Privileged material never leaves the device.
Redline reads, scores, and stores contracts entirely on the lawyer's own computer. This page sets out, in plain terms, what stays on the machine, the little that touches the network, and how you can confirm every word of it yourself. It is written for the person clearing a new tool through a security or procurement review.
What stays on the machine, and what leaves it.
A contract is read, scored, and kept on the device and is never uploaded. The only thing that travels over the network is a licence check. Here is the full inventory, both columns.
Stays on your computer
Every part of the work, held locally.
- The contract files you open
- Every extracted clause and its risk score
- The language model that does the analysis
- The local database, encrypted at rest
- The append-only audit logs
Leaves your computer
The entire list, nothing omitted.
- A one-time licence activation
- A brief licence check when the app opens
Each request carries a licence ID, a computer ID (a machine identifier, not a person), and the app version, and goes to redlineclause.com over HTTPS. It never carries a contract, a clause, a file name, or any document content. There is no telemetry and no analytics on what you do inside the app.
The data-flow, drawn honestly.
One trust boundary, the device, and a single arrow for the only crossing Redline makes on its own. The licence service runs on servers outside South Africa and receives a licence ID, a computer ID, and the app version, and nothing from the document itself. Statute links you tap open in your own browser when you choose to, and are not shown here.
Three ways to check the claim yourself.
The best assurance for a local-first tool is that you can confirm it with tools you already trust. We encourage you to run the test.
Watch the network
Run Little Snitch, a host firewall, or a packet capture, then open and analyse a contract.
Nothing leaves the machine during the analysis. You will see local traffic on
127.0.0.1 between Redline and its on-device service, which never leaves the loopback
interface, and the only request that leaves is the small licence check at launch.
Inspect the database
The local data file is encrypted. Run file ~/.redline/default.redline and it
reports data, not a database; run strings over it and you get
ciphertext, not clause text. The key never lives inside the application.
Pull the cable
Once Redline is open, disconnect from the network and keep working for the whole session. Reading, scoring, and the model all run with no connection. The only thing that needs the network is the brief licence check the next time you launch.
On the device, encrypted at rest.
Encrypted at rest. Contract data is encrypted on disk with AES-256, via SQLCipher. The key is generated on the machine at first launch and held in a file readable only by your user account, stored alongside the data rather than inside the application. The key rests on the protection of your operating-system account, and, where full-disk encryption is on, FileVault on macOS or BitLocker on Windows, the data sits behind both layers.
A single-user store you control. The data lives by default in a folder in your
home directory, ~/.redline, which you can move in settings. It is a single-user store
on your own machine, so the only person who can reach it is the person at the keyboard.
The local service is closed to other software. Redline does its analysis in a small service that runs on the same computer, reachable only on the loopback address. It accepts requests only from Redline itself, gated by a fresh random secret minted at each launch, so another program on the machine cannot drive it, and it answers only to local addresses, which turns away attempts to reach it from a web page in a browser. In packaged builds the gate fails closed.
The model runs on your computer. The language model that explains and scores clauses is bundled inside the app and runs on the device. No prompt, clause, or answer is sent to any outside model service. There is no external model interface in the loop.
What the licence sends, and what it never does.
Redline reaches the network in exactly three situations, and you can account for all of them:
A one-time activation when the licence is first entered.
A brief check each time the app opens, which also lets a revoked or moved licence
be picked up.
The SAFLII and Government Gazette links you tap to verify a statute citation,
which open in your browser, when you choose to.
The activation and the per-launch check send a licence ID, a computer ID, and the app version to redlineclause.com, which runs on servers outside South Africa. They are HTTPS requests to that one host, so a firewall can allow them with a single rule. They never send a contract, a clause, a file name, or any document content. There is no telemetry, no analytics on what you do inside the app, and no content reporting.
A checked build and a tamper-evident log.
The build checks itself before it runs. On both macOS and Windows, Redline
checks that its application package has not been altered before it starts, so a tampered copy
refuses to launch. On macOS the build is additionally signed and notarized by Apple, so it opens cleanly.
Native installers are provided for macOS on Apple Silicon and for Windows, and the Windows MSI
deploys silently with msiexec /i Redline.msi /qn through Group Policy, Intune, or SCCM.
Append-only, tamper-evident logs. Redline keeps append-only logs of activity, both licence-lifecycle events and contract-level actions, in the user data directory. Each is sealed with a key created on that install, so a hand-edit of a log is detected the next time the app opens. The logs hold actors, event types, and timestamps, never contract content, and they can be exported as CSV for your firm's own records.
You control retention completely. Because the only copy of your data is on your computer, you own its whole life. Delete a contract in the app and it is gone from the store. Remove the data folder, or the app, and nothing remains. There is no server copy held by us to request the deletion of, and no backup we keep.
Every claim, and how you check it.
| What we say | How it works | How you can check it |
|---|---|---|
| No document content is uploaded | No internet traffic during analysis, only loopback to the on-device service | Watch with Little Snitch, a firewall, or a packet capture; nothing leaves the machine |
| Encrypted at rest | AES-256 via SQLCipher, key held only on your machine | Run file ~/.redline/default.redline; it reports data, not clause text |
| The model is on the device | The model is bundled in the app, with no external model service | Disconnect from the network; explanations still work |
| The local service is closed to other software | Binds to 127.0.0.1 only, needs the per-launch secret, refuses non-loopback hosts |
A request to 127.0.0.1:<port> without the secret returns 401 |
| Only the licence touches the network | One small HTTPS request to redlineclause.com at launch; statute links you tap open in your browser | Watch the network at startup; it carries no document content |
| The app is not tampered with | Integrity-checked at launch on both platforms, signed and notarized on macOS | A modified copy refuses to start |
No cloud, so several questionnaire items do not apply.
A standard vendor questionnaire is written for a service that holds your data on a server. Redline holds nothing, so we would rather name the gaps than imply otherwise. These absences follow from the architecture, not from a thin security program.
- No sub-processors. No contract data is sent to anyone, so there is no third party processing it.
- No cloud SOC 2 or ISO 27001 scope. There is no server of ours to audit.
- No data-residency region. Your data lives on your own computer, under your own controls.
- No data-processing agreement for contract content. We never receive it, so there is nothing for us to process on your behalf.
Your firm stays the responsible party.
Because the review runs on the device and no contract is sent to us, using Redline does not introduce us as an additional operator (POPIA s1) into your processing, and your firm remains the responsible party that determines the purpose and means of processing (POPIA s1). The contracts, and the personal information in them, stay on your computer, so analysing them does not involve a trans-border flow of that data under POPIA s72.
The only traffic that crosses a border is the licence check. It carries no contract content, only the minimal licence and computer identifiers you provide when you take up the licence, used solely to run it. So no contract, and none of the personal information inside it, ever crosses a border under POPIA s72.
POPIA places the security duty on you as the responsible party (s19): appropriate, reasonable technical and organisational measures to protect personal information. Redline is built to support that duty, since on-device processing and encryption at rest keep the data under your control. Because we never process your contract data on your behalf, the operator-contract requirements in POPIA s20 and s21 are not triggered by your use of it.
The Information Regulator is the authority that enforces POPIA. This page describes how Redline handles data. It is not legal advice and not a certification of POPIA compliance, which depends on how your firm processes personal information overall, not on any one tool. Responsibility for compliance, including your own assessment under s19, stays with your firm. Statute references here are paraphrased, frozen at the release, and should be checked against the Government Gazette or SAFLII before you rely on them.
Related reading: POPIA clause review, and how the analysis runs entirely on the device.
Answers for the reviewer and the reader.
Does Redline upload our contracts anywhere?
No. Contracts are read, scored, and stored entirely on the lawyer's own computer. No document is sent to a server, and there is no cloud copy to manage or delete. The only network traffic is a licence check, which carries no contract content.
What exactly leaves my computer?
Only a one-time licence activation and a brief licence check when the app opens. Each request carries a licence ID, a computer ID, and the app version. It never carries a contract, a clause, a file name, or any document content.
Does the model send our clauses to an outside service?
No. The language model that explains and scores clauses is bundled inside the app and runs on the device. No prompt, clause, or answer is sent to any external model service.
Is the data encrypted?
Yes. Contract data is encrypted at rest with AES-256 via SQLCipher. The key is generated on the machine at first launch and held in a file readable only by your user account, stored alongside the data rather than inside the application.
Can I use Redline offline?
Yes. Once the app is open you can disconnect and keep working for the whole session, since reading, scoring, and the model all run with no connection. The brief licence check runs the next time you launch, so a machine kept offline across many launches will eventually need to reconnect.
What happens to our data if we stop using Redline?
You hold the only copy. Delete a contract in the app and it is gone from the store. Remove the data folder, or the app, and nothing remains. There is no server copy held by us to request the deletion of.
Is Redline POPIA compliant?
Redline is built to support your obligations under POPIA, but no tool is a certification of compliance, which depends on how your firm processes personal information overall. Because the review runs on the device and no contract is sent to us, Redline does not become an operator and your firm remains the responsible party.
Ask us for a closer look.
If you are clearing Redline through security or procurement, write to us. We are happy to walk a reviewer through the data flow on a call, including watching the network during a live review so you can see that nothing but the licence check leaves the machine, and to send a short security overview for your file.