PrivacyScrubber

Technical Security Reference

Zero-Trust Architecture & Privacy Proof

This page documents the technical architecture, data flow, and security controls that enforce PrivacyScrubber's Zero-Trust Data Sanitization (ZTDS) guarantee. Written for security engineers, CISOs, and AI platform reviewers who need verifiable evidence — not marketing claims.

Airplane Mode Verified
No Server
No Storage of PII
Independently Verifiable

1. Data Flow Architecture

Every byte of your input travels this exact path — and never exits the browser boundary:

  [Input]               [Browser JS heap]           [Output]
  user text     ---->   processText()      ---->    tokenized text
                              |
                              v
                        [sessionMap]
                        token -> original, JS memory only

There is no step between "User text" and "Tokenized text" that involves a network socket, file I/O, or inter-process communication of any kind.

2. The sessionMap — Memory-Only Session State

The sessionMap is the key-value store that maps tokens like [NAME_1] back to their originals. Its storage rules are the most critical security invariant in the codebase.

What DOES happen
  • Stored as a plain JS let variable in heap memory
  • Scoped to the page session lifetime
  • Dropped on tab close, page reload or Clear, after which the garbage collector reclaims it
  • Accessible only to same-origin code on that tab (note that this includes any third-party script the page loads and any browser extension with a content script on that origin, so keep both in mind when auditing)
What NEVER happens
  • Written to localStorage or sessionStorage
  • Written to IndexedDB or cookies
  • Serialized and sent anywhere
  • Logged, cached, or backed up
// app.js — the complete definition of sessionMap
let sessionMap = {};  // JS heap only. Never persisted.

// On each Scrub: entries added  →  { "[NAME_1]": "John Doe" }
// On Clear or tab close: garbage collected automatically
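The mechanism above, as an added JavaScript illustration. This is not PrivacyScrubber's app.js: the regex detectors, the [TYPE_n] token names, the reverseMap index, the helper functions and the sample input are assumptions chosen to show a token map that lives only in the heap, round-trips through reverse scrub, and is dropped on Clear.

```javascript
// Added illustration of the memory-only session model (not the project's code).
// Detector patterns, token names and helpers are assumptions for this example.

// The only session state: token -> original value, a plain object in the JS heap.
let sessionMap = {};
// Reverse index (type:value -> token) so a repeated value gets the same token.
let reverseMap = {};
// Per-type counters for [TYPE_n] numbering.
let counters = {};

// Constructed detectors; deliberately simple, not a production PII classifier.
// SSN runs before PHONE so a 3-2-4 pattern is never partially consumed.
const DETECTORS = [
  { type: "EMAIL", regex: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  { type: "SSN",   regex: /\b\d{3}-\d{2}-\d{4}\b/g },
  { type: "PHONE", regex: /(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b/g },
];

function tokenFor(type, value) {
  const key = `${type}:${value}`;
  if (Object.prototype.hasOwnProperty.call(reverseMap, key)) return reverseMap[key];
  counters[type] = (counters[type] || 0) + 1;
  const token = `[${type}_${counters[type]}]`;
  reverseMap[key] = token;
  sessionMap[token] = value;
  return token;
}

// Scrub: a pure string transformation. No fetch, no storage API, no worker.
function processText(input) {
  let out = input;
  for (const { type, regex } of DETECTORS) {
    out = out.replace(regex, (match) => tokenFor(type, match));
  }
  return out;
}

// Reverse scrub: restore originals in text (e.g. an AI reply) that kept the tokens.
// Unknown tokens are left untouched rather than guessed.
function reverseScrub(text) {
  return text.replace(/\[[A-Z]+_\d+\]/g, (token) =>
    Object.prototype.hasOwnProperty.call(sessionMap, token) ? sessionMap[token] : token
  );
}

// Clear: drop every reference so the garbage collector can reclaim the values.
function clearSession() {
  sessionMap = {};
  reverseMap = {};
  counters = {};
}

function sessionSize() {
  return Object.keys(sessionMap).length;
}

// Constructed sample input (fictional identifiers).
const SAMPLE =
  "Contact John at john.doe@example.com or (555) 123-4567. SSN 123-45-6789. Again: john.doe@example.com";

function demo() {
  clearSession();
  const scrubbed = processText(SAMPLE);
  const restored = reverseScrub(scrubbed);
  return { scrubbed, restored, entries: sessionSize() };
}

console.log(demo());
```

The repeated e-mail address maps to the same [EMAIL_1] token both times, so the AI model sees a consistent placeholder, and reverseScrub(processText(SAMPLE)) returns the original string exactly. After clearSession() the same token is no longer resolvable, which is the behaviour the Clear button relies on.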

3. Third-Party Dependency Audit

Every external script loaded by PrivacyScrubber, what it does, and whether it touches user data:

Tesseract.js (OCR)
Runs optical character recognition on document images (PRO only)
✓ Zero data transmission

Tesseract.js compiles the Tesseract C++ engine to WebAssembly and runs it in a browser Web Worker. Image pixels are processed entirely on device. A Web Worker can call fetch(), so the precise claim is about what is fetched: Tesseract.js downloads its own worker script, WASM core and language data, never your images. During OCR the only requests you should see in the Network tab are those asset downloads, which are cached after first use.

pdf.js (Mozilla)
Renders PDF files in-browser for text extraction (PRO only)
✓ Zero data transmission

pdf.js is a client-side PDF renderer. It reads the ArrayBuffer of the locally selected file via the browser's File API and parses it in its own Web Worker; loading that worker script is the only network activity it needs. No file content, extracted text or metadata is sent to any server.

mammoth.js (DOCX parsing)
Parses .docx files into plain text
✓ Zero data transmission

Pure client-side ZIP/XML parser. Reads the file's ArrayBuffer via FileReader. The library has no remote dependencies and makes no network calls.

PayPal SDK
Processes one-time PRO payment
⚠ Loads only on PRO modal open

The PayPal SDK is lazy-loaded: the script tag is injected dynamically only when you click "Get PRO Access". Users who never open the PRO modal generate zero PayPal network calls. Note that any script injected into a page runs with that page's full privileges, so the SDK's separation from your pasted text and sessionMap rests on it being loaded only for the payment flow, not on a browser-enforced boundary. If you want certainty, click Clear (or reload the page) before opening the PRO modal.

Vercel Analytics & Speed Insights
Aggregate page performance metrics
⚠ No PII — URL + timing only

Vercel Analytics transmits the visited URL path and performance timing; it sets no cookies and does no fingerprinting (Vercel markets it as GDPR-compliant on that basis). It does not receive any text you paste into the tool. The Airplane Mode guarantee applies to the PII processing workflow; analytics is a passive performance observer. Because Speed Insights reports timing metrics that are finalised when you leave or hide the page, one of its beacons can appear in the Network tab after you have used the tool; open it and confirm the payload contains only URL and timing fields.

4. Chrome Extension — Least Privilege Model

The PrivacyScrubber Chrome Extension is built on the principle of least privilege. Every permission has a specific, minimal justification. No permission is bundled "just in case."

contextMenus

Registers the "Scrub PII" right-click menu item. Required for the right-click workflow. Does not grant access to page content.

activeTab

Grants access only to the tab the user right-clicked on, and only after that user gesture. The grant is limited to that one tab and lapses when the tab navigates away or is closed. It is not a blanket tab-reading permission.

scripting

Allows injecting content.js on-demand into the specific tab the user right-clicked. The script only renders a toast notification — it reads no page content.

clipboardWrite

Allows the "Copy" button to write scrubbed text to clipboard. This is a write-only permission — the extension cannot read the clipboard.

storage

Used exclusively for chrome.storage.session to pass selected text from the context menu to the popup. Session storage auto-clears when the browser closes. No PII is ever written to chrome.storage.local or sync.

host_permissions: [] — Intentionally Empty

The extension declares zero host permissions. Outside the activeTab grant on the one tab you right-clicked, it has no capability to read or script content on any website: not ChatGPT, not your bank, not any domain. Chrome enforces this at the API level; it is not just a policy statement. This is the single most important privacy guarantee of the extension architecture, and you can confirm it in chrome://extensions under the extension's Details page (Permissions) or by reading manifest.json in the unpacked extension.
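An added static check that encodes the permission model above, written as a reviewer would for a vendor questionnaire. It is not the extension's own code; the manifest object below is constructed from the page's description of the permissions (the real manifest.json is not reproduced on this page), and the allow-list and the "broad" list are this example's assumptions.

```javascript
// Added example: least-privilege audit of an MV3 manifest (not the extension's code).
// ALLOWED_PERMISSIONS mirrors the five permissions documented on this page.

const ALLOWED_PERMISSIONS = new Set([
  "contextMenus", "activeTab", "scripting", "clipboardWrite", "storage",
]);

// Permissions that would contradict the model described above (assumed list).
const BROAD_PERMISSIONS = new Set([
  "tabs", "webRequest", "webNavigation", "clipboardRead", "cookies",
  "history", "bookmarks", "downloads", "debugger", "nativeMessaging",
]);

function auditManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];

  for (const p of perms) {
    if (BROAD_PERMISSIONS.has(p)) findings.push(`broad permission: ${p}`);
    else if (!ALLOWED_PERMISSIONS.has(p)) findings.push(`unexpected permission: ${p}`);
  }

  // Any declared host pattern, required or optional, breaks "host_permissions: []".
  const hosts = [
    ...(manifest.host_permissions || []),
    ...(manifest.optional_host_permissions || []),
  ];
  for (const h of hosts) findings.push(`host permission declared: ${h}`);

  // Static content_scripts run on every matching page with no user gesture,
  // unlike scripting.executeScript under activeTab.
  for (const cs of manifest.content_scripts || []) {
    findings.push(`static content script on ${(cs.matches || []).join(", ")}`);
  }

  // MV2-style host patterns inside "permissions" also grant host access.
  if (perms.some((p) => p === "<all_urls>" || p.includes("://"))) {
    findings.push("host pattern in permissions");
  }
  if (manifest.manifest_version !== 3) {
    findings.push(`manifest_version ${manifest.manifest_version}, expected 3`);
  }
  return findings;
}

// Constructed manifest matching the description on this page (not the real file).
const CONSTRUCTED_MANIFEST = {
  manifest_version: 3,
  name: "PrivacyScrubber (constructed sample)",
  version: "0.0.0",
  permissions: ["contextMenus", "activeTab", "scripting", "clipboardWrite", "storage"],
  host_permissions: [],
  background: { service_worker: "background.js" },
  action: { default_popup: "popup.html" },
};

console.log(auditManifest(CONSTRUCTED_MANIFEST)); // expect []
```

Run it against the manifest.json you download from the store listing or the unpacked extension directory; an empty findings list is the expected result for the model on this page, and any "tabs", host pattern or static content script entry is a change worth asking the vendor about.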

5. Independent Verification Protocol

You don't have to trust us. Here's how to verify the zero-network claim in under 2 minutes:

Method A — DevTools Network Tab

  1. Open privacyscrubber.com and wait for full page load
  2. Open Chrome DevTools → Network tab (F12 or Cmd+Option+I)
  3. Click the 🚫 "Clear" button to remove all existing entries
  4. Paste any sensitive text into the scrubber tool textarea
  5. Click "Scrub PII" — observe the Network tab
  6. Expected result: no new request carrying your text. If a request to a Vercel analytics endpoint does appear (see section 3), open it and confirm its payload contains only the URL path and timing fields.

Method B — Airplane Mode Test

  1. Load privacyscrubber.com in your browser
  2. Wait for the page to fully load (all CDN assets cached). To test the PRO document features offline as well, run each of them once while still online so their worker scripts and language data are cached.
  3. Disconnect from the internet (enable Airplane Mode or disable Wi-Fi)
  4. Paste text → click Scrub PII
  5. Expected result: Full functionality. Tokens generated. Reverse scrub works. No errors.
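Method C, an added runtime check that is not part of privacyscrubber.com: paste this into the DevTools console after the page has loaded and before you scrub. It wraps the page-level network APIs (fetch, XMLHttpRequest, sendBeacon, WebSocket) so that any call made by page code during the scrub workflow is recorded, or rejected with block: true. The function name and options are this example's own. It complements, rather than replaces, the Network tab: it cannot see requests made from inside a Web Worker (where Tesseract.js and pdf.js run), nor loads the browser performs for dynamically injected script or image tags.

```javascript
// Added verification helper (not the site's code). Wraps the common page-level
// network APIs on `target` (window in DevTools) and records every call.
function installNetworkGuard(target = globalThis, { block = false } = {}) {
  const attempts = [];
  const record = (api, detail) => {
    attempts.push({ api, detail, at: Date.now() });
    if (block) throw new Error(`network guard: ${api} blocked (${detail})`);
  };

  if (typeof target.fetch === "function") {
    const origFetch = target.fetch;
    target.fetch = function (input, ...rest) {
      const url = typeof input === "string" ? input : (input && input.url) || String(input);
      record("fetch", url);
      return origFetch.call(this, input, ...rest);
    };
  }

  if (target.XMLHttpRequest) {
    const origOpen = target.XMLHttpRequest.prototype.open;
    target.XMLHttpRequest.prototype.open = function (method, url, ...rest) {
      record("XMLHttpRequest", `${method} ${url}`);
      return origOpen.call(this, method, url, ...rest);
    };
  }

  if (target.navigator && typeof target.navigator.sendBeacon === "function") {
    const origBeacon = target.navigator.sendBeacon;
    target.navigator.sendBeacon = function (url, ...rest) {
      record("sendBeacon", String(url));
      return origBeacon.call(this, url, ...rest);
    };
  }

  if (target.WebSocket) {
    const OrigWS = target.WebSocket;
    target.WebSocket = class extends OrigWS {
      constructor(url, protocols) {
        record("WebSocket", String(url));
        super(url, protocols);
      }
    };
  }

  return {
    attempts,
    // Human-readable list; empty means no page-level network call was made.
    report() { return attempts.map((a) => `${a.api}: ${a.detail}`); },
  };
}

// Usage in the DevTools console after page load:
//   const guard = installNetworkGuard();            // or installNetworkGuard(window, { block: true })
//   ... paste text, click Scrub PII, reverse-scrub ...
//   guard.report();                                 // expected: [] for the scrub workflow
```

With block: true the wrapped call throws before the original API runs, so a scrub that depended on a network call would visibly fail. A page-level Content-Security-Policy with a restrictive connect-src would turn this observation into a browser-enforced guarantee; this page does not state that one is set, so check the response headers if you need that.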

6. Compliance Alignment

PrivacyScrubber's architecture is designed to align with the following frameworks. Use this when completing vendor questionnaires:

GDPR Article 25 — Privacy by Design

No personal data is collected, processed on a server, or retained. Processing happens entirely client-side, so the operator never holds personal data that it would have to minimize, secure or delete.

CCPA — No Sale of Personal Information

No personal information is collected or stored. There is nothing to sell, share, or disclose to third parties.

ISO 27001 A.8.11 — Data Masking

PII is tokenized before reaching any AI tool. The tokenization key (sessionMap) never leaves the user's device.

HIPAA — Minimum Necessary Standard

PHI entered into the tool is never transmitted. Users can verify this using both verification methods above before submitting any HIPAA-regulated information to an AI model.

Frequently Asked Questions

Does PrivacyScrubber send any data to a server?
No. All PII detection runs in your browser's JavaScript engine using regex and pattern matching. The text you paste never leaves your device. Verify this yourself using the Airplane Mode test or the DevTools Network tab method described above.
Can I use this at my company for regulated data?
Yes. Because the tool is 100% client-side, there is no data processor relationship to establish, no DPA to sign, and no vendor risk assessment needed for the scrubbing functionality itself; the third-party scripts listed in section 3 still belong in your review. The CISO AI Guide at /ciso-ai-guide includes a formal policy template you can adapt.
What happens to my text when I close the tab?
The sessionMap object and all text you pasted live only in JavaScript heap memory. Closing the tab drops the last references and the browser's garbage collector reclaims the memory; the page never writes any of it to disk, so there is no recovery path, by design. (JavaScript offers no way to zero a string explicitly, so, as with any web application, the bytes may linger in the browser process's memory until that memory is reused.)
Can I audit the source code?
Yes. Right-click → View Page Source, or use Chrome DevTools → Sources tab. The application's own code is three files: index.html, app.js, and styles.css; the third-party libraries listed in section 3 load as separate scripts. There is no minification, obfuscation, or build step that obscures the logic.

Ready to verify it yourself?

Load the tool, enable Airplane Mode, and scrub a test document. The proof is in the network tab.