Redline
Security and privacy Last reviewed 29 June 2026

Privileged material never leaves the device.

Redline reads, scores, and stores contracts entirely on the lawyer's own computer. This page sets out, in plain terms, what stays on the machine, the little that touches the network, and how you can confirm every word of it yourself. It is written for the person clearing a new tool through a security or procurement review.

On-device analysis AES-256 at rest Tamper-checked at launch Signed and notarized (macOS) Model runs offline No telemetry
The short version

What stays on the machine, and what leaves it.

A contract is read, scored, and kept on the device and is never uploaded. The only thing that travels over the network is a licence check. Here is the full inventory, both columns.

Stays on your computer

Every part of the work, held locally.

  • The contract files you open
  • Every extracted clause and its risk score
  • The language model that does the analysis
  • The local database, encrypted at rest
  • The append-only audit logs

Leaves your computer

The entire list, nothing omitted.

  • A one-time licence activation
  • A brief licence check when the app opens

Each request carries a licence ID, a computer ID (a machine identifier, not a person), and the app version, and goes to redlineclause.com over HTTPS. It never carries a contract, a clause, a file name, or any document content. There is no telemetry and no analytics on what you do inside the app.

One boundary, one arrow

The data-flow, drawn honestly.

YOUR COMPUTER · TRUST BOUNDARY Contracts and clauses Risk scores and notes Encrypted database On-device language model explains and scores clauses, no external model service carries: licence ID, computer ID, app version never: documents, clauses, file names redlineclause.com licence check only stays on the device leaves only on a licence check

One trust boundary, the device, and a single arrow for the only crossing Redline makes on its own. The licence service runs on servers outside South Africa and receives a licence ID, a computer ID, and the app version, and nothing from the document itself. Statute links you tap open in your own browser when you choose to, and are not shown here.

Confirm it yourself

Three ways to check the claim yourself.

The best assurance for a local-first tool is that you can confirm it with tools you already trust. We encourage you to run the test.

01

Watch the network

Run Little Snitch, a host firewall, or a packet capture, then open and analyse a contract. Nothing leaves the machine during the analysis. You will see local traffic on 127.0.0.1 between Redline and its on-device service, which never leaves the loopback interface, and the only request that leaves is the small licence check at launch.

02

Inspect the database

The local data file is encrypted. Run file ~/.redline/default.redline and it reports data, not a database; run strings over it and you get ciphertext, not clause text. The key never lives inside the application.

03

Pull the cable

Once Redline is open, disconnect from the network and keep working for the whole session. Reading, scoring, and the model all run with no connection. The only thing that needs the network is the brief licence check the next time you launch.

Where the data lives

On the device, encrypted at rest.

Encrypted at rest. Contract data is encrypted on disk with AES-256, via SQLCipher. The key is generated on the machine at first launch and held in a file readable only by your user account, stored alongside the data rather than inside the application. The key rests on the protection of your operating-system account, and, where full-disk encryption is on, FileVault on macOS or BitLocker on Windows, the data sits behind both layers.

A single-user store you control. The data lives by default in a folder in your home directory, ~/.redline, which you can move in settings. It is a single-user store on your own machine, so the only person who can reach it is the person at the keyboard.

The local service is closed to other software. Redline does its analysis in a small service that runs on the same computer, reachable only on the loopback address. It accepts requests only from Redline itself, gated by a fresh random secret minted at each launch, so another program on the machine cannot drive it, and it answers only to local addresses, which turns away attempts to reach it from a web page in a browser. In packaged builds the gate fails closed.

The model runs on your computer. The language model that explains and scores clauses is bundled inside the app and runs on the device. No prompt, clause, or answer is sent to any outside model service. There is no external model interface in the loop.

What touches the network

What the licence sends, and what it never does.

Redline reaches the network in exactly three situations, and you can account for all of them:

A one-time activation when the licence is first entered.
A brief check each time the app opens, which also lets a revoked or moved licence be picked up.
The SAFLII and Government Gazette links you tap to verify a statute citation, which open in your browser, when you choose to.

The activation and the per-launch check send a licence ID, a computer ID, and the app version to redlineclause.com, which runs on servers outside South Africa. They are HTTPS requests to that one host, so a firewall can allow them with a single rule. They never send a contract, a clause, a file name, or any document content. There is no telemetry, no analytics on what you do inside the app, and no content reporting.

Integrity and the record

A checked build and a tamper-evident log.

The build checks itself before it runs. On both macOS and Windows, Redline checks that its application package has not been altered before it starts, so a tampered copy refuses to launch. On macOS the build is additionally signed and notarized by Apple, so it opens cleanly. Native installers are provided for macOS on Apple Silicon and for Windows, and the Windows MSI deploys silently with msiexec /i Redline.msi /qn through Group Policy, Intune, or SCCM.

Append-only, tamper-evident logs. Redline keeps append-only logs of activity, both licence-lifecycle events and contract-level actions, in the user data directory. Each is sealed with a key created on that install, so a hand-edit of a log is detected the next time the app opens. The logs hold actors, event types, and timestamps, never contract content, and they can be exported as CSV for your firm's own records.

You control retention completely. Because the only copy of your data is on your computer, you own its whole life. Delete a contract in the app and it is gone from the store. Remove the data folder, or the app, and nothing remains. There is no server copy held by us to request the deletion of, and no backup we keep.

Claim and evidence

Every claim, and how you check it.

What we sayHow it worksHow you can check it
No document content is uploaded No internet traffic during analysis, only loopback to the on-device service Watch with Little Snitch, a firewall, or a packet capture; nothing leaves the machine
Encrypted at rest AES-256 via SQLCipher, key held only on your machine Run file ~/.redline/default.redline; it reports data, not clause text
The model is on the device The model is bundled in the app, with no external model service Disconnect from the network; explanations still work
The local service is closed to other software Binds to 127.0.0.1 only, needs the per-launch secret, refuses non-loopback hosts A request to 127.0.0.1:<port> without the secret returns 401
Only the licence touches the network One small HTTPS request to redlineclause.com at launch; statute links you tap open in your browser Watch the network at startup; it carries no document content
The app is not tampered with Integrity-checked at launch on both platforms, signed and notarized on macOS A modified copy refuses to start
What we deliberately don't have

No cloud, so several questionnaire items do not apply.

A standard vendor questionnaire is written for a service that holds your data on a server. Redline holds nothing, so we would rather name the gaps than imply otherwise. These absences follow from the architecture, not from a thin security program.

  • No sub-processors. No contract data is sent to anyone, so there is no third party processing it.
  • No cloud SOC 2 or ISO 27001 scope. There is no server of ours to audit.
  • No data-residency region. Your data lives on your own computer, under your own controls.
  • No data-processing agreement for contract content. We never receive it, so there is nothing for us to process on your behalf.
POPIA posture

Your firm stays the responsible party.

Because the review runs on the device and no contract is sent to us, using Redline does not introduce us as an additional operator (POPIA s1) into your processing, and your firm remains the responsible party that determines the purpose and means of processing (POPIA s1). The contracts, and the personal information in them, stay on your computer, so analysing them does not involve a trans-border flow of that data under POPIA s72.

The only traffic that crosses a border is the licence check. It carries no contract content, only the minimal licence and computer identifiers you provide when you take up the licence, used solely to run it. So no contract, and none of the personal information inside it, ever crosses a border under POPIA s72.

POPIA places the security duty on you as the responsible party (s19): appropriate, reasonable technical and organisational measures to protect personal information. Redline is built to support that duty, since on-device processing and encryption at rest keep the data under your control. Because we never process your contract data on your behalf, the operator-contract requirements in POPIA s20 and s21 are not triggered by your use of it.

The Information Regulator is the authority that enforces POPIA. This page describes how Redline handles data. It is not legal advice and not a certification of POPIA compliance, which depends on how your firm processes personal information overall, not on any one tool. Responsibility for compliance, including your own assessment under s19, stays with your firm. Statute references here are paraphrased, frozen at the release, and should be checked against the Government Gazette or SAFLII before you rely on them.

Common questions

Answers for the reviewer and the reader.

Does Redline upload our contracts anywhere?

No. Contracts are read, scored, and stored entirely on the lawyer's own computer. No document is sent to a server, and there is no cloud copy to manage or delete. The only network traffic is a licence check, which carries no contract content.

What exactly leaves my computer?

Only a one-time licence activation and a brief licence check when the app opens. Each request carries a licence ID, a computer ID, and the app version. It never carries a contract, a clause, a file name, or any document content.

Does the model send our clauses to an outside service?

No. The language model that explains and scores clauses is bundled inside the app and runs on the device. No prompt, clause, or answer is sent to any external model service.

Is the data encrypted?

Yes. Contract data is encrypted at rest with AES-256 via SQLCipher. The key is generated on the machine at first launch and held in a file readable only by your user account, stored alongside the data rather than inside the application.

Can I use Redline offline?

Yes. Once the app is open you can disconnect and keep working for the whole session, since reading, scoring, and the model all run with no connection. The brief licence check runs the next time you launch, so a machine kept offline across many launches will eventually need to reconnect.

What happens to our data if we stop using Redline?

You hold the only copy. Delete a contract in the app and it is gone from the store. Remove the data folder, or the app, and nothing remains. There is no server copy held by us to request the deletion of.

Is Redline POPIA compliant?

Redline is built to support your obligations under POPIA, but no tool is a certification of compliance, which depends on how your firm processes personal information overall. Because the review runs on the device and no contract is sent to us, Redline does not become an operator and your firm remains the responsible party.

Ask us for a closer look.

If you are clearing Redline through security or procurement, write to us. We are happy to walk a reviewer through the data flow on a call, including watching the network during a live review so you can see that nothing but the licence check leaves the machine, and to send a short security overview for your file.