Process, then forget.
We do the work your documents need, and nothing else. Files leave as soon as we're done. They never train a model along the way.
60-day data lifecycle
No model training
Open-source PDF engine
On this page
The promise
We do the work you've asked of your documents, then we forget them. Past 60 days, the only things we keep are aggregated, anonymised usage counts — for billing, and never traceable to a specific document.
This page explains exactly what that means, technically and in plain English.
How retention works
Two stages. The first runs as soon as a job finishes. The second runs on a clock.
Stage 1 — Immediate
When the job completes
We strip your processed PDF and its source bytes from our systems as soon as the job finishes — whether you fetched the result via webhook or direct download. Only the redaction metadata — job ID, page count, status, redaction coordinates — survives.
Stage 2 — 60 days
Detailed logs purged
After 60 days, we delete all detailed processing-job records. Aggregated, anonymised usage counts roll up into a monthly meter we keep for billing.
What we log (and don't)
✓ We log
Job ID · page count · processing duration · status · team ID · timestamp · redaction coordinates (so support can debug a job you flag)
✗ We never log
Filenames · document contents · OCR'd text · the text inside redacted regions · the uploader's identity
Without the job ID you hold, our logs can't be traced to a specific document.
No training, no human review
Your documents never train a model. No Redactr engineer reads your files.
When you raise a support ticket, you share the job IDs we should look at — that's the only time engineers touch a specific job.
Agents
Our suggest endpoints route to specialist agents — each one tuned for a single domain (DSAR redaction, UK medical records, UK business documents). Calls go through an EU cross-region Bedrock endpoint, so processing stays inside the EU. AWS doesn't store or use Bedrock inputs for training. Anthropic doesn't see or retain your prompts.
Bring your own storage
Need documents to stay inside your own infrastructure? Connect an S3-compatible bucket and we'll process direct from source. We read a transient working copy into memory for the processing window, write the result back to your storage, and discard our copy when the job ends — the source-of-truth file stays in your account.
Supported today: AWS S3, DigitalOcean Spaces, MinIO, Backblaze B2. Coming soon: Google Cloud Storage, Azure Blob, OneDrive, Dropbox.
Open source PDF engine
Our PDF service, pdf-core, is open source on GitHub. You can audit the code that opens, parses, and rewrites your documents. The community helps us catch bugs and improve security.
Encryption
TLS 1.2+ in transit. AES-256 at rest in RDS, ElastiCache, and S3 — the AWS defaults.
Subprocessors
A short list. Each is here because it's load-bearing for the product.
| Vendor | Purpose | Region |
|---|---|---|
| AWS | Infrastructure (ECS, RDS, S3, ElastiCache) | eu-west-1 |
| AWS Bedrock (Anthropic) | Suggestion agents | EU (cross-region) |
| Stripe | Billing | EU / US |
| WorkOS | Authentication & MFA | USA (SCCs) |
| Chatwoot | Customer support chat | EU |
| Brevo | Marketing emails | EU |
UK GDPR & jurisdiction
Redactr Platforms Ltd is registered in England and Wales (company number 17022943). We operate under the UK GDPR and the Data Protection Act 2018.
Our standard Data Processing Agreement is published at redactr.io/dpa. Email inbox@redactr.io if you need bespoke terms.
Full legal terms live in our Privacy Policy, Terms, and DPA.
FAQ
Can your engineers see my documents?
We strip source documents and processed PDFs from our systems as soon as the job completes (Stage 1). When you raise a support ticket, you share the job IDs we should look at — that's the only time engineers touch a specific job.
Do you use my data to train your models?
No. Our suggestion agents call AWS Bedrock, and AWS doesn't store or use Bedrock inputs to train models. Anthropic, the model provider, doesn't see or retain your prompts. We don't train internal models on your data either.
Where do you run?
AWS in eu-west-1 (Ireland) for our own infrastructure. Suggestion agents call Bedrock via an EU cross-region endpoint, so processing stays inside the EU but may run in regions other than eu-west-1.
Do you have SOC 2 / ISO 27001?
Not today. We operate an information security management system aligned to ISO/IEC 27001 principles, but haven't pursued formal certification. The controls on this page are what we operate by.
What happens if you have a data breach?
We notify affected customers without undue delay and in any event within 72 hours of becoming aware. The notification covers what we know about the nature of the breach, what data was affected, what we believe the likely consequences are, and what we are doing to contain and remediate it. The full commitment is in clause 8 of our DPA.
How do I get a Data Processing Agreement?
Our DPA is published at redactr.io/dpa — the canonical version both parties operate under. Email inbox@redactr.io if you need bespoke terms beyond what it covers.
See also
Step-by-step guides for redacting PDFs in the tools most people already have: