Security-first PDF redaction
Your documents are processed locally in your browser. Nothing is uploaded by default. Only cryptographic hashes are stored server-side for tamper-evident verification.
Client-side processing
Documents are processed in your browser using WebAssembly and local AI models
No file uploads
Your PDF files never leave your device. The optional Pro engine sends only extracted text, never files.
Tamper-evident exports
Ed25519 signatures and SHA-256 hashes verify redaction integrity
No upload by default - what stays local
When you open a document in RedactProof, everything happens inside your browser. The PDF is rendered, text is extracted, and PII detection runs locally - using pattern matching on every plan, and an on-device AI model on paid plans.
This means that, by default, your document content is never transmitted over the network. There is no server-side processing of your files. The browser tab is the boundary.
Stays on your device
- Original PDF files
- Extracted text content
- Detection results
- Redacted output files
- AI model weights (cached in browser)
Sent to our servers (paid plans only)
- Cryptographic hash of the redacted file (SHA-256)
- Certificate metadata (timestamp, entity counts)
- Your email for certificate attribution
Hashes are one-way - the original content cannot be reconstructed from them.
Two detection engines, different trust models
RedactProof offers two levels of PII detection. Both include unlimited pattern-based recognition (emails, phone numbers, National Insurance numbers, and more). The difference is how AI-powered detection works.
Fully on-device
AI detection runs entirely in your browser using a local ONNX model. No text is sent anywhere. Ideal when documents cannot leave your network under any circumstances.
- Zero network requests
- Works offline after first load
- Pattern + AI detection combined
Cloud-assisted (opt-in, text only)
An optional upgrade you choose to enable. Extracted text - not the PDF file - is sent to Cloudflare Workers AI for enhanced detection. Text is processed in memory, never persisted, and never used for model training.
- Only extracted text sent (not files)
- Processed in memory, not stored
- Cloudflare infrastructure (GDPR-compliant)
Processing may occur outside the UK/EEA via Cloudflare's global network. See our privacy policy for details on international transfers.
What is stored server-side and why
RedactProof stores the minimum data needed to operate the service. Document content is never stored on our servers.
| Data | Purpose | Retention |
|---|---|---|
| Email address | Account authentication and certificate attribution | Until account deletion |
| SHA-256 hash of redacted file | Tamper-evident verification - proves a document has not been modified | Until account deletion |
| Certificate metadata | Timestamp, entity counts, certificate ID for QR verification | Until account deletion |
| Subscription data | Plan tier, billing status (via Stripe) | Until account deletion |
Hashes are cryptographic one-way functions. The original document content cannot be reconstructed from a hash.
What this architecture prevents
Server-side data breach
If our servers were compromised, attackers would find hashes and metadata - not documents. There is no document content to exfiltrate.
Man-in-the-middle interception
Standard engine users transmit zero document data. Pro engine users transmit only extracted text, encrypted in transit via TLS.
Insider access
Our team cannot access your documents because we never receive them. Database access shows hashes, not content.
Redaction tampering
Ed25519 digital signatures and SHA-256 hashes on verification certificates detect any modification to redacted exports.
Permanent redaction via pixel-burn
RedactProof uses pixel-burn redaction rather than overlay-based redaction. Each page is rendered to a raster image, redaction boxes are burned into the pixels, and a new PDF is generated from the result.
This means the original text beneath a redaction is physically destroyed - it cannot be recovered by removing an annotation layer, copying text, or inspecting the PDF structure. The redaction is irreversible by design.
Learn more about the difference in our guide: Overlay vs pixel-burn redaction.
Frequently asked questions
Can I use RedactProof offline?
After the initial page load (which downloads the app and AI model), the standard detection engine works without an internet connection. You will need connectivity for certificate generation and the Pro Detection Engine.
Where is my data stored?
Document files stay in your browser and are never uploaded. Account data and certificate hashes are stored on Cloudflare's infrastructure. Pro Detection Engine text processing uses Cloudflare Workers AI, which may process data outside the UK/EEA. See our privacy policy for full details.
Is RedactProof suitable for GDPR-regulated documents?
RedactProof is designed with General Data Protection Regulation (GDPR) compliance in mind. Client-side processing means document content is not shared with us, which simplifies your data processing obligations. Verification certificates provide an auditable record of redaction for compliance purposes.
What happens if I delete my account?
All server-side data is permanently deleted, including your email, certificate records, and subscription data. Since we never store your documents, there are no files to delete on our end.
How does certificate verification work?
When you export a redacted document, RedactProof generates an Ed25519 digital signature and SHA-256 hash. Recipients can verify the document has not been tampered with by scanning the QR code on the certificate page, uploading the file, or entering the certificate ID. Learn more in our verification documentation.
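The check a recipient performs can be sketched in Node.js as follows. This is an added example, not RedactProof's own code: the certificate layout, the field names (`certificateId`, `issuedAt`, `entityCount`, `fileSha256`, `signature`) and the choice to sign the hash together with the metadata are assumptions made for illustration.

```javascript
// Added example: the certificate layout and field names are assumptions.
const crypto = require('node:crypto');

const sha256Hex = (bytes) => crypto.createHash('sha256').update(bytes).digest('hex');

// Serialize the signed fields in a fixed order so signer and verifier
// hash exactly the same bytes.
function signedBytes(cert) {
  return Buffer.from(JSON.stringify(
    [cert.certificateId, cert.issuedAt, cert.entityCount, cert.fileSha256]));
}

// Issuer side: bind the export's hash and metadata under one signature.
function issueCertificate(fileBytes, meta, privateKey) {
  const cert = { ...meta, fileSha256: sha256Hex(fileBytes) };
  cert.signature = crypto.sign(null, signedBytes(cert), privateKey).toString('base64');
  return cert;
}

// Recipient side: returns 'valid', 'bad-signature' or 'file-modified'.
function verifyExport(fileBytes, cert, publicKey) {
  let signatureOk = false;
  try {
    signatureOk = crypto.verify(null, signedBytes(cert), publicKey,
      Buffer.from(cert.signature, 'base64'));
  } catch {
    signatureOk = false; // missing or malformed signature field
  }
  // Check the signature first: an unsigned hash proves nothing.
  if (!signatureOk) return 'bad-signature';
  return sha256Hex(fileBytes) === cert.fileSha256 ? 'valid' : 'file-modified';
}

// Constructed sample data: a throwaway key pair and stand-in file bytes.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const exported = Buffer.from('%PDF-1.7 constructed redacted export');
const cert = issueCertificate(exported,
  { certificateId: 'EXAMPLE-0001', issuedAt: '2025-01-01T00:00:00Z', entityCount: 3 },
  privateKey);

const tamperedFile = Buffer.concat([exported, Buffer.from(' extra')]);
const rehashedCert = { ...cert, fileSha256: sha256Hex(tamperedFile) };

console.log(verifyExport(exported, cert, publicKey));
console.log(verifyExport(tamperedFile, cert, publicKey));
console.log(verifyExport(tamperedFile, rehashedCert, publicKey));
```

The third case shows why the hash alone is not enough: someone who alters the file can recompute the SHA-256, but cannot produce a valid signature over the new value without the signing key.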
Try it in your browser
No installation. No upload. Open a PDF and start redacting.