Your data is valuable. That is why Redactorr was designed from the ground up to never touch it.

Browser-Only Processing: Detection and redaction run in your browser. Optional Vault, sharing, and AI workflows use processed or reviewed redacted context when you choose.

When you paste sensitive text into Redactorr, original sensitive values stay local during detection and redaction.

What This Means:

• Original sensitive values stay local during detection and redaction
• Vault stores processed redaction sessions and safe summaries when you choose
• AI Assistant receives reviewed redacted context, not raw original document text
• Browser-local detection can work offline after first load

Redactorr uses multiple layers of security:

Browser Sandbox Modern browsers isolate web applications from your operating system. Processing happens inside a fully sandboxed environment — no access to your file system, network connections, or other browser tabs.

Content Security Policy (CSP) Strict CSP headers prevent code injection or unauthorised network requests. If something tries to send your data out, the browser blocks it.

Web Crypto API All cryptographic operations use the browser's built-in Web Crypto API — hardware-accelerated and continuously audited by security researchers.

Redactorr's browser-local detection and redaction boundary supports privacy and security review workflows:

Australian Privacy Act 1988 (APPs): Original sensitive values stay local during detection and redaction, which can support APP 11 security review workflows. This is not a legal compliance attestation.

PCI-DSS (Payment Card Industry): Card numbers are redacted locally during sanitisation, supporting PCI-DSS review workflows for cardholder data protection.

ASD Essential Eight: Redactorr supports your credential hygiene and data exposure controls. The ASD Essential Eight preset helps detect secrets and credentials before reviewed outputs move to later workflows.

ISO 27001 / ISMS: The client-side model reduces your information security attack surface and simplifies controls documentation.

Important Note: Redactorr helps you meet compliance requirements by keeping data local, but it is not itself certified. Your organisation's compliance programme still requires appropriate policies, access controls, and auditing.

When you choose to share content via Redactorr's secure sharing feature:

Even when sharing, the server only ever sees encrypted data. The decryption key lives in the URL fragment, which browsers never send to servers.

Redactorr uses minimal external services, all privacy-preserving:

Have I Been Pwned (HIBP) for Breach Checking: Uses k-anonymity — only hash prefixes are sent, never actual passwords or emails. Only the required hash prefix is transmitted for the breach check.

No Analytics Without Consent: Basic anonymised metrics are only collected if you opt in. No tracking pixels, no third-party analytics.

Redactorr's detection engine is open source. Security researchers, compliance officers, and developers can audit the code to verify our security claims.

Transparency means trust.