How to verify that Stript never uploads your documents
Don't take 'local-first' on trust. Disconnect from the internet, watch the network traffic with Little Snitch or Wireshark, and check the complete list of network requests Stript makes.
Updated
“Your data never touches a server” is a claim every vendor can make. The point of a local-first architecture is that you don’t have to believe it: you can check it yourself, in a few minutes, with tools you already have. This guide shows exactly how, and lists every network request Stript makes so you know what you should (and should not) see.
The two-minute test: pull the plug
The simplest proof needs no tools at all:
- Install Stript and let it download its AI models once (this is the only large download; it happens during setup).
- Disconnect from the internet. Turn off Wi-Fi, unplug the cable, or enable flight mode.
- Open a sensitive document, run detection, review, anonymize, restore.
Everything works identically, because everything runs on your machine. A cloud or “hosted in Germany” anonymizer cannot pass this test: without a connection to its server, it cannot process anything.
The complete list of network requests
Stript’s privacy policy enumerates every request the app makes. There are exactly five kinds, and none carries document content:
| Request | When | What it contains |
|---|---|---|
| AI model download | Once, during setup | The models, fetched from downloads.stript.io and public model repositories. No account, no usage, no document data. |
| License validation | Only if you buy Pro; at most every 30 days | The license key and a generic device label such as “Stript (macOS)”. Never a hostname, never document data. |
| Update check | On app launch | An ordinary fetch of a small static version file. |
| Update download | Only when you click “Install” | The signed update package. |
| Crash reports | Only if you explicitly enable them (off by default) | Technical error data with no document content and no identifiers. |
That is the whole list. If you observe anything else, we want to know about it: support@stript.io.
Watching the traffic yourself
macOS: an outbound firewall like Little Snitch (or the free LuLu) shows every connection an app attempts, live, and lets you block them. Install it, run Stript through a full anonymize-and-restore cycle, and watch the connection list: after the initial model download you will see at most the launch-time update check.
Windows: open Resource Monitor (resmon.exe), select the Network tab, and filter for the Stript process. Or capture with Wireshark and filter by the process’s connections.
Everywhere: Wireshark captures every packet leaving your machine. Start a capture, run Stript, stop the capture, and inspect the destinations. Document content appears in none of them, and if you run the offline test above, there is no traffic at all.
”But Stript isn’t open source”
True, and worth addressing head-on. Stript’s privacy does not rest on a promise or on reading source code; it rests on an architecture you can observe from the outside. Source code shows intent; network traffic shows behavior. A closed-source app that provably makes no network requests during document processing is more verifiable in practice than an open-source cloud service you cannot audit at runtime. The offline test and the traffic inspection above are exactly the checks a skeptical IT department should run, and Stript is built to pass them.
Why this matters under the GDPR
If document content never leaves the device, there is no transfer to a processor and no third-country transfer for that content, which removes the hardest questions of a vendor assessment before they arise. Our subscriber resource Stript as a technical and organizational measure (Art. 32 GDPR) turns this into a ready-to-use answer sheet for your DPO.
Bottom line
Local-first is not a marketing label; it is a testable property. Disconnect from the internet and Stript keeps working. Watch the network traffic and you see exactly the five request types listed above, never your documents. Run the test yourself before you trust any anonymization tool, including ours.