Security-first PDF redaction

Your documents are processed locally in your browser. Nothing is uploaded by default. Only cryptographic hashes are stored server-side for tamper-evident verification.

Client-side processing

Documents are processed in your browser using WebAssembly and local AI models

No file uploads

Your PDF files never leave your device. The optional Precision Engine sends only extracted text, never files.

Tamper-evident exports

Ed25519 signatures and SHA-256 hashes verify redaction integrity

No upload by default - what stays local

When you open a document in RedactProof, everything happens inside your browser. The PDF is rendered, text is extracted, and PII detection runs locally - using pattern matching on every plan, and an on-device AI model on paid plans.

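This means your files are never transmitted over the network, and there is no server-side processing of them. Unless you enable the optional Precision Engine, which sends extracted text only, no document content leaves the browser tab. The browser tab is the boundary.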

Stays on your device

  • Original PDF files
  • Extracted text content (sent only if you enable the optional Precision Engine)
  • Detection results
  • Redacted output files
  • AI model weights (cached in browser)

Sent to our servers (paid plans only)

  • Cryptographic hash of the redacted file (SHA-256)
  • Certificate metadata (timestamp, entity counts)
  • Your email for certificate attribution

Hashes are one-way - the original content cannot be reconstructed from them.

Two detection engines, different trust models

RedactProof offers two levels of PII detection. Both include unlimited pattern-based recognition (emails, phone numbers, Social Security numbers, and more). The difference is how AI-powered detection works.

Standard engine (all paid plans)

Fully on-device

AI detection runs entirely in your browser using a local AI model. No text is sent anywhere. Ideal when documents cannot leave your network under any circumstances.

  • Zero network requests
  • Works offline after first load
  • Pattern + AI detection combined

Precision Engine (Pro & Team plans)

Cloud-assisted (opt-in, text only)

An optional upgrade you choose to enable. Extracted text - not the PDF file - is routed through Cloudflare Workers AI for enhanced detection. Text is processed in memory, never persisted, and never used for model training.

  • Only extracted text sent (not files)
  • Processed in memory, not stored
  • Cloudflare infrastructure (data privacy-compliant)

See our privacy policy for details on data processing locations.

What is stored server-side and why

RedactProof stores the minimum data needed to operate the service. Document content is never stored on our servers.

Data | Purpose | Retention
Email address | Account authentication and certificate attribution | Until account deletion
SHA-256 hashes (original + redacted file) | Tamper-evident verification - proves which document was redacted and that the output has not been modified since | Until account deletion
Certificate metadata | Timestamp, entity counts, certificate ID for QR verification | Until account deletion
Subscription data | Plan tier, billing status (via Stripe) | Until account deletion

Hashes and encryption, explained

Two terms get conflated when people read "hash" - so it is worth being precise about what we do, and what we don't.

What a hash actually is

A hash is a short, fixed-length fingerprint of an entire file. Run the same file through SHA-256 and you always get the same 64-character string back. Change a single byte and the entire hash changes.

SHA-256 of redacted-2026-05-09.pdf:
9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08

  • Calculated once over the whole file - not over its contents continuously
  • One-way: you cannot reverse a hash back into the document
  • We store one hash for the original and one for the redacted output, so verification can prove a specific input produced a specific output and that neither has been altered since

A hash is not encryption. There is no key, nothing to decrypt - it is a fingerprint, not a locked box.

Encryption we do use

  • In transit: all traffic between your browser and our servers runs over TLS 1.3 (HTTPS). That covers account data, hash submission, and Precision Engine text.
  • At rest: the small amount of account data we hold (email, hashes, certificate metadata) sits in Cloudflare D1 and R2, both encrypted at rest by Cloudflare's infrastructure.

Why we don't offer end-to-end encryption

E2EE solves a specific problem: data passing through a server you would rather not trust. Our architecture removes that problem at the source - your document content never leaves your device, so there is nothing for end-to-end encryption to protect that on-device processing isn't already protecting more directly.

Put plainly: you cannot lose data we never receive.

What this architecture prevents

Server-side data breach

If our servers were compromised, attackers would find hashes and metadata - not documents. There is no document content to exfiltrate.

Man-in-the-middle interception

Standard engine users transmit zero document data. Precision Engine users transmit only extracted text, encrypted in transit via TLS.

Insider access

Our team cannot access your documents because we never receive them. Database access shows hashes, not content.

Redaction tampering

Ed25519 digital signatures and SHA-256 hashes on verification certificates detect any modification to redacted exports.

Permanent redaction via pixel-burn

RedactProof uses pixel-burn redaction rather than overlay-based redaction. Each page is rendered to a raster image, redaction boxes are burned into the pixels, and a new PDF is generated from the result.

This means the original text beneath a redaction is physically destroyed - it cannot be recovered by removing an annotation layer, copying text, or inspecting the PDF structure. The redaction is irreversible by design.

Learn more about the difference in our guide: Overlay vs pixel-burn redaction.

Frequently asked questions

Can I use RedactProof offline?

After the initial page load (which downloads the app and AI model), the standard detection engine works without an internet connection. You will need connectivity for certificate generation and the Precision Engine.

Where is my data stored?

Document files stay in your browser and are never uploaded. Account data and certificate hashes are stored on Cloudflare's infrastructure. Precision Engine text processing uses Cloudflare Workers AI. See our privacy policy for full details.

Is RedactProof suitable for data privacy-regulated documents?

RedactProof is designed with compliance with North American privacy laws (CCPA, PIPEDA, and state regulations) in mind. Client-side processing means document content is not shared with us, which simplifies your data processing obligations. Verification certificates provide an auditable record of redaction for compliance purposes.

What happens if I delete my account?

All server-side data is permanently deleted, including your email, certificate records, and subscription data. Since we never store your documents, there are no files to delete on our end.

How does certificate verification work?

When you export a redacted document, RedactProof generates an Ed25519 digital signature and SHA-256 hash. Recipients can verify the document has not been tampered with by scanning the QR code on the certificate page, uploading the file, or entering the certificate ID. Learn more in our verification documentation.
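
How the SHA-256 hash and the Ed25519 signature described above work together to make an export tamper-evident, as an added example that is not RedactProof's own code. The certificate fields, their serialization, the certificate ID and the key pair are assumptions made for illustration.

```javascript
// Added example: certificate fields and serialization are assumptions,
// not RedactProof's actual format. Uses only Node.js built-in crypto.
const crypto = require('node:crypto');

const sha256Hex = (bytes) => crypto.createHash('sha256').update(bytes).digest('hex');

// Fixed field order so signer and verifier sign and check identical bytes.
const canonical = (c) => Buffer.from(JSON.stringify(
  [c.certificateId, c.timestamp, c.entityCount, c.originalSha256, c.redactedSha256]));

function issueCertificate(privateKey, fields, originalBytes, redactedBytes) {
  const cert = {
    ...fields,
    originalSha256: sha256Hex(originalBytes),
    redactedSha256: sha256Hex(redactedBytes),
  };
  // Ed25519 has no separate digest step, hence the null algorithm argument.
  cert.signature = crypto.sign(null, canonical(cert), privateKey).toString('base64');
  return cert;
}

function verifyExport(publicKey, cert, fileBytes) {
  // 1. Signature: the certificate fields are unchanged since issuance.
  const sig = Buffer.from(cert.signature, 'base64');
  if (!crypto.verify(null, canonical(cert), publicKey, sig)) return 'certificate-tampered';
  // 2. Hash: this file is byte-for-byte the one the certificate describes.
  return sha256Hex(fileBytes) === cert.redactedSha256 ? 'valid' : 'file-modified';
}

// Constructed sample data: a throwaway key pair and stand-in file contents.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const original = Buffer.from('%PDF-1.7 constructed original with a name in it');
const redacted = Buffer.from('%PDF-1.7 constructed redacted output');
const cert = issueCertificate(
  privateKey,
  { certificateId: 'CERT-EXAMPLE-0001', timestamp: '2026-05-09T12:00:00Z', entityCount: 3 },
  original, redacted);

// A modified file, and a certificate edited to match it without re-signing.
const altered = Buffer.concat([redacted, Buffer.from(' ')]);
const forged = { ...cert, redactedSha256: sha256Hex(altered) };

console.log(verifyExport(publicKey, cert, redacted));  // untouched export
console.log(verifyExport(publicKey, cert, altered));   // one byte appended
console.log(verifyExport(publicKey, forged, altered)); // hash swapped in certificate
```

The third case is why the hash is signed: a bare hash detects a changed file, but only the signature detects someone replacing the hash to match the changed file.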

Try it in your browser

No installation. No upload. Open a PDF and start redacting.