Enterprise DSAR Guide

How to process a DSAR with SafeRedact

From exporting data out of Purview or Outlook to delivering a fully redacted package to the data subject.

What is a DSAR?

A data subject access request (DSAR) is a formal request by an individual to receive a copy of the personal data an organisation holds about them, along with information on how it's used. Under UK GDPR and EU GDPR, you have one calendar month to respond. Under CCPA/CPRA, the deadline is 45 days (extendable by a further 45).

Before disclosing documents, you must redact all personal information belonging to third parties — colleagues, customers, or other individuals who appear in the data but are not the requester. This is the step SafeRedact Enterprise automates.

UK GDPR
1 calendar month from receipt of request. Extendable by 2 months for complex or numerous requests (with notification). No fee permitted in most cases.
CCPA / CPRA
45 days from receipt of verifiable consumer request. Extendable by 45 additional days with prior notice. No fee in most circumstances.

Step 1 — Export the data

SafeRedact processes individual files. Your first task is to export the relevant data from whatever system holds it — email, HR platform, CRM — into a format SafeRedact can consume.

Exporting from Microsoft Purview (recommended)

In the Purview compliance portal, create an eDiscovery case, run a content search scoped to the data subject, and export as individual MSG files (not PST). Export as a flat ZIP where possible.

Note on PST files: Re-export from Purview as individual files. Alternatively, open the PST in Outlook, select all messages, and drag to a folder on your desktop — Outlook saves each as an individual MSG. SafeRedact cannot process PST containers directly.

Other sources

| Source | Export format | Notes |
|---|---|---|
| Outlook (desktop) | MSG files via drag-to-folder | Preserves full message metadata |
| Gmail / Google Workspace | EML via Google Takeout | Download per-account or per-OU |
| HR / payroll systems | PDF, DOCX, XLSX exports | Export per employee record type |
| Slack | HTML or JSON export | Enterprise Grid supports per-user DM export |
| SharePoint / OneDrive | Download as files | Include all versions if requested |

Step 2 — Create a batch in SafeRedact

1. Sign in at saferedact.app/enterprise/app and start a new DSAR job.
2. Enter the data subject's details — name (first + last), email addresses (work and personal), phone number(s), NI number, employee ID, date of birth, and postal address. The more fields you provide, the more precisely the tool distinguishes the subject from third parties.
3. Upload files — drag a ZIP file or select individual documents. For large exports (20,000+ files), process in batches of ~1,000 files. The checkpoint system saves progress between sessions.
4. Start processing — the tool runs three concurrent workers, each processing one file at a time through the detection pipeline. Approximately 1,000 files per 10–15 minutes depending on content complexity.

Step 3 — Review detections

After processing, every file is displayed in the review panel with detected PII highlighted in context. You can accept detections, reject false positives, or manually select additional text for redaction.

The review step is the most important quality control mechanism. The AI typically catches 95%+ of PII — review handles the edge cases. Pay particular attention to documents where the subject shares a surname with a colleague, as the tool may preserve occurrences it cannot disambiguate.

Step 4 — Export

Export produces two outputs:

Redacted files

Each file with PII replaced by █ blocks. PDFs are flattened (image-based — no selectable text layer). DOCX and plain-text formats preserve original structure with redaction markers.

Audit report (CSV)

Lists every detection across all files — filename, PII type, redacted value, and confirmation status. Provides a defensible record for regulatory audit or legal challenge.
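
A post-export check built on the audit report, as an added example (not SafeRedact's own code): it confirms that no value marked as confirmed is still readable in the text of the redacted output. The column names `filename`, `pii_type`, `redacted_value`, `status` and the status value `confirmed` are assumptions; adjust them to the real report header.

```python
import csv
import io
import re

def _norm(text):
    """Case-fold and drop spaces/punctuation, keeping redaction blocks as boundaries."""
    return re.sub(r"[^\w█]+", "", text.casefold())

def find_leaks(audit_csv, redacted_texts):
    """Check confirmed detections against text extracted from the redacted files.

    audit_csv: report contents as a string (column names are assumed).
    redacted_texts: {filename: extracted text of the redacted output}.
    Returns (leaks, unchecked): leaks are (filename, pii_type, value) rows whose
    value is still readable; unchecked are report files with no text supplied,
    for example flattened PDFs that would need OCR first.
    """
    leaks, unchecked = [], set()
    for row in csv.DictReader(io.StringIO(audit_csv)):
        if row["status"].strip().lower() != "confirmed":
            continue  # rejected false positives are meant to stay visible
        name = row["filename"]
        if name not in redacted_texts:
            unchecked.add(name)
            continue
        needle = _norm(row["redacted_value"])
        if needle and needle in _norm(redacted_texts[name]):
            leaks.append((name, row["pii_type"], row["redacted_value"]))
    return leaks, sorted(unchecked)

# Constructed sample data (not real output from the tool).
AUDIT_CSV = """filename,pii_type,redacted_value,status
notes.txt,Full name,Sarah Mitchell,confirmed
notes.txt,Phone number,07700 900123,confirmed
notes.txt,Full name,Project Falcon,rejected
scan.pdf,Email address,s.mitchell@example.com,confirmed
"""
REDACTED = {
    "notes.txt": "Emergency contact: █████ ████████, tel 07700-900123. "
                 "Project Falcon kickoff is Monday.",
}

if __name__ == "__main__":
    leaks, unchecked = find_leaks(AUDIT_CSV, REDACTED)
    for filename, pii_type, value in leaks:
        print(f"LEAK      {filename}: {pii_type} still readable")
    for filename in unchecked:
        print(f"UNCHECKED {filename}: no extracted text supplied")
```

Because the report lists the redacted values themselves, keep it with your internal case records rather than in the package sent to the data subject.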

PII detection reference

| PII type | Examples / patterns | Detection method |
|---|---|---|
| Full names | First + last name combinations | AI classification |
| Email addresses | All formats and domains | Regex + AI |
| Phone numbers | UK, EU, and international formats | Regex + AI |
| UK National Insurance | QQ 12 34 56 A and variants | Regex |
| Postal addresses | Street, city, postcode combinations | AI classification |
| Dates of birth | DD/MM/YYYY and variants | AI classification |
| Bank details | Sort codes, account numbers, IBANs | Regex + AI |
| Passport / ID numbers | Document reference numbers | AI classification |
| Salary / compensation | Monetary amounts in HR context | AI classification |

What gets preserved

In DSAR mode, the data subject's information is preserved across all files. SafeRedact matches against all identity fields you provide — name, emails, phone numbers, NI number, date of birth, address, and employee ID. The more fields you provide, the more accurately the tool distinguishes the subject from third parties.

Handling shared surnames

If the data subject shares a surname with a colleague (e.g., subject "David Mitchell" and emergency contact "Sarah Mitchell"), SafeRedact uses smart matching: a multi-word name is only preserved if all words match the subject's name parts. "Sarah Mitchell" will be correctly redacted because "Sarah" is not a subject name part.
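
The matching rule described above, written out as an added example (an illustration of the stated rule, not SafeRedact's own code). The function names and the `review` verdict for a bare surname are assumptions of this sketch; the guide only states the multi-word rule.

```python
import re

def name_parts(name):
    """Case-folded word tokens; hyphens and apostrophes stay inside a token."""
    return re.findall(r"[^\W\d_]+(?:['’-][^\W\d_]+)*", name.casefold())

def classify_name(detected, subject_name):
    """Return 'preserve', 'redact' or 'review' for one detected name."""
    subject = set(name_parts(subject_name))
    words = name_parts(detected)
    if not words:
        return "redact"
    if len(words) >= 2:
        # Rule from the guide: keep a multi-word name only if every word
        # is one of the subject's name parts.
        return "preserve" if all(w in subject for w in words) else "redact"
    # Single word: a bare "Mitchell" could be the subject or a relative.
    # Sending it to manual review is this example's assumption.
    return "review" if words[0] in subject else "redact"

def classify_all(detections, subject_name):
    """Map each detected name to its verdict."""
    return {d: classify_name(d, subject_name) for d in detections}

# Constructed detections for the guide's example subject (not real data).
SAMPLES = ["David Mitchell", "MITCHELL, David", "Sarah Mitchell",
           "Mitchell", "D. Mitchell", "Sarah"]

if __name__ == "__main__":
    for name, verdict in classify_all(SAMPLES, "David Mitchell").items():
        print(f"{verdict:8}  {name}")
```

In this sketch "D. Mitchell" is redacted because the initial is not one of the subject's name parts; initials and bare surnames are the cases to look for during review.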

Frequently asked questions

Where are my files stored?
Nowhere. Your files never leave your browser. SafeRedact extracts text from each file client-side and sends only the extracted text to the detection API. The API has a zero-retention policy — text is processed and immediately discarded. No files, text, or detection results are stored on our servers.
What about the checkpoint system — doesn't that store data?
The checkpoint system uses your browser's IndexedDB (local storage on your machine). It stores detection results so you can resume processing across sessions. This data never leaves your device. You can clear it at any time using the "Clear saved progress" link.
What if the AI misses something?
The review step is designed for exactly this. Every detection is shown in context so you can verify before export. You can also select any text in the document and manually mark it for redaction. The AI typically catches 95%+ of PII — the review step handles the rest.
How long does processing take?
Approximately 1,000 files per 10–15 minutes depending on file sizes and content complexity. For a 20,000-item export, plan for 3–5 hours of processing spread across multiple batches. You can close the browser between batches — progress is saved locally.
Can multiple people work on the same DSAR job?
Not simultaneously — the checkpoint system is browser-local. One person processes and reviews. If you need to hand off, export the detection report CSV (which lists all detections across all files) and apply feedback in the tool.
What if my browser crashes mid-processing?
Re-upload the same files and click "Start Processing." The tool matches files by content hash and restores any previously completed detections from local storage. Only unprocessed files will be sent to the API.
Is SafeRedact ISO 27001 certified?
Certification is in progress (target Q3 2026). However, SafeRedact's architecture provides a smaller attack surface than most certified cloud tools: files never leave the browser (only the extracted text is sent to the detection API), the detection API has zero data retention, and infrastructure partners (Anthropic, Vercel, and Supabase) are SOC 2 Type II certified.

Getting help

For technical questions or issues during your pilot, contact us at support@saferedact.app. We typically respond within one business day.

Ready to process your first DSAR?

Start with a 100-file pilot to validate detection accuracy on your actual file types.
