Cloud & AI for regulated companies — from the team behind Redactor. · See the full portfolio →
Security & transparency

Don't trust us. Inspect the design.

Redactor Desk's security claim is structural, not political: the agent's tool surface cannot lead out unsanitized. This page explains how that's built and where the honest limits are. It's written by our developers — not a third-party audit (an independent audit is on the roadmap).

The core invariant

Two sentences everything hangs on.

  • Everything that enters model context — file contents, search results, your own message — passes sanitize() first.
  • Everything the model emits — chat text, written file contents, edits — passes restoration before it is displayed or written to disk.

Why the surface can't leak

A single choke point

Detection and tokenization run exclusively locally. There is exactly one place where text becomes model input — and it redacts.

No shell, no built-ins

The agent has no shell access and no built-in tools. Only five file operations are allowed, each through the redaction layer. No channel bypasses it.

Edits in sanitized space

The model edits the sanitized view; real values are re-inserted locally just before the file is written. A hash guard rejects stale edits.

Fail closed

Where a category is set to "block" (Enterprise policy), the sanitizer returns nothing rather than risk letting something through.

Your data

  • The Anthropic key is stored encrypted via the OS keychain (Keychain/DPAPI), never in plaintext.
  • The placeholder → real-value mapping lives in a local vault on your machine. None of it leaves the device.
  • The evidence log (Enterprise, optional) is hash-chained and holds only categories and counts — never the values.
  • A backup is written before every file change; every change is reversible.

Honest limitations

  • Detection is deterministic and heuristic. What isn't detected isn't replaced — we promise no hit-rate numbers without an independent benchmark.
  • "Fully offline" applies to detection and tokenization. The client itself talks to the Anthropic API.
  • Regulatory wording is deliberately "supports", never "meets".
On the roadmap: a local egress guard that proves no vault value is in a request body before sending; vault encryption at rest; and an independent audit. Once the report is in, we publish it here.

Report a vulnerability

Found something? Please report it privately and give us reasonable time to fix it before going public. Please no real secrets in your report.