Measure Killer Measure Killer
Trust Center

Built for IT review. Designed to stay out of your way.

Your data does not leave your machine. Scans read metadata only — and write back to a model solely when you choose to remove unused fields. Documentation below for your security team.

No data leaves your machine

Measure Killer Free runs entirely on your desktop. Your .pbix files, models, and DAX never leave your device — there is no telemetry of model contents.

Read-only by default

Tenant scans read Power BI / Fabric metadata in read-only mode — Measure Killer never changes your models on its own. The one exception is opt-in cleanup: when you choose to remove unused columns and measures, that change is written back over the XMLA endpoint. On an Enterprise license it needs Workspace Contributor plus XMLA Read/Write; on a Limited license it works only in the tool's admin modes, for tenant administrators.

Metadata-only interaction

Measure Killer only ever reads metadata — the names and definitions of tables, columns, measures, and reports, plus usage statistics. It never queries, processes, or pulls the actual data inside your models; the values in your tables are never read.

Customer-controlled

Enterprise scan results are stored on infrastructure you control. You configure retention, access, and export policies. We do not retain copies.

Doesn't online mode connect to the cloud?

Yes — but only to read metadata. Online and tenant scans sign in as you and pull metadata down from your own Power BI and Fabric APIs — never the actual data inside your models; the values in your tables are never read. The one thing ever written back is opt-in cleanup: if you choose to remove unused columns or measures, Measure Killer writes that change over XMLA to your own model — still your own Microsoft tenant, still metadata. Nothing is sent to Brunner BI or any third party except the license check (product version, username, license key, IP) — nothing about your models. Analysis runs locally, and scan results stay on infrastructure you control.

Need the full detail? The security whitepaper documents every connection, endpoint, and data-handling decision for your security team.

Architecture overview

How the desktop app connects to external services — what leaves your machine and what stays local.

USER'S MACHINE (WINDOWS DESKTOP) Measure Killer Desktop App Python 3.11 Analysis engine Qt 6.7 UI framework SQLite3 Activity logs (local) Local file analysis — .pbix · .rdl · .xlsx (Analyze in Excel) Metadata only: names, DAX expressions, model structure All analysis runs on-device · file contents are never transmitted Local Analysis Services Power BI Desktop / SSAS Mode 1: Single model Mode 2: Shared model on local machine No internet required (offline) XMLA LICENSE VERIFICATION On startup · HTTPS/TLS encrypted ● Primary (v2.9.3+) MK License API (Azure) Azure App Service · HTTPS :443 POST: version · username · license key · public IP ◌ Legacy (optional) Azure Event Hub *.servicebus.windows.net · AMQP/TLS :5671/:443 ◌ Optional License Blacklist measurekiller.com → raw.githubusercontent.com Public IP lookup · ifconfig.me (optional) Used in license payload only · graceful fallback MICROSOFT CLOUD Online modes 3–5 · OAuth2 · Read + opt-in write · HTTPS :443 Microsoft Identity (OAuth2 browser login) Power BI REST API api.powerbi.com Datasets, Reports, Admin Fabric REST API api.fabric.microsoft.com Items, Domains, Operations XMLA Endpoint (ADOMD) Power BI Premium / Fabric · HTTPS :443 Metadata only · read by default · writes back only on opt-in cleanup Scan results stored on your infrastructure, not at Brunner BI Access token in request headers · analysis runs locally after fetch AUXILIARY (ALL OPTIONAL) Blocked = graceful fallback · no Power BI data Date / Time (license check) postman-echo.com (primary · HTTPS :443) ↓ time.windows.com (NTP :123) ↓ pool.ntp.org · microsoft.com · cloudfare.com Version Check measurekiller.com HTTPS :443 Startup Message brunner.bi HTTPS :443 No Power BI metadata transmitted via these endpoints Primary license check still required on startup App functions offline if all optional connections blocked LEGEND Required connection (HTTPS/TLS) Optional — graceful fallback if blocked Bidirectional (local XMLA) Green Local · data never leaves machine Blue Microsoft infrastructure · OAuth2 + REST/XMLA Yellow Auxiliary · all optional · no Power BI data Teal Brunner BI license server · minimal metadata only (no Power BI data)

Documents

Everything your security team needs to review Measure Killer.

Security whitepaper →
Architecture, threat model, and data-handling details for IT review.
Privacy notice →
What we collect, what we don't.
DPA template Coming soon
Data Processing Addendum for EU/UK customers.
Sub-processor list Coming soon
Third-party services involved in delivering paid editions.

Compliance

Where we are today, and what we're working toward.

GDPR
Aligned
ISO 27001
In progress
SOC 2
Roadmap

Need something specific for your security review? Contact us and we'll respond within one business day.