RedactLog

Multi-tenant, GDPR-focused PDF redaction tool for Subject Access Request (SAR) workflows. Built on Next.js 15, TypeScript, Tailwind v4, and shadcn/ui, with a FastAPI sidecar handling PDF processing via PyMuPDF. Covers the full SAR lifecycle: case management, document upload, a canvas-based redaction editor, approval workflow, and final export as redacted PDFs, CSV schedule, and ZIP pack.

Added 15 May 2026

Build log

6 entries

  1. Everything that happens to a case, on the record

    Every meaningful action on a case is now on the record — uploads, status changes, redactions applied, exports — captured as an activity trail with a timeline on the case page. You can export that trail as a CSV, and it also rides along inside the final SAR response pack, which matters the day you have to show a regulator exactly what was done to a document and when. The fiddly part was taming the noisy events — not logging a document-opened event fifty times just because someone scrolled — and first-open-per-user turned out to be the sane rule.

  2. Letting it spot the obvious PII for you

    Taught RedactLog to find the obvious things itself. It now scans a document for common PII patterns — emails, phone numbers, UK postcodes, National Insurance numbers — and proposes them as redactions you can accept, relabel or reject in bulk, instead of hunting down every single one by hand. I deliberately kept the detection local and rule-based rather than reaching for a model; for SAR work, predictable and explainable beats clever, and I don’t want personal data leaving the box just to be classified. It’s a suggestion layer, not an autopilot — a human still confirms every redaction.

  3. Find, tick, redact

    Added find-and-redact: hit Cmd+F, search the document, tick the matches you want, and stage them all as redactions in one pass. The interesting part wasn’t the search, it was the rectangles — getting the highlight boxes to sit exactly over the text meant measuring glyph widths properly and translating between PDF coordinate space and the screen, which I managed to get backwards more than once. I also had to extend the boxes below the baseline so descenders on letters like g and y don’t peek out from under a redaction. Small detail, but a box that misses half a letter isn’t really a redaction.

  4. The screens you actually live in

    Built out the surfaces you spend all day in. Cases, documents and the SAR schedule all moved onto proper data tables with faceted filters and state that persists in the URL, so a filtered view is something you can bookmark and share. There’s now a dashboard putting the deadline timeline, an approver queue and recent activity up front, and — because this is multi-tenant — a system-admin layer for spinning up companies, inviting their first admin, and disabling an account cleanly when it’s time. Getting the disabled-account flow right was fiddlier than expected; you have to stop someone at the door without leaving them staring at a confusing broken session.

  5. RedactLog finally has a face — and a usable editor

    Tore off the prototype skin and gave RedactLog a real design system — proper elevation, motion and status-tone tokens, a custom shield logo with a redaction bar cut into the negative space, status pills, and a Cmd+K command palette. The bigger win was the redaction editor itself, which now behaves like a workbench: undo/redo for staged redactions, a confirmation step before anything is burned in permanently, label-after-draw instead of fiddly presets, collapsible panels, and page virtualisation so large documents don’t choke the canvas. The confirmation dialog was a late addition — redaction is irreversible by design, and I didn’t love how easy it was to apply by accident.

  6. Locking the doors before the real data arrives

    Before RedactLog touches a single real SAR document, I wanted the soft underbelly locked down. I spent a day hardening the upload path — rejecting anything that isn’t actually a PDF, capping file size and page count, rate-limiting uploads per user, and making sure exported files don’t leak metadata from the original. The processing service now refuses to talk to anything but our own app, and signed download links expire quickly. None of this is glamorous, but it’s exactly the stuff you don’t want to be retrofitting after you’ve onboarded a client handling people’s personal data.
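
A sketch of the quickly expiring signed download links mentioned in entry 6, added here as an illustration and not RedactLog's own code. It assumes an HMAC-SHA256 token that binds the tenant, the export and the expiry together; the function names, the 300-second ceiling and the key are hypothetical.

```python
import base64
import hashlib
import hmac
import re
import time
from typing import Optional

SECRET = b"constructed-demo-key"  # constructed; load from a secret store in practice
MAX_TTL = 300  # seconds; assumed value for "expire quickly"
ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")
TOKEN_RE = re.compile(r"([A-Za-z0-9_-]{1,64})\.([0-9]{1,12})\.([A-Za-z0-9_-]{43})")


def _mac(tenant_id: str, export_id: str, expires: str) -> str:
    # Newline-separated fields are unambiguous because ID_RE forbids newlines.
    payload = f"{tenant_id}\n{export_id}\n{expires}".encode()
    digest = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def sign_download(tenant_id, export_id, ttl=MAX_TTL, now=None) -> str:
    """Return 'export_id.expires.mac'. The tenant is bound into the MAC only."""
    if not (ID_RE.fullmatch(tenant_id) and ID_RE.fullmatch(export_id)):
        raise ValueError("unexpected characters in id")
    if not 0 < ttl <= MAX_TTL:
        raise ValueError("ttl outside the allowed window")
    expires = str(int((time.time() if now is None else now) + ttl))
    return f"{export_id}.{expires}.{_mac(tenant_id, export_id, expires)}"


def verify_download(token, session_tenant_id, now=None) -> Optional[str]:
    """Return the export id only if the token is authentic, for the caller's tenant and unexpired."""
    m = TOKEN_RE.fullmatch(token)
    if m is None or not ID_RE.fullmatch(session_tenant_id):
        return None
    export_id, expires, mac = m.groups()
    # The tenant comes from the server-side session, never from the URL.
    expected = _mac(session_tenant_id, export_id, expires)
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return None
    if (time.time() if now is None else now) >= int(expires):
        return None
    return export_id
```

Because the tenant id is taken from the authenticated session at verification time, a link copied into another company's session fails the MAC check even before it expires.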