check DPA/BAA status before using for sensitive data |
| POST request to external domain with small payload (< 1KB) | Telemetry or analytics event — not a file upload | Inspect payload; likely not your file data |
| GET requests only after filtering | Tool is fetching resources, not transmitting your data | Likely client-side — confirm with offline test |
| No requests at all after filtering | Processing is purely local (no network calls) | Strong client-side signal — run offline test to confirm |
POST to /upload, /process, /api/file or similar | File processing route on external server | File is being processed server-side |
| WebSocket connection open during processing | Could be real-time server processing | Inspect WebSocket frames for file content |
| POST to analytics domain (e.g., Google, Mixpanel) after upload | Usage tracking — not file transmission | Normal; not a privacy concern for file contents |
Reading the payload: Click any POST request → open the Payload tab in the request details panel. If you see column names, email addresses, or row values from your test CSV, the file was transmitted. If the payload contains only event names, session tokens, or structured metadata, it is not a file upload.
The Offline Test
The offline test is faster and even more definitive for confirming local processing.
- Open the CSV tool in your browser
- Wait for the page to fully load
- Disconnect from the network — turn off WiFi, or pull the ethernet cable
- Attempt to process a CSV file through the tool's normal workflow
If the tool processes the file completely: it is genuinely client-side. All processing logic is already in your browser. It does not need a server connection to do its work.
If the tool fails, hangs, or throws an error: it requires a server connection for file processing. The file is being sent to a remote server.
Note: some client-side tools may have features that require a network connection — saving preferences, account authentication, or optional cloud features. The question is specifically whether file processing itself requires the connection. If the core processing completes offline, the tool is client-side for that operation.
Firefox users: The equivalent test in Firefox uses the Developer Tools Network Monitor. Open it with F12, select the Network tab, and filter by "XHR" requests. The logic is identical — any POST request containing your file data indicates server-side processing. Firefox's Network Monitor also shows request payloads when you click on individual requests.
The Web Worker Verification
Web Workers are the technical mechanism that allows browser-based tools to process large files without freezing the browser interface. A genuine client-side CSV tool will use a Web Worker for processing. You can verify this in DevTools.
- With DevTools open, click the Sources tab
- In the left panel, look for a section called Threads or expand the page's source tree
- A tool using Web Workers will show one or more worker threads active during file processing
Alternatively, go to the Application tab in DevTools and look for Service Workers in the left navigation. While Service Workers and Web Workers are different technologies, both appear in the Application panel and indicate that background processing is occurring within the browser.
The presence of Web Worker activity during file processing is strong evidence of a client-side architecture. It means the tool is using the browser's own multi-threading capability — not a server — to handle computation.
What to Do If a Tool Fails the Test
If the Network tab shows your file being uploaded to a server, you now have definitive evidence that the tool is not client-side for that operation. What you do next depends on what data you were planning to process.
For general business data (no PII): The tool is not privacy-first as claimed, but the risk may be acceptable depending on your data sensitivity and the tool's security posture. Review their privacy policy carefully.
For EU personal data: If the tool is a server-side processor and you do not have a signed Data Processing Agreement with them, you should not use it for EU personal data. See our GDPR Article 28 guide for the full analysis.
For PHI: If the tool is server-side and you do not have a signed Business Associate Agreement, do not use it for patient data under any circumstances. See our HIPAA and CSV files guide.
For any sensitive data: Document what you found. If the tool's marketing claims are inconsistent with its actual network behavior, that gap itself is relevant to your vendor evaluation.
Running the Test on SplitForge
SplitForge processes files entirely in your browser using Web Worker threads and the browser's File API. You can verify this yourself — we encourage it.
- Open any SplitForge tool (try the Data Masking tool)
- Open Chrome DevTools and navigate to the Network tab
- Clear existing requests and enable Preserve Log
- Upload a test CSV file and run a processing operation
- Filter by Fetch/XHR in the Network tab
What you will see: JavaScript asset loads, authentication requests if you are logged in, and analytics events — but no POST request containing your file data. The file processing itself produces no network traffic, because it occurs entirely in a Web Worker thread within your browser.
You can also disconnect from WiFi after page load and confirm that file processing continues. The processing logic is loaded as JavaScript and runs locally — it does not require a server connection.
We publish this test because we believe tool evaluation should be based on verifiable evidence. If you run it and find anything unexpected, contact us at [email protected].
Additional Resources
Browser Developer Tools Documentation:
- Chrome DevTools: Inspect Network Activity — Official Chrome documentation for the Network panel
- Chrome DevTools: Network Features Reference — Complete reference for filtering, inspecting, and analyzing network requests
Web APIs Used in Client-Side Processing:
- MDN: Web Workers API — How browser threading works; why Web Workers enable local processing
- MDN: File API — How browsers read local files without uploading them
Further Reading:
- SplitForge: How Browser CSV Processing Works — Technical architecture of client-side processing: Web Workers, File API, memory management