Enterprise Fast-Track

If you are an enterprise procurement officer, legal counsel, or Data Protection Officer (DPO) reviewing PrivacyScrubber, this page explains why you can bypass standard Vendor Risk Assessments and Data Processing Agreements (DPAs).

The Short Answer

PrivacyScrubber does not collect, transmit, store, or process any of your raw PII on our servers. Therefore, under the GDPR, CCPA, and HIPAA, PrivacyScrubber is not a "Data Processor." Because we are not a Data Processor, a Data Processing Agreement (DPA) is legally inapplicable and unnecessary.

1. How is this possible?

Traditional SaaS products send your data to an API (e.g., AWS, Azure) to be processed. PrivacyScrubber works entirely inside your browser's local sandbox using WebAssembly and Vanilla JS. It is mathematically impossible for us to process your data, because your data never reaches us.

2. The "Airplane Mode" Proof

You can independently verify our zero-data-transmission claim. Load the app, disconnect your computer from the internet (turn on Airplane Mode), and process a document. It will sanitize perfectly. A tool that works without the internet cannot be exfiltrating data to the cloud.

3. What about the SessionMap?

The SessionMap (which maps tokens like [NAME_1] back to "John Doe") is stored strictly in volatile RAM. It is never written to localStorage, IndexedDB, or cookies. The exact moment the browser tab is closed, the mapping is destroyed. There are no logs, no telemetry, and no hidden databases.
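
A reviewer can check the claims in sections 2 and 3 with the network connected as well, by processing a test document that contains unique canary strings and then inspecting the tab's storage and request history. The script below is an added example, not PrivacyScrubber's own code; the function names, the snapshot fields, and the sample values are assumptions made for illustration.

```javascript
// Added example; auditSnapshot, snapshotBrowser and the snapshot fields are hypothetical names.

// Pure check: returns findings; an empty array means nothing was observed.
function auditSnapshot(snap, canaries) {
  const findings = [];
  const hit = (text) => canaries.find((c) => String(text).includes(c));
  for (const [key, value] of Object.entries(snap.localStorage || {})) {
    const found = hit(`${key}\n${value}`);
    if (found) findings.push(`localStorage[${key}] contains "${found}"`);
  }
  const inCookie = hit(snap.cookie || "");
  if (inCookie) findings.push(`cookie contains "${inCookie}"`);
  for (const name of snap.indexedDBNames || []) {
    findings.push(`IndexedDB database present: ${name}`);
  }
  for (const r of snap.resources || []) {
    if (r.startTime >= snap.processingStart) {
      findings.push(`request after processing began: ${r.name}`);
    }
  }
  return findings;
}

// Browser-only collector: call from the DevTools console of the tab under test,
// passing the performance.now() value noted just before the document was processed.
async function snapshotBrowser(processingStart) {
  return {
    processingStart,
    localStorage: Object.fromEntries(
      Object.keys(localStorage).map((k) => [k, localStorage.getItem(k)])),
    cookie: document.cookie,
    indexedDBNames: (await indexedDB.databases()).map((d) => d.name),
    resources: performance.getEntriesByType("resource")
      .map((r) => ({ name: r.name, startTime: r.startTime })),
  };
}

// Constructed snapshot of a tab that violates the claims, to show the output.
const SAMPLE_CANARIES = ["Zed Canary-7731", "[NAME_1]"];
const SAMPLE_SNAPSHOT = {
  processingStart: 5000,
  localStorage: { theme: "dark", map: '{"[NAME_1]":"Zed Canary-7731"}' },
  cookie: "lang=en",
  indexedDBNames: [],
  resources: [
    { name: "https://app.example.test/scrub.wasm", startTime: 310 },
    { name: "https://api.example.test/collect", startTime: 5120 },
  ],
};
```

In the browser, run `auditSnapshot(await snapshotBrowser(t0), canaries)` after processing the test document. WebSocket traffic does not appear in resource timing entries, so check the DevTools Network panel for it as well.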

Need this in a formal memo?

You can download our CISO AI Security Blueprint to attach to your internal compliance records as formal technical proof of our non-processor status.