For FOIA & public-records officers

Redact public records for release — and defend every redaction.

Records requests come with statutory clocks and growing volumes — and every release has to have the exempt material removed first: personal information, contact details, anything you've determined is withholdable. Doing it by hand across hundreds of pages per request is slow, and a black box that's still recoverable turns a release into a breach. Lacuna auto-detects sensitive spans across the whole request, lets you review every one, removes them from the PDF's text layer, and records every decision in a hash-chained tamper-evident audit log.

Why black boxes fail

A black box in a release is a breach waiting to happen.

A filled rectangle over text is just an object painted on top — the characters are still in the content stream underneath, recoverable by anyone who copy-pastes or runs pdftotext. A released record goes straight to the requester, who can — and will — test it.

That's how withheld information has surfaced in records that looked redacted on screen — the data was never removed, only covered. And the visible page is only half of it: PDFs also carry metadata, embedded files, and prior revisions that leak the same information.

$ pdftotext release-2026-0417.pdf - | grep "Doe"
Doe, Jonathan ← still there.
With byte-level removal from the PDF text layer, that same command returns nothing.
The workflow

Redact the request, not one page at a time.

A 600-page request is the same three steps as a single memo.

01
Detect

Upload one document or the full responsive set. Lacuna finds names, addresses, phone numbers, emails, SSNs, and account numbers across every page automatically.

02
Review

You see every detected span in context and decide what to release and what to withhold — you apply the exemptions; Lacuna surfaces the candidates. Nothing is touched until you commit, and you can flag a span for a second read.

03
Commit

Lacuna removes the approved text from the PDF's text layer and runs a sanitization pass that strips embedded files, scripts, attachments, and document metadata. What you download is a clean PDF, ready to release.

The output is the same bytes you can re-verify yourself with pdftotext — not a “trust us” black box.

The receipts

When a withholding is appealed, show your work.

Every job is written to a hash-chained tamper-evident audit log: which spans were detected, what you released, what you withheld, and when you committed it. Each entry is linked to the one before it by a SHA-256 hash, so an altered or dropped record breaks the chain.

The log records that a redaction happened, never what was underneath it — so it's safe to put in front of a requester or a reviewing court without re-exposing the very information you withheld. If a withholding is appealed, you can account for exactly what was done.

Where your documents go

Records don't get shipped to someone else's AI.

Detection runs on Lacuna's own infrastructure — a deterministic pattern engine plus a compact AI model that labels sensitive spans on our workers. Neither pass transmits your page text to any third-party AI service. There's no “we'll just run it through a chatbot” step happening out of sight.

For an agency handling residents' personal information, that's the difference that matters: the data you're redacting isn't copied into an outside vendor's logs to be found. Source files are deleted from primary storage when the job completes; encrypted backups are purged on a fixed schedule. The full retention and deletion model is spelled out here.

Release with confidence.

Bulk PDF redaction with a tamper-evident audit log — built for the public-records queue.