Security

Most tools ask you to trust them. promptShield is built so you don't have to — the privacy guarantee is something you can verify with your own eyes, offline, in under a minute.

Last reviewed: June 22, 2026

The core guarantee

Your documents are processed entirely on your own machine. Detection, redaction, encoding, and export all run on a local engine bound to 127.0.0.1 (loopback). No document content, detected value, or redacted output is ever transmitted to our servers, to us, or to any third party — there is no code path that uploads a document, because the feature does not exist.

Don't trust us — verify it

Because everything runs locally, our central privacy claim is demonstrable in front of a client, an auditor, or a CISO. No NDA, no architecture review, no leap of faith.

  1. Disconnect from the network before launching the app. Open a document and run detection, redaction, encoding, and export. Everything still works, fully offline, because the license is verified locally (see below).
  2. Open a network monitor (Windows Resource Monitor, Wireshark with the Npcap loopback adapter, Little Snitch). Process a document end to end and filter by the app and its engine process. Every connection the document pipeline makes is to 127.0.0.1. The only traffic that can leave the machine at all is the licensing, usage-count, and crash-report traffic described below, none of which carries document content; on an air-gapped install there is none.
  3. Run ExifTool on the original and on the exported file. The export's metadata is stripped: no author, no software trail, no revision history.
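To make steps 2 and 3 repeatable in front of an auditor, here is an added example that automates them; it is not promptShield's own code. It parses a `netstat -ano`-style connection table, flags any connection belonging to the app's processes that is not confined to loopback (127.0.0.0/8 or ::1), and scans `exiftool -j` output for tags that identify a person, a tool, or a revision history. The column layout, the PIDs, the sample rows, and the metadata sample are all constructed for the example, and the tag list is illustrative, not complete.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

// Connection is one row of a `netstat -ano`-style table (layout assumed):
// Proto, Local Address, Foreign Address, State, PID.
type Connection struct {
	Local, Remote netip.AddrPort
	State         string
	PID           int
}

// ParseNetstat keeps TCP rows with five columns; header and UDP rows are skipped.
func ParseNetstat(table string) []Connection {
	var conns []Connection
	for _, line := range strings.Split(table, "\n") {
		f := strings.Fields(line)
		if len(f) != 5 || f[0] != "TCP" {
			continue
		}
		local, err1 := netip.ParseAddrPort(f[1])
		remote, err2 := netip.ParseAddrPort(f[2])
		pid, err3 := strconv.Atoi(f[4])
		if err1 != nil || err2 != nil || err3 != nil {
			continue
		}
		conns = append(conns, Connection{Local: local, Remote: remote, State: f[3], PID: pid})
	}
	return conns
}

// IsLoopbackOnly reports whether a connection can never leave the host.
// A listening socket has no peer yet, so only its bind address counts:
// an engine bound to 0.0.0.0 would be reachable from the LAN and is flagged.
func IsLoopbackOnly(c Connection) bool {
	if c.State == "LISTENING" {
		return c.Local.Addr().IsLoopback()
	}
	return c.Local.Addr().IsLoopback() && c.Remote.Addr().IsLoopback()
}

// NonLoopback returns the connections of the given PIDs that touch a
// non-loopback address; for the document pipeline the page predicts none.
func NonLoopback(conns []Connection, pids map[int]bool) []Connection {
	var out []Connection
	for _, c := range conns {
		if pids[c.PID] && !IsLoopbackOnly(c) {
			out = append(out, c)
		}
	}
	return out
}

// identifyingTags are ExifTool tag names worth checking (illustrative list).
var identifyingTags = []string{"Author", "Creator", "Producer", "Software",
	"LastModifiedBy", "CreatorTool", "History"}

// LeakedMetadata decodes `exiftool -j` output (a JSON array, one object per
// file) and returns "file: tag" for each identifying tag still present.
func LeakedMetadata(exifJSON []byte) ([]string, error) {
	var files []map[string]any
	if err := json.Unmarshal(exifJSON, &files); err != nil {
		return nil, err
	}
	var leaks []string
	for _, tags := range files {
		name, _ := tags["SourceFile"].(string)
		for _, t := range identifyingTags {
			if _, present := tags[t]; present {
				leaks = append(leaks, name+": "+t)
			}
		}
	}
	return leaks, nil
}

// Constructed samples: PID 4120 is the app, 4188 the engine, 9001 a browser.
const sampleTable = `
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:8765         0.0.0.0:0              LISTENING       4188
  TCP    127.0.0.1:8765         127.0.0.1:51204        ESTABLISHED     4188
  TCP    127.0.0.1:51204        127.0.0.1:8765         ESTABLISHED     4120
  TCP    [::1]:8765             [::]:0                 LISTENING       4188
  TCP    192.168.1.20:51300     203.0.113.10:443       ESTABLISHED     9001
  UDP    0.0.0.0:5353           *:*                                    4120`

const sampleExif = `[
  {"SourceFile": "contract.pdf", "FileSize": "88 kB", "Author": "J. Doe", "Producer": "Word"},
  {"SourceFile": "contract.redacted.pdf", "FileSize": "71 kB"}
]`

func main() {
	conns := ParseNetstat(sampleTable)
	fmt.Println("non-loopback app connections:", NonLoopback(conns, map[int]bool{4120: true, 4188: true}))
	leaks, _ := LeakedMetadata([]byte(sampleExif))
	fmt.Println("identifying metadata left:", leaks)
}
```

In a real check, capture `netstat -ano` (or `ss -tanp` on Linux, with the parser adjusted) several times while a document is being processed and feed every snapshot through `NonLoopback` with the app's PIDs; a non-empty result, or an engine socket listening on 0.0.0.0 instead of 127.0.0.1, is the finding the page says you will not get.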

What our servers actually see

We run a licensing server, and we are deliberate about what reaches it. For account and billing it sees exactly what it needs and nothing more; for your documents it sees nothing at all.

  • Account data — your email address, and (for paid plans) billing details processed by Stripe. We never store card numbers.
  • License data — a SHA-256 machine fingerprint used to enforce device limits, plus subscription state. No computer name, no document activity.
  • Anonymous usage counts — aggregate numbers (documents processed, file types, app version), opt-out in Settings → Privacy, never sent at all on air-gapped installs.
  • Document content — never. No file, no detected value, no redacted output, ever reaches our infrastructure.

How it's engineered

  • Local-only processing — the detection and redaction engine runs as a sidecar that listens on 127.0.0.1 only, so no other host can reach it; the desktop app on the same machine is its only client. (The loopback bind is what a network monitor should show: an engine listening on 0.0.0.0 would be reachable from the LAN.)
  • TLS everywhere — all licensing and account traffic is encrypted in transit.
  • Ed25519-signed licenses — license blobs are cryptographically signed and verified offline, so the app keeps working without a live server.
  • Hashed credentials — passwords are bcrypt-hashed; authentication runs through Firebase Auth.
  • Signed binaries — the Windows app and its components are Authenticode-signed, and updates are SHA-256 + signature verified before they install.
  • Scrubbed crash reports — error reports have personal data removed before transmission and never include document content.
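The two cryptographic pieces above, the SHA-256 machine fingerprint (under "What our servers actually see") and the Ed25519-signed license that is verified offline, fit together as in this added example. It is not promptShield's code: the license fields, the fingerprint inputs, and the domain-separation label are assumptions, and the scenario in main is constructed. What it shows is the property the page relies on: with the public key pinned in the binary, the app can reject a forged, transplanted, or expired license without contacting the server.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// License is the signed payload (field set assumed for this example).
// What matters is that the client verifies the exact signed bytes before
// it trusts any field in them.
type License struct {
	Email       string `json:"email"`
	Fingerprint string `json:"fingerprint"` // hex SHA-256 machine fingerprint
	Plan        string `json:"plan"`
	ExpiresAt   int64  `json:"expires_at"` // unix seconds
}

// Blob is what the server returns and the client stores: the payload plus
// a detached Ed25519 signature over it.
type Blob struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// MachineFingerprint hashes stable device identifiers (which ones is a
// product decision). The server only ever sees the digest, never the
// identifiers; the label and NUL separators keep the hash from colliding
// with any other SHA-256 the app computes.
func MachineFingerprint(ids ...string) string {
	h := sha256.New()
	h.Write([]byte("example-fingerprint-v1\x00")) // assumed label
	for _, id := range ids {
		h.Write([]byte(id))
		h.Write([]byte{0}) // separator, so "ab"+"c" != "a"+"bc"
	}
	return hex.EncodeToString(h.Sum(nil))
}

// Issue runs on the licensing server: encode the license, sign the bytes.
// The private key never leaves the server.
func Issue(priv ed25519.PrivateKey, lic License) (Blob, error) {
	payload, err := json.Marshal(lic)
	if err != nil {
		return Blob{}, err
	}
	return Blob{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

var (
	ErrBadSignature = errors.New("license: signature does not verify")
	ErrWrongMachine = errors.New("license: issued for a different machine")
	ErrExpired      = errors.New("license: expired")
)

// Verify runs in the app with no network: it needs only the public key
// compiled into the binary, the stored blob, the local fingerprint and a
// clock. The signature is checked first, so a tampered or forged payload
// is rejected before any of its fields are decoded.
func Verify(pub ed25519.PublicKey, b Blob, localFP string, now time.Time) (License, error) {
	if !ed25519.Verify(pub, b.Payload, b.Signature) {
		return License{}, ErrBadSignature
	}
	var lic License
	if err := json.Unmarshal(b.Payload, &lic); err != nil {
		return License{}, err
	}
	if lic.Fingerprint != localFP {
		return License{}, ErrWrongMachine
	}
	if !now.Before(time.Unix(lic.ExpiresAt, 0)) {
		return License{}, ErrExpired
	}
	return lic, nil
}

func main() {
	// Constructed scenario: one server keypair, one device, one license.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	fp := MachineFingerprint("disk-serial-XYZ", "board-uuid-123")
	lic := License{Email: "user@example.com", Fingerprint: fp, Plan: "pro",
		ExpiresAt: time.Now().Add(30 * 24 * time.Hour).Unix()}
	blob, _ := Issue(priv, lic)
	_, err := Verify(pub, blob, fp, time.Now())
	fmt.Println("genuine license:", err)
	// Editing the payload to upgrade the plan breaks the signature.
	forged := blob
	forged.Payload = bytes.Replace(blob.Payload, []byte(`"plan":"pro"`), []byte(`"plan":"enterprise"`), 1)
	_, err = Verify(pub, forged, fp, time.Now())
	fmt.Println("forged license:", err)
	_, err = Verify(pub, blob, MachineFingerprint("other-disk", "other-board"), time.Now())
	fmt.Println("copied to another machine:", err)
}
```

Two design points carry over to any offline-licensing scheme: verify the signature over the raw bytes before parsing them, and keep the fingerprint inputs to identifiers that do not change on reboot or driver update, or legitimate users will be locked out. The one thing offline verification cannot provide on its own is a trustworthy clock, so the expiry check is only as strong as the local time source.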

Reporting a vulnerability

We welcome scrutiny from security researchers. If you believe you've found a vulnerability, email us and we'll work with you to confirm and address it. Please give us a reasonable window to remediate before any public disclosure. Reach us at security@promptshield.ca.
