Most online PDF editors process your files on their servers and may retain them for longer than you expect. This guide explains how to protect your documents and what end-to-end encryption actually means in practice.
Your documents are yours. Here is how we keep them that way.
When you upload a PDF to most online editing services, the file travels over the network to a remote server where the processing happens. Your document — which might contain a tax return, a medical report, a legal contract, or proprietary business data — is now sitting unencrypted on someone else's infrastructure.
The privacy risks in this model are significant and often underappreciated. First, the service provider can read your file. Their employees, automated systems, and third-party integrations all have potential access to the unencrypted content. This is not a theoretical risk — many free PDF tools are funded by the data they collect from user uploads, either directly or through advertising technology that analyses file content.
Second, the file is retained on the server for an indeterminate period. Some services claim to delete files after a few hours; others keep them for days or weeks. The policy is often buried in a terms of service document that nobody reads. In the event of a server breach during that retention window, your document is exposed.
Third, regulatory compliance becomes complicated. If you are handling documents subject to GDPR, HIPAA, or other data protection frameworks, uploading those documents to an unencrypted third-party service may create compliance obligations or outright violations — even if you are just editing a single field and downloading the result.
RedaktPDF takes a fundamentally different approach to document privacy. When you use the Secure PDF Editor, your file is encrypted in your browser before it leaves your device. The server receives only ciphertext — it never sees your document in readable form.
The encryption algorithm is AES-256-GCM, the same standard used by governments, financial institutions, and security-critical applications worldwide. AES-256 refers to the key length: 256 bits, which means there are 2256 possible keys. Brute-forcing a 256-bit key is computationally infeasible with any foreseeable hardware — the number of possible keys exceeds the estimated number of atoms in the observable universe.
The encryption key is derived from your password using PBKDF2 (Password-Based Key Derivation Function 2) with a high iteration count. This means even a moderate-length password produces a cryptographically strong key. Critically, this key derivation happens entirely in your browser using the Web Crypto API — the key is never transmitted to the server and is never stored outside your device.
This is what “zero-knowledge” means in practice: the server stores your encrypted file and some metadata (file size, expiry date, a hash of the wrapped key), but it has no ability to decrypt the content. Even if RedaktPDF's servers were fully compromised, an attacker would obtain only ciphertext that they cannot read. This is the architectural guarantee that distinguishes end-to-end encryption from ordinary HTTPS transport encryption, where the server decrypts your data in transit and processes it in plaintext.
All editing operations — adding text, annotating, redacting — happen within the encrypted session in your browser. When you download the finished PDF, it is decrypted locally and saved to your device. Nothing is ever stored unencrypted at any point in the workflow.
Redaction is not the same as covering text with a coloured box. True redaction removes both the visual representation of the text and the underlying text data from the PDF file itself. If you simply draw a black rectangle over a name or account number in a PDF, any recipient can select all text in the document, copy it, and read the “redacted” content in plain text. This is a well-documented failure mode that has caused significant data exposure incidents in legal and government contexts.
The Redact PDF tool applies permanent redactions that remove the underlying text data, not just paint over it. Select the area you want to redact, apply the redaction, and the text is gone from the PDF structure. The exported file contains a flat black fill with no recoverable text beneath it.
For use cases where you want to cover content without a conspicuous black mark — correcting a mistake, removing a draft watermark, or obscuring a minor detail — the PDF Whiteout Tool places a white fill over the selected area. This is appropriate when privacy is not the primary concern and the goal is simply to clean up the document's appearance.
When you combine true redaction with end-to-end encryption, you get the strongest available privacy posture for shared documents: sensitive content is removed at the file level before the document leaves the encrypted editing session, and the file itself was never accessible to the server in readable form. This is the appropriate workflow for legal discovery, FOIA responses, medical record sharing, and any context where document privacy has regulatory or legal implications.
One of the most overlooked privacy questions when using any online file service is: how long does my file stay on their servers? For most services, the honest answer is “longer than you think.” Files may persist in backups, caches, or cold storage long after the nominal deletion date shown in the UI.
RedaktPDF uses a clearly defined, tiered retention model with hard maximum limits. Anonymous users (no account) have their files automatically deleted after two hours. Free account holders get 24 hours. Pro subscribers retain files for 7 days, and Business subscribers for 30 days. After the TTL (time to live) expires, files are purged from storage — not soft-deleted, not archived, not moved to a different tier of storage. The deletion is permanent.
No files are ever stored permanently. RedaktPDF does not build a long-term repository of user documents. There is no “vault” feature, no indefinite cloud storage, and no mechanism that would cause a file to persist beyond its TTL. This is an intentional architectural decision — the shorter the retention window, the smaller the attack surface for any potential breach.
For anonymous users, the two-hour TTL is specifically designed to cover the typical use-case window: upload, edit, download. Once you have your edited file, the server copy is deleted automatically within two hours. You do not need to take any action, and you do not need to trust that a manual deletion was processed correctly — the TTL enforces it automatically.
End-to-end encryption is the right choice whenever the content of your document is sensitive and you are not comfortable with it being processed on a third-party server in plaintext. In practical terms, this covers a wide range of everyday document types.
Legal documents — contracts, NDAs, settlement agreements, court filings — often contain information that should not leave the parties involved. Medical records, insurance claims, and health-related PDFs fall under regulatory protection in most jurisdictions. Financial documents, including bank statements, tax returns, investment reports, and loan applications, are high-value targets for identity theft if intercepted or exposed.
Business confidentiality is another important use case. Product roadmaps, internal reports, salary data, acquisition documents, and strategic plans are the kind of content that could cause significant harm if they reached a competitor. The Secure PDF Editor ensures that even if you are using a shared network or a device you do not fully control, your documents are protected at the encryption layer.
For documents that are not sensitive — public reports, published brochures, marketing materials, open-source documentation — the standard anonymous editor is perfectly appropriate. You do not need encryption overhead when the content could be published on a website tomorrow. The right tool is the one that matches the sensitivity level of the document you are working with.
Redakt PDF
Permanently redact sensitive text and images from PDFs online. GDPR-compliant. Files are end-to-end encrypted for registered users. No software to install.
PDF Whiteout
Cover text or images in a PDF with whiteout boxes online free. Choose any fill color for redaction or correction. Files deleted after 2 hours. No sign-up.
Secure Editor
Edit PDFs with AES-256 end-to-end encryption. Encrypted before upload — servers never see plaintext. Passkey and MFA supported. Zero-knowledge architecture.
Create a free account to manage your PDFs with end-to-end encryption.