Smallpdf vs RedactVault: Online PDF Tools, Redaction, and Sensitive Documents
A careful comparison of Smallpdf and RedactVault for redacting sensitive PDFs: how each tool handles files, what to look for in privacy claims, and when each one fits the job.
Smallpdf is one of the most widely used online PDF toolkits. If you do occasional PDF work — compress, convert, merge, sign, fill a form, redact a paragraph — you have probably ended up there at some point. RedactVault is a narrower product: a browser-based workflow built specifically around redaction. This post is for people deciding which one to use when the PDF in front of them contains something they would rather not leak.
It is also a useful read if you do not buy either tool. Most of what follows is about how to think about online PDF services in general when sensitive documents are involved.
The short version
Smallpdf is a broad online PDF utility. It does many small tasks competently, has a free tier, and works inside a browser without installing anything. RedactVault is a narrow redaction workflow that also runs in a browser, but is designed around one job rather than dozens.
For ordinary, non-sensitive PDF work, Smallpdf is genuinely convenient. For redacting documents that contain things you do not want anywhere except with the people who legitimately need them, the right question shifts from "is this tool easy?" to "where does the file go, what does the tool do to it, and what is left over at the end?"
What "online PDF tool" usually means
The phrase "online PDF tool" sounds like one thing. In practice it covers two very different architectures, and they are easy to confuse.
- A server-processed tool, where the file is uploaded to the vendor over an encrypted connection, the vendor's servers do the work, and the result is sent back. This is the historical default for online PDF utilities because PDF processing used to be too heavy for a browser.
- A browser-processed tool, where the PDF is opened locally and the processing runs inside the page using WebAssembly or JavaScript. The file does not leave the device for the core processing step. The vendor's server may still be involved for accounts, billing, and analytics, but not for the document itself.
Both architectures can be implemented well. They have different implications when the document is sensitive, because the threat model is not the same. Server-processed tools depend on the vendor's retention and access policies. Browser-processed tools depend on what the page is actually doing in your browser.
The honest answer to "which one does Smallpdf use?" is "it depends on the specific tool, and the wording on different Smallpdf pages is not entirely consistent."
How Smallpdf describes its redaction tool
Smallpdf's dedicated redact-pdf page, at the time of writing, says the redaction tool runs 100% in the browser and that nothing is uploaded to their servers. That is a strong claim and, if accurate for the redact tool specifically, it is the right architecture for sensitive work.
Their broader safety and trust-center pages describe a different model for many other tools — files uploaded over TLS, processed on Smallpdf servers in Ireland, and deleted within one hour for free users or kept in account storage for Pro users until deletion is requested. They list ISO/IEC 27001 certification and GDPR compliance, and they describe their servers as being subject to EU data law.
Both descriptions can be true at the same time — different Smallpdf tools may use different architectures. The point is that "online PDF tool" is not a uniform category and you should check the specific tool page for the specific workflow before assuming. If you care, read the current wording on the Smallpdf page for the exact tool you plan to use, look at the trust center, and decide whether that combination is acceptable for the document in front of you.
What real redaction has to do (in any tool)
Before judging any redaction tool, online or otherwise, it is worth being concrete about what a defensible redaction has to accomplish:
- Remove the targeted text from the underlying PDF content, not just cover it with a rectangle. If the text remains selectable or searchable in the export, the redaction is decoration.
- Handle structural surfaces — annotations, comments, bookmarks, form fields, attachments — that can carry copies of the same content.
- Strip metadata: author, original filename, creating application, document title, edit history.
- Survive being opened in a different PDF reader from the one that produced it.
The famous redaction failures — the Manafort filing in 2019 where reporters copied text right out from under the black bars, government documents released with names visible in the outline panel — were all failures at one of those four points. Not the drawing step.
It is also worth being clear about the difference between editing, annotating, compressing, converting, and redacting. A compressor or converter can re-render a PDF in a way that strips some content but is not a redaction tool. An editor lets you change visible content but does not, by itself, scrub hidden surfaces. A drawing tool lets you paint on a page without touching the underlying data. Only a redaction workflow that does all four jobs above can reasonably be called a redaction tool. The verb is doing a lot of work in product marketing.
How RedactVault approaches it
RedactVault is built around redaction as the whole product. The source file is processed in the browser on the user's device for the core redaction workflow. Auto-detection finds patterns like names, account numbers, and dates. A human review step lets the user accept, reject, or add to those detections, and add manual boxes. Export rewrites the underlying content of the PDF, with verification checks before download — falling back to a rasterized page if a particular page cannot be verified.
Some context that is easy to skip: RedactVault's server-side services exist for accounts, billing, support, and analytics. The browser-local processing claim is specifically about the document during the core redaction workflow, not "no server is ever involved in this product." Anyone who tells you a real SaaS product has zero server-side services is either oversimplifying or misleading.
If you want the details, the security architecture page walks through the processing model. The limitations and accuracy page is honest about what the auto-detection layer does and does not catch.
When Smallpdf is the better choice
Pick Smallpdf when most of these are true:
- You need a general toolbox — compress, convert, merge, fill a form, sign — rather than a redaction-only workflow.
- The document is not particularly sensitive: a public-facing PDF, an internal handout, a flyer.
- You have read the current Smallpdf page for the specific tool you plan to use and you are comfortable with how they describe handling the file.
- You want a free or low-cost option for occasional one-off PDF tasks.
When RedactVault is the better choice
Pick RedactVault when most of these are true:
- Redaction is the actual job, not "edit and also redact a bit."
- You want the source document to stay in the browser for the core redaction step, not because no SaaS is ever acceptable, but because reducing the number of places a sensitive file lives is itself a control.
- You handle documents under privilege, protective orders, HR rules, medical or financial confidentiality, or simply internal policies that prefer device-local processing.
- You want a verified export and a review workflow that makes the common mistakes harder to commit.
A "before you upload" checklist for any online PDF tool
Whichever tool you pick — including RedactVault — these questions are worth asking before sensitive material leaves your control:
- Does this specific tool process the file in the browser, or on the vendor's servers? Check the actual page for the exact tool, not the homepage.
- If the file is uploaded, how long is it retained, and where? Look for a number in hours or days and a server region.
- Are there subprocessors involved (cloud hosts, AI providers, OCR providers)? The vendor's privacy policy usually lists them.
- Do the vendor's staff have any access to your files? Most reputable vendors say no. "No" should be in writing.
- Is your account history exposed to a colleague who later looks at the account?
- Does the tool actually redact (remove the underlying content) or only annotate (cover it)? Read the tool's description carefully.
- Are you allowed by your own policies, contracts, or regulatory framework to upload this category of document to a third party at all?
How to decide for your team
A short evaluation tells you more than any comparison article. Pick one non-sensitive sample file that matches what you actually handle. Redact a few items with each tool. Open the exported file in a different PDF reader. Try to select text under the redactions, search the document for a redacted term, and open Document Properties to check the metadata. The tool whose export is harder to break in two minutes of poking is the one you can trust on the real document.
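The same two-minute check can be scripted for a batch of exports. The following is an added example, not code from Smallpdf or RedactVault: a byte-level Python audit that inflates the PDF's streams, rejoins the text operands, and reports redacted terms, metadata keys, and hidden surfaces that survive in the export. The sample files, the search terms, and the function names are constructed for illustration.

```python
import re
import zlib

STREAM = re.compile(rb">>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
LITERAL = re.compile(rb"\(((?:\\.|[^\\()])*)\)")  # (...) string operands of Tj / TJ
INFO_KEYS = (b"/Author", b"/Title", b"/Subject", b"/Keywords", b"/Creator", b"/Producer")
SURFACES = (b"/Annots", b"/Outlines", b"/AcroForm", b"/EmbeddedFiles")

def decoded_streams(pdf: bytes) -> list[bytes]:
    """Return every stream body, inflated when it is Flate data, raw otherwise."""
    out = []
    for body in STREAM.findall(pdf):
        try:
            out.append(zlib.decompressobj().decompress(body))
        except zlib.error:
            out.append(body)
    return out

def audit(pdf: bytes, redacted_terms: list[str]) -> dict:
    streams = decoded_streams(pdf)
    # TJ arrays split a word into pieces; joining the operands puts it back together.
    page_text = b"".join(b"".join(LITERAL.findall(s)) for s in streams)
    everything = pdf + b"\n" + b"\n".join(streams)  # raw file plus inflated (object) streams
    return {
        "leaked_terms": [t for t in redacted_terms
                         if t.encode() in page_text or t.encode() in everything],
        "metadata_keys": [k.decode() for k in INFO_KEYS if k in everything],
        "hidden_surfaces": [k.decode() for k in SURFACES if k in everything],
    }

def sample(content: bytes, extra: bytes = b"") -> bytes:
    """Constructed PDF-like bytes (no xref table): one compressed page stream plus extra objects."""
    z = zlib.compress(content)
    head = b"%PDF-1.7\n1 0 obj\n<< /Filter /FlateDecode /Length " + str(len(z)).encode() + b" >>\nstream\n"
    return head + z + b"\nendstream\nendobj\n" + extra + b"%%EOF\n"

# Constructed sample: text drawn, then a black rectangle painted over it; name left in metadata.
COVERED = sample(
    b"BT /F1 12 Tf 72 700 Td [(Account 1234) -20 (5678)] TJ ET\n0 g 72 695 150 14 re f",
    b"2 0 obj\n<< /Author (J. Doe) /Title (Statement for Jane Roe) >>\nendobj\n"
    b"3 0 obj\n<< /Type /Outlines /Count 0 >>\nendobj\n")
# Constructed sample: the account number is gone from the content stream, no metadata objects.
REDACTED = sample(b"BT /F1 12 Tf 72 700 Td (Account ) Tj ET\n0 g 125 695 97 14 re f")

if __name__ == "__main__":
    for name, pdf in (("covered", COVERED), ("redacted", REDACTED)):
        print(name, audit(pdf, ["12345678", "Jane Roe"]))
```

The scan reads only literal `(...)` strings, so text stored as hex strings or under a custom font encoding needs a full PDF parser. Treat a clean result as a supplement to opening the file in a second reader, not a replacement for it.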
If you want a broader read on this topic, our piece on whether online PDF redaction tools are safe walks through the upload-risk question in more depth.
FAQ
Common questions
Is Smallpdf safe to use for sensitive documents?
"Safe" depends on the document, the tool, and your own policies. Smallpdf describes itself as ISO/IEC 27001 certified and GDPR compliant, with EU-based servers and short retention for most free-tier files. Their redact-pdf page specifically claims the tool runs in your browser without uploading the file. Whether that combination is appropriate for your sensitive document is a judgement only you can make, ideally with your privacy or compliance team.
Does Smallpdf upload my file?
It depends on the specific tool. Smallpdf's public safety pages describe server-side processing with TLS upload and short retention for many tools. Their redact-pdf page claims the redact tool itself runs in the browser without uploading the file. Read the page for the exact tool you plan to use before assuming either model applies.
Does RedactVault upload my file?
In the core redaction workflow, the source file is processed in the browser on your device and is not uploaded to a RedactVault server to be redacted. Accounts, billing, support, and analytics involve server-side services like any normal SaaS product, but the document itself stays in the browser for the core step.
What is the difference between covering text and redacting it?
Covering paints a rectangle on top of the page without changing the underlying PDF content. Anyone who opens the file in another reader can usually select, copy, or search the text under the rectangle. Real redaction rewrites the page so the underlying text is gone, and also handles metadata and other hidden surfaces.
What is the fastest way to test whether a redacted PDF actually held?
Open the file in a different PDF reader from the one that produced it. Try to select text under each redaction, search the document for a redacted term, and check Document Properties for metadata. Two minutes of this catches almost every common leak.