For journalists & newsrooms

Redact documents for publication — so the text is gone, not just hidden.

A black rectangle drawn over a name still has the name underneath it — anyone can copy-paste it out or run pdftotext and read what you hid. Lacuna removes the sensitive text from the PDF's text layer itself, auto-detects it across an entire leak or document dump, and records every decision in a hash-chained tamper-evident audit log.

Why black boxes fail

A black box is a picture, not a deletion.

Most “redacted” PDFs are made by drawing a filled rectangle over the text in a PDF editor. That rectangle is just another object painted on top — the original characters are still sitting in the page's content stream underneath it. Select the area and copy, open the file in a different viewer, or run it through pdftotext, and the words you meant to hide come right back out.

It's how supposedly-redacted court filings and investigations have been un-redacted after they were published — the text was never removed, only covered. And the visible page is only half of it: a PDF also carries metadata, embedded files, and prior revisions that can leak the same names long after the black boxes look convincing.

$ pdftotext leaked-memo.pdf - | grep "Doe"
Doe, Jonathan ← still there.
With byte-level removal from the PDF text layer, that same command returns nothing.
The workflow

Redact the dump, not one box at a time.

A 900-page leak is the same three steps as a single memo.

01
Detect

Upload one document or a whole batch. Lacuna finds names, addresses, phone numbers, emails, SSNs, and account numbers across every page automatically — no hunting for them rectangle by rectangle.

02
Review

You see every detected span in context and decide what goes and what stays — redact a source's name, keep a public official's. Nothing is touched until you commit, and you can flag a span for a second read before you do.

03
Commit

Lacuna removes the approved text from the PDF's text layer and runs a sanitization pass that strips embedded files, scripts, attachments, and document metadata. What you download is a clean PDF, ready to publish.

The output is the same bytes you can re-verify yourself with pdftotext — not a “trust us” black box.

The receipts

Every redaction leaves a record — the receipt, not the text.

Every job is written to a hash-chained tamper-evident audit log: which spans were detected, what you kept, what you removed, and when you committed it. Each entry is linked to the one before it by a SHA-256 hash, so if a single record is altered or dropped, the chain stops verifying — the tampering shows.

Crucially, the log records that a redaction happened, never what was underneath it. So it's safe to hand to an editor, a fact-checker, or a lawyer when a published redaction gets questioned — you can show your work without re-exposing the very names you removed.

Verify the chain at any time and quote the chain-head hash to support. The integrity record travels with the document, not the secret.

Where your documents go

Your documents don't get shipped to someone else's AI.

Detection runs on Lacuna's own infrastructure — a deterministic pattern engine plus a compact AI model that labels sensitive spans on our workers. Neither pass transmits your page text to any third-party AI service. There's no “we'll just run it through a chatbot” step happening out of sight.

For a reporter protecting a source, that's the difference that matters: the names you're trying to redact aren't copied into an outside vendor's logs in order to find them. Source files are deleted from primary storage when the job completes; encrypted backups are purged on a fixed schedule. The full retention and deletion model is spelled out here.

Publish the document. Not the names.

Byte-level PDF redaction with a tamper-evident audit log — free to start, no card required.