DocuPipe Redaction
Automated redaction, deployedon your terms
Pixel-perfect redaction that runs where your documents must stay - in our SOC 2 certified cloud, in your own cloud account, or on machines you own, air gap included.
DocuPipe cloud
Your cloud account
Your own hardware
SOC 2 · ISO 27001 · HIPAA · BAA available
Policy in plain language
Redact by policy, not by keyword.
Real redaction policies are more precise than "find all names." One role may be protected while another stays public; one number may be sensitive while another is just a reference. DocuPipe takes the policy the way you'd say it out loud, reads the context on the page, and applies one set of rules to every document in the queue.
"Redact customer names. Keep staff names."
"Redact private people. Keep public officials."
"Redact account numbers. Keep invoice numbers."
Role-aware detection
The same name can be protected in one role and public in another. Detection reads who each name belongs to - patient or provider, witness or officer - and redacts by role, not by string.
Lookalikes, told apart
A nine-digit number might be an SSN, a phone number, or an account number. Detection reads the label and the sentence around it, so the right numbers go black and the rest stay legible.
Handwriting included
Margin notes, signatures, handwritten intake forms - the OCR layer reads handwriting, so a scrawled phone number gets the same treatment as a typed one.
The review room
Fully automated. Human reviewable.
Anyone who has redacted by hand knows the feeling: the file is out the door, and you're still wondering whether you caught every instance. DocuPipe does the reading at scale - and your reviewers step in exactly as much as the release demands. Approve every box on a court filing, spot-check a trusted feed, or let clean documents flow straight through. The demo above is the real review room - approve a box, reject one, draw your own.
claim-file-0042.pdf
12 proposed · 1 added · 1 rejected
added by reviewer
Proposed redactions
541-72-6688
SSN
Margaret A. Whitfield
Name
(503) 555-0142
Phone
handwritten note, p.2
Added by reviewer
Drag on the page to add your own.
Approve or reject every box
Each proposal carries its category, confidence, and the original text. Clear a page item by item, or approve it all at once.
Add your own
Drag across anything detection didn't flag. Boxes snap to the words underneath, so hand-drawn redactions come out as clean as proposed ones.
Prompt it to do better
Rules are plain sentences: "redact patient names, keep the treating physician's." Adjust the instructions and re-run until the proposals match your policy.
One policy for the whole queue
Categories and instructions apply across every document in a workflow - the same rules govern file one and file ten thousand.
Preview the release copy
Flip every box to solid black and see exactly what leaves the building - before it does.
Nothing under the box
The download is a newly built, image-only PDF. Black is painted into the page pixels, the text layer is stripped, and hidden document internals never make it into the release copy. Nothing under a box can be copied, searched, or scraped back out - and the original file never changes.
Deployment
Runs wherever your documents reside
The documents being redacted are, by definition, the most sensitive ones your organization holds. For many hospital systems, insurers, and public agencies the data-handling rule is simple: it does not cross our boundary. DocuPipe is the redaction platform built for that rule - pick the boundary, and the whole pipeline moves inside it.
Start today
DocuPipe cloud
No procurement cycle. SOC 2 and ISO 27001 certified, HIPAA compliant, BAAs on paid plans, data residency options in the US, Europe, Canada, or Australia - and documents are never used to train models.
Full containment
Your cloud account
The entire platform - API, OCR engine, models, workers, storage - installs into an AWS, Azure, or GCP account you own. Install is a single command, and it ends with a live end-to-end test. Nothing phones home.
No cloud at all
Your own hardware
The same stack runs on machines you own - a server room, a rack in your data center, an air-gapped network with no internet path. If your machines can run containers, they can run DocuPipe.
Same product in all three - the review screen in the demo above is exactly what your team gets inside your boundary, from a SOC 2 and ISO 27001 certified vendor.
Beyond one file
Runs at any scale
API-first
Generate, review, and download redactions programmatically - wire it into the systems your records already move through.
Built for volume
Redaction is one capability of a document pipeline that classifies, splits, and extracts at scale - point it at the queue, not the file.
Rules in plain language
"Redact everyone's SSN except the primary applicant's." No regex, no templates, no per-form setup - the rule you can say is the rule it applies.
Multilingual, right to left included
Detection follows the language on the page, including right-to-left scripts - and the review room renders them correctly.
Three calls, start to finish
POST /document
upload the file
POST /document/{id}/redactions
{"guidelines": "also redact vehicle plate numbers"}
GET /redaction/{id}/download
the burned-in, flattened PDF
The same three calls in every deployment - our cloud, your cloud, or your rack.
Redact for all purposes
Teams with a mandate, not a one-off
The same categories and review flow, tuned to the release your team is on the hook for.
HIM / release of information
Producing records means telling the protected patient apart from the treating physician on the same page - plus other patients, family members, MRNs, DOBs, and member IDs in the margins.
FOIA and public records
Personal-privacy withholdings on responsive records: requester-adjacent names, home addresses, personal phone numbers, and identifiers - before anything hits the reading room.
DSAR and privacy teams
Producing one person's data means removing everyone else's. Third-party names and contact details are the default categories for a subject-access response.
Claims teams
Claim files shared with outside counsel, reinsurers, or vendors carry other claimants' details. Redact them by category before the file leaves the team.
Litigation and discovery
Produce responsive documents with personal identifiers removed - and a burned-in file you can stand behind, not a cosmetic box.
Before you bring this to security review
FAQ
Can it tell a protected name from a public one?
Yes. Policies are role-aware: redact the patient's name but keep the treating physician's, redact junior staff but not the agency head. Detection reads who each name belongs to on the page and applies the rule you wrote - the same rule, across the entire queue.
Is the text really removed, or just covered?
Removed. The redacted download is flattened - the masked regions are rendered out of the page image itself and the text layer is stripped, so nothing can be copied, searched, or scraped out from underneath.
Can it run with no internet connection at all?
Yes. Private deployments run entirely inside your network: your machines, your storage, no outbound calls. That includes air-gapped environments that never touch the public internet.
Does it work on scans, faxes, and photos?
Yes. Documents run through our OCR layer first, so detection lands on the exact word positions even in scanned files - the boxes sit on the pixels, not on a guess.
Does it read handwriting?
Yes. The OCR layer reads handwriting, so handwritten names, numbers, and margin notes are detected, reviewable, and burned exactly like typed text.
What does automated detection miss?
Anything automated can miss things. That is what the review room is for: approve every box when the release is high-stakes, spot-check when a flow has earned trust. Your reviewer makes the release call with the original text in front of them.
Can reviewers change what the AI proposed?
Yes. Approve or reject each box, add word-snapped boxes of your own by dragging on the page, and steer detection itself with plain-language instructions. Policies apply across the whole queue, not per file.
Does the original file change?
Never. The burned release copy is a separate, newly built file - the original stays untouched in storage.
How is it priced?
On usage, not per seat - your whole records team works in one workspace without per-user fees. Cloud plans are self-serve. Private deployments - your cloud account or your own hardware - are annual enterprise agreements; talk to sales and we'll scope it with you.
Do you sign BAAs? Where is the security documentation?
Yes - BAAs are executed on paid plans, and early in evaluation for serious prospects. SOC 2 and ISO 27001 reports are self-serve at trust.docupipe.ai.
Is there an audit trail?
Every processing action is logged as a job: what ran, when, on which document, and with what result. Your release history is reconstructable, not anecdotal.
Which languages does detection support?
Detection follows the language of the document, including right-to-left scripts. English and Hebrew carry the deepest policy tuning today - if your queue runs in another language, bring sample files to the evaluation and we'll run them live.
See it on your documents, in your environment
Tell us what you release, at what volume, and where it's allowed to run. We'll show you the same product you just tried - deployed your way.
Prefer to keep exploring? The free redactor stays free.