Compliance

Compliant by Architecture

Most tools try to become compliant through policies and controls. PDF Redaction is compliant by design — your data never reaches our servers, so most regulatory obligations simply don't apply.

Our Approach

Documents processed in your browser

Zero data transmitted to our servers

No DPA / BAA required

No sub-processors to audit

No cross-border data transfers

User deletes own data from browser

Traditional Cloud Tools

✕Documents uploaded to cloud servers

✕Data processed on vendor infrastructure

✕DPA / BAA negotiations required

✕Sub-processor chain to manage

✕International transfer safeguards needed

✕Account deletion request to vendor

Framework-by-Framework Compliance

Detailed compliance mapping for every major privacy and security regulation.

GDPR

General Data Protection Regulation

EU / EEA

PDF Redaction satisfies GDPR by design. Since documents never leave the user's browser, there is no data processor relationship, no cross-border transfer, and no sub-processor chain.

Data minimization (Art. 5)

Only processes data the user explicitly provides; no data collection or retention on our servers.

Data protection by design (Art. 25)

Zero-server architecture is privacy-by-design at the infrastructure level.

Data processor agreement (Art. 28)

Not required — we never process your personal data. No DPA needed.

International transfers (Art. 44-49)

No data crosses borders. All processing occurs on the user's device.

Breach notification (Art. 33-34)

No server-side data means no server-side breach risk.

Right to erasure (Art. 17)

Users delete their own data directly from the browser. No request needed.

HIPAA

Health Insurance Portability and Accountability Act

United States

PDF Redaction detects all 18 HIPAA-protected identifiers and processes PHI entirely in the browser. No BAA is required because PHI never reaches our infrastructure.

PHI safeguards (§164.312)

All PHI processing uses browser-native encryption (AES-256-GCM) and isolated Web Workers.

Business Associate Agreement

Not required — we never access, store, or transmit PHI. We are not a Business Associate.

Minimum necessary standard

50+ entity types allow selective redaction to disclose only what's needed.

Audit controls (§164.312(b))

Redaction certificates and processing logs stored locally for audit trails.

Breach notification rule

No server-side PHI storage means zero risk of server-side breach.

De-identification (Safe Harbor)

Detects and redacts all 18 HIPAA identifiers for Safe Harbor compliance.

CCPA / CPRA

California Consumer Privacy Act / California Privacy Rights Act

California, USA

PDF Redaction does not collect, sell, or share personal information. Processing happens on-device, and users control all data deletion through their browser.

Right to know / access

No PI collected on our servers. Browser-side data is directly accessible to the user.

Right to delete

Users clear their data via browser settings or the dashboard — no request to us needed.

Right to opt-out of sale

We never sell personal information. No data is transmitted to third parties.

Data minimization

Zero server-side collection. Only account credentials stored for login.

Service provider obligations

We do not meet the definition of a "service provider" for document data — we never receive it.

GLBA

Gramm-Leach-Bliley Act

United States (Financial)

Financial institutions can use PDF Redaction without adding us to their vendor risk management program for data processing — because we never process their customer data.

Safeguards Rule (§314)

Customer financial data stays on the institution's devices. No external processing.

Privacy notices

No NPI disclosure to us. Privacy notice obligations between institution and customers are unaffected.

Vendor management

Simplified vendor assessment — we never handle NPI and are not a "service provider" for financial data.

Information security program

Complements existing ISP by keeping document processing within the institution's security perimeter.

PCI DSS

Payment Card Industry Data Security Standard

Global

Credit card data detected in documents is redacted entirely within the browser. No cardholder data is transmitted, stored, or processed on our servers.

Protect stored data (Req. 3)

Cardholder data is never stored on our infrastructure. Processing is local only.

Encrypt transmission (Req. 4)

No transmission of cardholder data occurs. Zero network requests during processing.

Access control (Req. 7)

Only the user on their device has access to document content during processing.

Network monitoring (Req. 10)

No network traffic to monitor for cardholder data — it never leaves the browser.

SOX

Sarbanes-Oxley Act

United States

PDF Redaction supports SOX compliance by allowing organizations to redact financial documents locally before sharing, with local audit trails for redaction activity.

Internal controls (§302/404)

Redaction processing within the organization's environment supports internal control frameworks.

Document retention

Redacted documents and certificates stored locally within the organization's retention policies.

Audit trail

Processing logs and redaction certificates provide verifiable audit trails.

Additional Framework Support

Our zero-server architecture simplifies compliance across all major global privacy frameworks.

UK GDPR

United Kingdom

PIPEDA

Canada

LGPD

Brazil

POPIA

South Africa

PDPA

Singapore / Thailand

APPI

Japan

Privacy Act

Australia

FERPA

US Education

FOIA

US Public Records

COPPA

US Children

HITECH

US Health IT

NAIC Model Laws

US Insurance

Compliance FAQ

Do I need a Data Processing Agreement (DPA)?

No. Since PDF Redaction never accesses, processes, or stores your document data on our servers, we are not a data processor under GDPR or any equivalent framework. No DPA is required.

Do I need a Business Associate Agreement (BAA) for HIPAA?

No. We never access PHI. All document processing happens in your browser. We are not a Business Associate under HIPAA.

Does PDF Redaction transfer data internationally?

No. Document processing happens on the user's device in their jurisdiction. There are no international data transfers to assess.

What happens if there's a data breach on your end?

We don't have your document data, so a breach of our infrastructure cannot expose your documents. The only server-side data is account credentials (email, hashed password, subscription status).

How do I delete my data?

Processing history and document metadata are stored in your browser. Clear your browser data for our site, use the dashboard's "Clear All" function, or use private/incognito mode to leave no trace at all.

Can I use this in a regulated environment?

Yes. Our zero-server architecture means the tool operates within your security perimeter. It does not add a new data flow to your architecture — documents stay on the device.

Compliance Without Complexity

Start redacting documents with zero regulatory overhead.

Start Redacting View Security Architecture