Trust & security
This page explains exactly what we do with your data, how it is protected, and where our current limits are.
Core security practices
Encryption at rest
Every piece of PII is encrypted before it is written to storage using envelope encryption. Each account gets its own data key; those keys are wrapped through Postgres pgcrypto. Your plaintext never sits on disk.
Data minimization
We only send the fields a broker explicitly requires. Every field sent is logged. Optional fields (anything beyond what is required) need your explicit per-use approval before we transmit them.
Crypto-shred on deletion
Account deletion destroys the per-account data key, making your PII permanently unrecoverable. A non-PII audit log (which removals were filed, when, with what result) is kept separately for integrity.
Authorized-agent model
We act only under a signed authorization (your Mandate). Without it, we touch nothing. The Mandate is the legal basis for every removal request we file. You can revoke it at any time.
How we handle your data
Here is the complete lifecycle of your personal information, from intake to deletion:
1. Collect the minimum
We ask only for the information needed to match your listings on broker sites: name variants, current and past addresses, and (for some brokers) a phone or email. Each field shows why it is needed before you enter it.
2. Encrypt before storing
Your PII is encrypted with envelope encryption before we write anything to the database. Plaintext is held in memory only long enough to complete the operation that needs it.
3. Send only what the broker requires
When we file a removal request, we decrypt only the fields that specific broker has declared as required. We log every field we transmit. If a broker asks for something optional, we surface that to you in the Action Center and wait for your per-use approval before sending.
4. Verify removal at the source
We wait the statutory window, then independently re-scan the original source. If your data is gone, we capture a before-and-after screenshot as evidence. We never mark something 'Verified removed' without this independent check.
5. Keep re-scanning
Brokers re-list people. Our scheduler runs periodic re-scans and restarts the removal cycle automatically when a regression is detected. Your audit log records every re-listing event.
6. Crypto-shred on account deletion
When you delete your account, we destroy the per-account encryption key. Your PII becomes permanently unrecoverable. The non-PII audit log (which brokers we contacted, when, with what result) is retained for integrity but contains no personal information.
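The envelope encryption and crypto-shred steps described above, sketched with pgcrypto as an added example (not Redacted's own schema or code). The table names, the app.kek setting and all sample values are assumptions constructed for illustration.

```sql
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- Hypothetical schema: one wrapped data key per account, PII stored as ciphertext only.
CREATE TABLE account_keys (
    account_id  bigint PRIMARY KEY,
    wrapped_dek bytea  NOT NULL   -- per-account data key, encrypted under the KEK
);
CREATE TABLE pii_fields (
    account_id  bigint NOT NULL,
    field_name  text   NOT NULL,
    ciphertext  bytea  NOT NULL,  -- encrypted under the account's data key
    PRIMARY KEY (account_id, field_name)
);

-- Constructed placeholder key-encryption key, scoped to this session.
-- Assumption: the application supplies the real KEK from outside the database.
SELECT set_config('app.kek', 'EXAMPLE-KEK-PLACEHOLDER', false);

-- Account creation: generate a random 256-bit data key, store only its wrapped form.
INSERT INTO account_keys (account_id, wrapped_dek)
VALUES (42, pgp_sym_encrypt(encode(gen_random_bytes(32), 'hex'),
                            current_setting('app.kek'),
                            'cipher-algo=aes256'));

-- Write path: unwrap the data key inside the statement, persist ciphertext only.
INSERT INTO pii_fields (account_id, field_name, ciphertext)
SELECT k.account_id, 'current_address',
       pgp_sym_encrypt('123 Example St (constructed)',
                       pgp_sym_decrypt(k.wrapped_dek, current_setting('app.kek')),
                       'cipher-algo=aes256')
FROM account_keys k
WHERE k.account_id = 42;

-- Read path: decrypt one named field, not the whole record.
SELECT pgp_sym_decrypt(f.ciphertext,
                       pgp_sym_decrypt(k.wrapped_dek, current_setting('app.kek')))
FROM pii_fields f
JOIN account_keys k USING (account_id)
WHERE f.account_id = 42 AND f.field_name = 'current_address';

-- Crypto-shred: destroy the wrapped data key. The ciphertext rows may remain,
-- but nothing is left that can decrypt them.
DELETE FROM account_keys WHERE account_id = 42;
```

Shredding is only as strong as the key's scarcity: any surviving copy of the wrapped data key (a backup, a replica, WAL archives, a dead tuple not yet vacuumed) remains decryptable for as long as the KEK exists, so retention of those copies has to be covered as well.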
Verification & proof
The status “Verified removed” is a technical constraint built into the removal workflow. It can only be set after an independent re-check of the original source confirms the listing is gone and a before-and-after screenshot pair has been saved. There is no override.
We use nine distinct status labels so you always know exactly where each removal stands. “Confirmed by site” is a different status from “Verified removed”, and that distinction is enforced by the system.
Read the full breakdown of all nine status labels on our How it works page.
Compliance
We are not yet certified under SOC 2 Type II or ISO 27001. Both are on our roadmap. We say this plainly rather than imply a posture we have not been independently audited for.
In the meantime, we follow the practices these frameworks prescribe: encryption at rest and in transit, access control and least privilege, audit logging, incident response procedures, and periodic internal review. When we complete an audit engagement, we will update this page with the result and report date.
If compliance certification is a requirement for your organization, Redacted is a consumer product and may not be the right fit today. We would rather you know this upfront.