Zero-storage architecture

Original files never leave your browser

Only extracted text reaches our API — with a no-log header ensuring it's immediately discarded. No files stored. No AI training.

Files stay in browser

Document files are processed entirely client-side using JavaScript. Original files are never uploaded to any server.

No-log API calls

Extracted text sent with anthropic-no-log: true headers. Not retained, not trained on.

Zero server storage

Job audit metadata (file names, detection counts, timestamps) stored in Supabase for audit purposes only. Document content is never written to any database or disk. Audit metadata is retained for 12 months and deleted on request per DPA terms.

Data flow

Where your data goes

01
Browser

File selection & parsing

PDFs rendered via PDF.js. DOCX, XLSX, EML, MSG parsed client-side. No data leaves the browser at this step.

02
Browser

Text extraction & inline regex

First-pass regex catches emails, phones, NI numbers, sort codes. All local.

03
In transit

AI detection API call

Extracted text — not the original file — sent over TLS 1.3 with anthropic-no-log: true headers.

04
In transit

Anthropic API (PII classification)

Claude classifies PII types and returns results. Per Anthropic's zero-retention API terms, text sent with no-log headers is not stored and not used for model training.

05
Browser

Detection results returned

Spans returned to browser. Document content never left. Results stored in IndexedDB locally.

06
Complete

Redacted output generated

Redacted file rendered client-side with █ blocks. Downloaded to your device. No copy stored anywhere.
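Steps 02 and 06 above, sketched as an added example (not SafeRedact's own code): a local regex pass that returns spans, and a redactor that masks those spans with █ blocks. The patterns, function names and sample text are assumptions made for illustration.

```javascript
// Added example. Patterns are simplified assumptions, not SafeRedact's rules.
const PATTERNS = {
  email: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g,
  // UK phone: +44 or a leading 0, then three digit groups.
  phone: /(?:\+44 ?|\b0)\d{2,4} ?\d{3,4} ?\d{3,4}\b/g,
  // National Insurance number: valid prefix letters, six digits, suffix A-D.
  ni_number: /\b[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z] ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b/g,
  // Sort code: three digit pairs separated by hyphens.
  sort_code: /\b\d{2}-\d{2}-\d{2}\b/g,
};

// Return every match as a span {type, start, end}, ordered by position.
function detect(text) {
  const spans = [];
  for (const [type, re] of Object.entries(PATTERNS)) {
    for (const m of text.matchAll(re)) {
      spans.push({ type, start: m.index, end: m.index + m[0].length });
    }
  }
  return spans.sort((a, b) => a.start - b.start);
}

// Replace each span with █ blocks. Overlapping spans (for example a regex hit
// and a classifier hit on the same value) are merged so no character is
// masked twice or left exposed between them.
function redact(text, spans) {
  let out = "";
  let cursor = 0;
  for (const s of [...spans].sort((a, b) => a.start - b.start)) {
    const start = Math.max(s.start, cursor);
    const end = Math.min(s.end, text.length);
    if (end <= start) continue;
    out += text.slice(cursor, start) + "█".repeat(end - start);
    cursor = end;
  }
  return out + text.slice(cursor);
}

// Constructed sample text, not real personal data.
const SAMPLE =
  "Contact jane.doe@example.com or 020 7946 0018. NI AB 12 34 56 C, sort code 12-34-56.";
const SPANS = detect(SAMPLE);
const REDACTED = redact(SAMPLE, SPANS);
console.log(SPANS.map((s) => s.type).join(", "));
console.log(REDACTED);
```

Masking character for character keeps offsets stable for later spans, but it also preserves the length of each redacted value.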

Data boundary

What leaves your browser vs. what doesn't

Stays in your browser:

Original document files
Rendered page images (PDFs)
Redacted output files
Detection checkpoint data (IndexedDB)
Data subject identity fields

Sent to detection API (text only):

Extracted plain text (not original files)
Sent with no-log & no-persist headers
Immediately discarded after classification
Not stored, not used for AI training
Transmitted over TLS 1.3

Sub-processors

Authorised sub-processors

All sub-processors maintain SOC 2 Type II certification. Controllers are notified of sub-processor changes per DPA terms. This list was last updated on 16 March 2026.

Anthropic (Claude API)
PII classification · SOC 2 Type II · San Francisco, USA

Receives extracted plain text only. Zero-retention API — text processed and immediately discarded. Not used for model training. Explicit anthropic-no-log: true headers on every request.

Vercel
Hosting & serverless compute · SOC 2 Type II · Global edge network

Serves static HTML/JS application and API endpoints. No document content is processed or stored by Vercel. Serverless functions act as a pass-through to Anthropic.

Supabase
Authentication & audit metadata · SOC 2 Type II · AWS eu-west-2 (London)

Stores user account data and job audit metadata (file names, detection counts, timestamps). No document content. Row-level security enforced. Data hosted in AWS eu-west-2.

Compliance

Regulatory posture

Built to support privacy regulations across jurisdictions.

EU GDPR / UK GDPR

Data processor under EU GDPR Article 28 and UK GDPR Article 28. Jurisdiction-specific DPAs available covering: lawful processing instructions, confidentiality obligations, sub-processor authorisation and notification, breach notification within 72 hours, data deletion upon termination, and audit rights.

CCPA / CPRA

Service provider. Personal information processed solely for PII detection and redaction — never sold, shared for cross-context behavioral advertising, or repurposed.

SOC 2 certified partners

All infrastructure partners maintain SOC 2 Type II. Zero-storage architecture eliminates the need to secure document content at rest.

Information security policies

SafeRedact maintains 13 documented information security policies covering: access control, incident response, change management, vendor management, data classification, business continuity, cryptography, logging & monitoring, and privacy. Policy documents available on request.

Security hardening

All API endpoints enforce CORS origin restrictions, rate limiting, and input validation. Security headers deployed: Content-Security-Policy, X-Frame-Options DENY, X-Content-Type-Options nosniff, Strict-Transport-Security (HSTS with preload), Referrer-Policy strict-origin-when-cross-origin, and Permissions-Policy. XSS protection enforced on all user-facing inputs via output escaping. TLS 1.3 on all connections.
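A reviewing security team can check a captured response against the header set listed above. The following is an added example, not SafeRedact's code; the function name and both sample header sets are constructed for illustration.

```javascript
// Added example: compare response headers with the set this page lists.
// Each entry is [lower-case header name, predicate on its value].
const EXPECTED = [
  ["content-security-policy", (v) => v.length > 0],
  ["x-frame-options", (v) => v.toUpperCase() === "DENY"],
  ["x-content-type-options", (v) => v.toLowerCase() === "nosniff"],
  ["strict-transport-security", (v) => {
    // The page claims HSTS with preload: require a positive max-age and
    // the preload directive.
    const m = /max-age=(\d+)/i.exec(v);
    return m !== null && Number(m[1]) > 0 && /(^|;)\s*preload\s*(;|$)/i.test(v);
  }],
  ["referrer-policy", (v) => v.toLowerCase() === "strict-origin-when-cross-origin"],
  ["permissions-policy", (v) => v.length > 0],
];

// Return one finding per header that is missing or has an unexpected value.
function auditSecurityHeaders(headers) {
  // Header names are case-insensitive, so normalise before lookup.
  const seen = new Map(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v).trim()])
  );
  const findings = [];
  for (const [name, ok] of EXPECTED) {
    if (!seen.has(name)) findings.push(`${name}: missing`);
    else if (!ok(seen.get(name))) findings.push(`${name}: unexpected value "${seen.get(name)}"`);
  }
  return findings;
}

// Constructed header sets, not captured from any real site.
const GOOD = {
  "Content-Security-Policy": "default-src 'self'",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=()",
};
const WEAK = {
  "X-Frame-Options": "SAMEORIGIN",
  "X-Content-Type-Options": "nosniff",
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "Referrer-Policy": "strict-origin-when-cross-origin",
};
console.log(auditSecurityHeaders(GOOD), auditSecurityHeaders(WEAK));
```

Presence checks only confirm that Content-Security-Policy and Permissions-Policy are set; the policy values themselves still need a manual read.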

Data retention & deletion

Document content is never stored server-side. Job audit metadata (file names, detection counts, processing timestamps) is retained for up to 12 months for audit trail purposes. Controllers may request deletion of all associated metadata at any time by contacting enterprise@saferedact.app. Deletion is completed within 30 days of request.

Questions about our architecture?

We're happy to walk through our security model with your privacy or security team.
