Stript as a technical and organizational measure (Art. 32 GDPR)
The document for your internal sign-off. Introducing Stript in a firm, practice, or company means answering two sets of questions: your data protection officer’s and your IT or vendor assessment’s. This page answers both. You are welcome to adapt the text for internal use.
Note: This document is factual information about Stript’s architecture and a drafting aid. It is not legal advice. The data protection assessment of your specific case remains yours and your DPO’s.
The core statement in one paragraph
Stript is a local desktop application that detects personal data in documents and replaces it with placeholders before a text is given to an external AI tool. All document processing (analysis, anonymization, restoration) happens exclusively on the user’s device. Document content is never transmitted to the vendor or to any third party. Using Stript is therefore data minimization at the source: what leaves the device toward an AI service no longer contains real names.
Where this sits under the GDPR
- Art. 32(1)(a) GDPR explicitly names pseudonymization as an appropriate technical and organizational measure. Stript implements exactly that: consistent placeholders (e.g. [PERSON_1]) replace the real data, and the mapping table remains AES-256-GCM-encrypted on the device.
- Art. 25 GDPR (data protection by design): the measure applies before data leaves the device, not after the fact.
- Art. 5(1)(c) GDPR (data minimization): only the anonymized text reaches the external AI tool; the amount of personal data transferred is reduced to what the purpose requires (normally: none).
- Important for your own assessment: pseudonymized data remains personal data as long as the mapping table exists. With Stript, however, that table stays encrypted with the controller alone; the AI provider never receives it. Whether a specific output can be considered anonymous vis-Ă -vis the AI provider is your case-by-case assessment; the user confirms every detection before anonymization.
Why no data processing agreement is needed for document processing
A data processing agreement under Art. 28 GDPR is required when a third party processes personal data on your behalf. With Stript, no such processing by the vendor takes place: the application runs entirely locally, like a word processor, and document content never reaches the vendor’s servers. Where no processing by a third party occurs, no processor relationship arises. This distinguishes Stript from cloud-based anonymization services (including those hosted in Germany), where the document is uploaded for processing and a DPA is therefore required.
For the few peripheral processes that have nothing to do with document content (website, purchase and licensing, optional crash reports), the vendor’s Privacy Policy applies.
Vendor-assessment answer sheet
The typical questions of a vendor or tool assessment, with the answers that apply to Stript:
| Assessment question | Answer for Stript |
|---|---|
| Where are documents processed? | Exclusively on the user’s device. No upload, no cloud processing. |
| Where are documents stored? | Locally on the device, encrypted (AES-256-GCM); keys in the operating system keychain. Deletable by the user at any time. |
| Which subprocessors have access to document content? | None. Document content does not leave the device. |
| Is a DPA under Art. 28 GDPR required? | Not for document processing, since no processing by the vendor takes place (see above). |
| Is document content transferred to third countries? | No. |
| Which network connections does the application make? | Exhaustively: a one-time download of the AI models during setup, license validation (at most every 30 days, without document data), an update check on launch, an update download only at the user’s initiative, and optional crash reports that are off by default and contain no document content. Details in the Privacy Policy, Section 2.6. |
| Can this be verified? | Yes. After the model download Stript works fully offline; network activity can be inspected with built-in tools or Little Snitch/Wireshark. Walkthrough: How to verify our claims. |
| Is there telemetry or usage data? | No. No usage telemetry, no content telemetry. Crash reports only after explicit opt-in, without content and without identifiers. |
| How is accountability supported? | The application keeps a tamper-evident processing log (hash chain) containing no content data; mapping tables can be exported and demonstrably destroyed (destruction certificate). |
| What is the human’s role? | Every detection is reviewed and confirmed by the user before anonymization; the application never decides alone. |
Suggested wording for your records of processing / TOM list
“Before external AI services are used, documents are processed with anonymization software running locally on the device. Personal data is detected, reviewed by the operator, and replaced with consistent placeholders; only the cleaned text is passed to the AI service. The mapping table remains encrypted (AES-256-GCM) on the device and is not transmitted to third parties. The software transmits no document content to its vendor (local processing, verifiably able to run offline).”
Limits you should know
Honesty is part of a defensible TOM description:
- Stript detects direct identifiers (names, addresses, IBANs, case numbers, and more). Indirect identifiability from context (a rare combination of role, place, and date) cannot be fully excluded by any tool; that is why human review stays anchored in the workflow.
- Detection is a very good first pass, not a substitute for the operator’s confirmation. That is precisely why the review step is a mandatory part of the flow.
- Your use of the external AI service itself (with the anonymized text) is assessed independently, by your own standards.
As of July 2026. This document is maintained; the current version lives at this address.