Many online PDF services upload your files to a server, process them there, and send back the result. That can be fine for public documents — but it's a poor fit for contracts, medical forms, passports, or financial records.
What actually happens when you "upload" a PDF
With a typical server-based tool:
- Your file travels over the internet to the provider's servers
- It sits in server storage (and often in backups, logs, or caches) while being processed
- The result is sent back to you
- The provider promises to delete the original — usually "within a few hours"
Every step adds exposure: the transfer, the storage, the staff and subprocessors with server access, and the breach risk for as long as any copy exists. A deletion policy is a promise, not a guarantee.
How in-browser processing removes the risk
When a tool runs entirely in your browser — the way every CommandPDF tool does — the architecture changes:
- The "upload" is just your browser opening the file locally; no bytes leave your device
- Processing happens in your browser's memory using WebAssembly
- The "download" writes the result straight to your disk
- Close the tab and nothing remains anywhere
You can verify this yourself: load a CommandPDF tool, disconnect from the internet, and it still works. A server-based tool can't do that.
Documents that should never touch a server
- Identity documents — passports, national ID cards, driver's licenses
- Contracts and NDAs under confidentiality clauses
- Medical records (HIPAA and similar regulations apply)
- Financial statements, tax filings, payroll documents
- Legal filings and case material
- Anything covered by your employer's data-handling policy
For organizations, server-based tools can also create compliance problems: sending a client's data to a third-party server may itself violate GDPR, HIPAA, or contractual data-processing agreements — regardless of whether anything ever leaks.
Practical privacy habits for PDF work
- Prefer tools that state clearly that processing is local — and test the offline trick above
- Strip hidden data before sharing: PDFs carry author names, software versions and edit history — use Remove Metadata
- Redact properly, don't just black out: a drawn black box leaves the text underneath selectable. Use Find & Redact, which removes the text itself
- Sanitize documents from unknown sources with Sanitize PDF — it strips JavaScript, embedded files and other active content
- Encrypt before emailing sensitive files with Encrypt PDF and share the password through a different channel
- Flatten filled forms with Flatten PDF so field history can't be recovered
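The hidden-data and active-content habits above can be checked locally before and after cleaning a file. This is an added example, not CommandPDF's code: it scans a PDF's raw bytes for the standard name objects that mark JavaScript, auto-run actions, embedded files and identifying metadata. The function names and the sample document are constructed for illustration. Because a raw scan cannot see inside compressed object streams, a clean result is a triage signal, not proof.

```javascript
// Added example (not CommandPDF code). Names below are standard PDF name objects.
const ACTIVE = ['JavaScript', 'JS', 'OpenAction', 'AA', 'Launch', 'EmbeddedFile'];
const METADATA = ['Author', 'Creator', 'Producer', 'Metadata'];

// PDF names may hex-escape any character: /J#61vaScript is the same name as /JavaScript.
function decodeName(raw) {
  return raw.replace(/#([0-9A-Fa-f]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// bytes: Uint8Array, e.g. new Uint8Array(await file.arrayBuffer()) from a file input.
function scanPdf(bytes) {
  // One character per byte, so binary stream data cannot break decoding.
  let text = '';
  for (const b of bytes) text += String.fromCharCode(b);

  // A name is "/" followed by characters that are not whitespace or delimiters.
  const counts = new Map();
  for (const m of text.matchAll(/\/([^\s\/\[\]<>(){}%]+)/g)) {
    const name = decodeName(m[1]);
    counts.set(name, (counts.get(name) || 0) + 1);
  }
  const pick = (keys) =>
    keys.filter((k) => counts.has(k)).map((k) => ({ name: k, count: counts.get(k) }));

  return {
    active: pick(ACTIVE),
    metadata: pick(METADATA),
    // Objects packed into compressed object streams are invisible to a raw byte scan.
    hasObjectStreams: counts.has('ObjStm'),
  };
}

// Constructed sample, not a real document.
const SAMPLE = [
  '%PDF-1.7',
  '1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj',
  '3 0 obj << /S /J#61vaScript /JS (0) >> endobj',
  '4 0 obj << /Type /EmbeddedFile /Length 0 >> stream endstream endobj',
  '5 0 obj << /Author (Jane Doe) /Producer (ExampleWriter 1.0) >> endobj',
].join('\n');
const SAMPLE_BYTES = Uint8Array.from(SAMPLE, (c) => c.charCodeAt(0));

console.log(scanPdf(SAMPLE_BYTES));
```

Running the same scan on the output of a sanitize or metadata-removal step should show the `active` and `metadata` lists shrink; if `hasObjectStreams` is true, decompress the file before trusting an empty result.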
Frequently asked questions
If nothing is uploaded, how can the tools work? Modern browsers run near-native code via WebAssembly. CommandPDF ships the same engines desktop software uses (PDF.js, pdf-lib, qpdf, LibreOffice compiled to WASM) and runs them on your device.
Is local processing slower? For typical documents it's faster — there's no upload/download wait. Very heavy jobs depend on your device's speed rather than a server's.
Does CommandPDF see anything at all? The site serves the application code and collects anonymous usage analytics. Your documents and their contents are never transmitted.
Conclusion
Privacy policies tell you what a company intends to do with your files. Architecture tells you what it can do. A tool that never receives your document can't leak it, sell it, or be forced to hand it over.