Methodology

Accounts and cloud sync

Monty & Co is local-first. Every tool — Beau-Tie, Project Risk Quantification, and Event Risk Exposure — works fully in your browser with no account, no sign-in, and no network round-trip. Your work is saved to the browser's localStorage as you go, and you can export it to a JSON file at any time. Signing in is optional, and it adds exactly one thing: your records follow you across devices.

This page explains how that works — how you sign in, where your data lives in each mode, what happens the first time you sign in with existing local work, and the security model that keeps your data yours.

Two modes: local and cloud

At any moment, each tool is operating in one of two storage modes. You can tell which from the small pill in the tool's header.

Local mode (signed out)

The default. Your current bow tie, register, or event-risk model is saved to localStorage in the browser you're using. It never leaves your device. There's no pill in the header because local-only isthe baseline — nothing to advertise. Close the tab, come back tomorrow, your work is still there. Switch to a different computer, though, and it's not — localStorage is per-browser, per-device.

Cloud mode (signed in)

Once you sign in, saves route to the cloud instead. A teal “Cloud” pill appears in the header to confirm it. Your record is written to a private, per-user row in the database, and any device you sign in from pulls the same record back. Edit on your laptop, open the tool on your desktop later, and you pick up where you left off.

Signing in: the magic link

Monty & Co uses magic-link sign-in. You enter your email, we send you a one-time link, you click it, and you're in. There is no password to choose, remember, reset, or have leaked in someone else's data breach.

The flow, step by step:

  1. On /sign-in, you enter your email and press Send magic link.
  2. We ask the authentication service to email you a sign-in link. The link contains a single-use code tied to the browser you started from.
  3. You open the email and click the link. It returns you to the app at /auth/callback, which exchanges the code for a session and then drops you back on the page you started from.
  4. Your session is stored in the browser and refreshed automatically, so you stay signed in across visits until you explicitly sign out.

Why magic links, and not passwords?

Passwords are a liability for a tool like this. They get reused across sites, they show up in breach dumps, and they push the security burden onto you. Magic links remove that entire surface: there's nothing to steal because there's nothing stored. For a tool you reach for when a risk assessment is due — not five times a day — the one extra click is a fair trade for never managing another password. Single sign-on (Google / Microsoft) and passkeys are on the roadmap for organisations that want them; passwords are not.

Your first sign-in with existing local work

If you've been using a tool signed out and then create an account, you'll have a record in both places: the one in your browser (local) and a fresh, empty cloud slot. Monty & Co never silently overwrites either. Instead, when it detects you have local work alongside a cloud record, a migration banner appears at the top of the tool with two explicit choices:

  • Promote local to cloud — copy your local record up to the cloud, replacing whatever was there. Use this when the local work is the version you care about.
  • Keep cloud (discard local) — leave the cloud record as-is and clear the local copy. Use this when the cloud already has what you want.

You can also dismiss the banner to decide later; it reappears next session while the local data is still around. The same choices — plus the ability to delete either copy outright — live permanently on your /account page under Your records, with one block per tool showing exactly what's in the cloud and what's on the current device.

What lives in your account

When you're signed in, three kinds of data sync to your private cloud space:

  • Records — one per tool: your current bow tie, your PRQ register, and your event-risk model.
  • Default risk matrix — the 5×5 matrix new bow ties and registers inherit. Edit it once and every device picks up the change.
  • Profile— your name, role, company, and industry. Your company name auto-fills into new records so you don't retype it. All optional.

The security model

Cloud storage is protected by row-level security at the database level. Every row carries the ID of the user who owns it, and the database enforces a single rule on every read and write: you can only ever touch rows where the owner is you. This isn't a filter the app applies and could forget — it's enforced by the database itself, underneath the application, on every query. Even if there were a bug in the app, the database would still refuse to hand one user another user's data.

Anonymous (signed-out) access to these tables is revoked entirely. The only credential the browser holds is a short-lived session token scoped to your account, refreshed automatically and cleared when you sign out.

Signing out

Sign out from the account chip in any tool's header, or from the /account page. Your session is cleared from the browser and the tools revert to local mode. Your cloud records stay safely in your account, waiting for the next time you sign in. Any record you'd been editing in cloud mode stays on screen — signing out doesn't wipe your working view, it just changes where the next save goes.