# Product data handling & architecture
### How Tableau extensions work
Tableau Extensions (`.trex` files) are web applications that run **inside Tableau dashboards** using Tableau’s Extensions API.
Key security characteristics:
* Extensions cannot access data unless Tableau explicitly provides it
* Tableau governs authentication and permissions
* Extensions operate within Tableau’s security boundaries
* Data access is scoped to the workbook and user permissions
This ensures extensions cannot bypass Tableau’s built-in security model.
***
### Product-level data processing
Not all Apps for Tableau store or process data externally.
| **Product** | **Stores Data** | **Type of Data (if any)** |
| ------------------ | --------------- | ------------------------------------------------- |
| SuperTables | No | – |
| PowerKPIs | No | – |
| ShowMeMore | No | – |
| DrillDownTree | No | – |
| EasyDesigns | No | – |
| HierarchyFilter | No | – |
| Marginal Histogram | No | – |
| PictureThis | No | – |
| ProcessMining | No | – |
| DashboardGuide | No | – |
| WriteBackExtreme | Yes | – |
| MailScheduler | Yes | Audit logs, mailing lists (incl. email addresses) |
| DashboardUsage | Yes | Fingerprints, user actions |
### Share vs Enterprise security model
#### Share (SaaS)
* Hosted in segregated Azure environments
* Infrastructure managed by Infotopics
* Security controls aligned with ISO standards
* Customers manage Tableau permissions only
#### Enterprise (Self-hosted)
* Hosted in customer-controlled infrastructure
* Customers manage OS, network, access, and backups
* Infotopics provides the application and documentation
Both models use the same application codebase and follow the same security principles.
***
### Environment isolation
For Share deployments:
* Each customer operates in a segregated environment
* No data is shared between customers
* Logical and operational isolation is enforced
