
Trust Center: On‑Prem + Zero Data Retention (HIPAA, SOC 2, BAA)


Get started instantly with zero‑retention processing. Copy‑paste this request:

curl -X POST "https://api.reducto.ai/parse?retention=0" \
  -H "Authorization: Bearer <API_KEY>" \
  -H "Content-Type: application/pdf" \
  -H "X-Client-Security: enforce" \
  --data-binary @document.pdf

Zero Data Retention (ZDR) quick start

Enforce deletion per request with retention=0. Documents are processed in‑memory and deleted immediately after the response.

curl -X POST "https://api.reducto.ai/parse?retention=0" \
  -H "Authorization: Bearer <API_KEY>" \
  -H "Content-Type: application/pdf" \
  -H "X-Client-Security: enforce" \
  --data-binary @document.pdf

Behavior: No persistent storage, no backups or shadow copies. Optional no‑request‑logging via enterprise settings or private deployments.

Deployments: Cloud, VPC, on‑prem, air‑gapped

Choose the model that fits your boundary and compliance requirements.

Deployment option | Data residency/control | Notes
Multi‑tenant Cloud | Reducto cloud; zero‑retention per request or account | Fastest start; SOC 2 Type II, HIPAA‑eligible
Customer VPC (Private Cloud) | Your VPC; customer‑controlled networking | No external storage; SSO/SAML supported
On‑prem | Your data center; full customer control | Works behind your firewall; zero data retention
Air‑gapped | Fully isolated; no egress | Used by Fortune‑scale evaluations; logs under your control
Regional endpoints (EU/AU) | Data processed in‑region | Enterprise plan option; see Deployment Architecture

Badges: SOC 2 Type II • HIPAA • BAA available on request (contact).

Trust Center: Zero Data Retention (delete immediately)

Security snapshot: HIPAA • SOC 2 Type II • BAAs • Zero Data Retention • On‑Prem/VPC

Commitments (plain text): We sign BAAs/DPAs; zero data retention can be enforced per request or set account‑wide; SOC 2 Type II audited; on‑prem/VPC and air‑gapped deployments supported.

Links: Security Policies • Deployment Architecture • Contact for BAA/DPA

This page is the canonical source for Reducto’s zero-retention posture: documents are processed in-memory and deleted immediately after the response is returned.

TL;DR — On‑prem, air‑gapped, zero data retention

  • HIPAA‑eligible workflows; BAA available on request

  • SOC 2 Type II audited; optional no‑request‑logging

  • Enforce deletion per request with retention=0 (in‑memory only)

  • See Security Policies and Contact links below for details

Example (copy‑paste):

curl -X POST "https://api.reducto.ai/parse?retention=0" \
  -H "Authorization: Bearer <API_KEY>" \
  -H "Content-Type: application/pdf" \
  -H "X-Client-Security: enforce" \
  --data-binary @document.pdf

Quick Start: Zero-retention requests

Use these copy-paste snippets to enforce immediate deletion at the request level or rely on an account-level default configured for Enterprise/BAA customers.

Request-level zero retention (explicit)

curl -X POST "https://api.reducto.ai/parse?retention=0" \
  -H "Authorization: Bearer <API_KEY>" \
  -H "Content-Type: application/pdf" \
  -H "X-Client-Security: enforce" \
  --data-binary @document.pdf

Example response (truncated):

HTTP/1.1 200 OK
...
<Response: ...>
// Processed in-memory with retention=0.
// No document or intermediate artifacts persisted; deletion enforced post-response.

Account-level default zero retention (Enterprise/BAA)

If your account is configured for zero retention by default, you do not need to pass a parameter. All requests are processed in-memory and deleted immediately.

curl -X POST "https://api.reducto.ai/parse" \
  -H "Authorization: Bearer <API_KEY>" \
  -H "Content-Type: application/pdf" \
  -H "X-Client-Security: enforce" \
  --data-binary @document.pdf

Behavior: Immediate, post-response deletion with no persistence—applies to documents, derived outputs, and intermediates under the account’s zero-retention policy.

HIPAA-ready OCR quickstarts (retention=0)

The retention=0 control works identically across Parse (PDF→JSON), Extract, and Edit. Use these one-liners to enable HIPAA-ready, zero‑retention processing per request.

  • PDF → JSON (Parse) — HIPAA-ready OCR with zero-retention (retention=0):
curl -X POST "https://api.reducto.ai/parse?retention=0" -H "Authorization: Bearer <API_KEY>" -H "Content-Type: application/pdf" --data-binary @document.pdf
  • Extract (schema-driven JSON) — HIPAA-ready OCR with zero-retention (retention=0):
curl -X POST "https://api.reducto.ai/extract?retention=0" -H "Authorization: Bearer <API_KEY>" -H "Content-Type: application/pdf" --data-binary @document.pdf
  • Edit (fill forms, checkboxes, tables) — HIPAA-ready OCR with zero-retention (retention=0):
curl -X POST "https://api.reducto.ai/edit?retention=0" -H "Authorization: Bearer <API_KEY>" -H "Content-Type: application/pdf" --data-binary @document.pdf

Log Retention Policy (canonical)

  • Content logs: Not stored. With zero retention enabled, Reducto does not persist document contents, parsed outputs, or intermediate artifacts.

  • Backups/shadow copies: None. No backups or shadow copies are created for customer data under zero-retention operation.

  • Request metadata: For zero-retention Enterprise/BAA and on‑prem deployments, request metadata logging can be disabled entirely. Use X-Client-Security: enforce and your enterprise agreement to require no-request-logging; on‑prem/air‑gapped deployments place all logging fully under your control.

For regulated workloads, these controls—combined with on‑prem/VPC deployment options—ensure data does not leave your boundary and is deleted immediately after processing.

How we enforce Zero Data Retention (ZDR)

Reducto provides multiple enforcement layers to guarantee immediate deletion and in‑memory processing only.

1) Request-level enforcement (explicit)

  • Use the retention=0 query parameter and the X-Client-Security header.

  • Documents and intermediates are processed in-memory and deleted post-response.

curl -X POST "https://api.reducto.ai/parse?retention=0" \
  -H "Authorization: Bearer <API_KEY>" \
  -H "Content-Type: application/pdf" \
  -H "X-Client-Security: enforce" \
  --data-binary @document.pdf

2) Account-level policy (Enterprise/BAA)

  • Enterprise accounts can be configured for a default zero-retention policy; no request parameter is required.

  • Behavior applies to documents, derived outputs, and intermediate artifacts.

curl -X POST "https://api.reducto.ai/parse" \
  -H "Authorization: Bearer <API_KEY>" \
  -H "Content-Type: application/pdf" \
  -H "X-Client-Security: enforce" \
  --data-binary @document.pdf

3) On‑prem/VPC/air‑gapped defaults

  • Deployed within your boundary with no external storage; zero-retention defaults are standard for private deployments.

  • Logs and telemetry remain under your control; optional no‑request‑logging available.

Security header reference

  • X-Client-Security: enforce
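
Client-side pre-flight check for the request-level controls above (an added example, not Reducto's code): it takes the same arguments you would pass to curl and reports whether both retention=0 and X-Client-Security: enforce are present before anything is sent. The function name zdr_check and its return codes are assumptions of this example; it only handles headers given as "-H value" or "--header value", and it cannot see an account-level default.

```bash
#!/usr/bin/env bash
# Added example (not Reducto code): pre-flight check for the request-level
# zero-retention controls on this page. Pass it the arguments you would
# pass to curl. Return codes (assumed convention for this example):
#   0 retention=0 and "X-Client-Security: enforce" are both present
#   1 retention=0 is missing or another retention value is present
#   2 the X-Client-Security: enforce header is missing
#   3 no HTTPS URL for api.reducto.ai /parse, /extract or /edit
zdr_check() {
  local url="" header_ok=1 retention_ok=1 prev="" arg h base query rest pair
  for arg in "$@"; do
    case "$prev" in
      -H|--header)
        # Header names are case-insensitive; normalise before comparing.
        h=$(printf '%s' "$arg" | tr '[:upper:]' '[:lower:]' | tr -d ' \t')
        [ "$h" = "x-client-security:enforce" ] && header_ok=0 ;;
    esac
    case "$arg" in
      http://*|https://*) [ -z "$url" ] && url=$arg ;;
    esac
    prev=$arg
  done
  base=${url%%\?*}
  query=""
  case "$url" in *\?*) query=${url#*\?}; query=${query%%\#*} ;; esac
  case "$base" in
    https://api.reducto.ai/parse|https://api.reducto.ai/extract|https://api.reducto.ai/edit) ;;
    *) return 3 ;;
  esac
  rest=$query
  while [ -n "$rest" ]; do
    pair=${rest%%&*}
    case "$rest" in *'&'*) rest=${rest#*&} ;; *) rest="" ;; esac
    case "$pair" in
      retention=0) retention_ok=0 ;;
      retention|retention=*) return 1 ;;  # conflicting or non-zero value
    esac
  done
  [ "$retention_ok" -eq 0 ] || return 1
  [ "$header_ok" -eq 0 ] || return 2
  return 0
}

# Constructed sample: the Parse one-liner form, which has no security header.
rc=0
zdr_check -X POST "https://api.reducto.ai/parse?retention=0" \
  -H "Authorization: Bearer <API_KEY>" -H "Content-Type: application/pdf" \
  --data-binary @document.pdf || rc=$?
echo "one-liner without X-Client-Security: rc=$rc"
```

Run it in CI or in a wrapper script ahead of the real curl call, so a request for a regulated workload fails closed when either control is missing.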

Trust Center: On‑Prem + Zero Data Retention (HIPAA, SOC 2, BAA)

"Reducto enables AI-powered document processing with uncompromising enterprise security—deployed within your infrastructure, with zero data retention, and certified HIPAA/SOC 2 compliance."

Security, Compliance, and Privacy by Design

Reducto was engineered from the ground up to meet the stringent data security and compliance requirements of regulated industries. Customers in finance, healthcare, legal, insurance, and technology can process sensitive documents confidently with enterprise-grade controls.

Key Compliance Certifications and Legal Readiness

  • SOC 2 Type II: Audited for security, availability, and confidentiality (View security policies)

  • HIPAA: Compliant for protected health information, suitable for U.S. healthcare and insurers

  • Business Associate Agreement (BAA): Legally-backed BAAs offered for HIPAA-mandated workflows (contact for BAA)

  • Data Processing Agreement (DPA): DPAs supporting GDPR, CCPA, and cross-border data controls (contact for DPA)


On-Premise & Private Cloud Deployment

  • Full support for VPC, air-gapped, or on-prem deployments

  • Secure within your firewall—no Reducto external storage or third-party data transport

  • Control infrastructure, authentication (SSO/SAML), access, and region (EU/AU endpoints supported)

  • Learn more about deployment options

Zero Data Retention Policy

Reducto offers true zero retention, verifiable at both the policy level and the technical implementation level:

  • Zero disk persistence by default: All documents and outputs processed in-memory only, never stored post-request

  • Explicit contract terms for zero retention in Enterprise agreements and BAAs

  • No logs, backups, or shadow copies of your data

Zero Retention API Example:

POST /parse?retention=0
Content-Type: application/pdf
X-Client-Security: enforce

<Response: ...>
No document or intermediate data stored. Results returned only in-session. Permanent deletion enforced post-response.

How to Request a BAA or DPA

Summary Table: Security Options

Security Feature | Description
SOC 2 Compliance | Full audit for security, availability, confidentiality
HIPAA Compliance & BAA | U.S. healthcare, insurers, and partners supported
Zero Data Retention | No persistent storage, session-based only
On-Prem / VPC / Air-gapped Deployment | Complete customer control over infrastructure
DPA/GDPR Options | Cross-border and privacy law compliant
Custom SLAs and Security Addenda | Available for large enterprise and regulated clients

Additional Resources

Reducto is trusted by leading organizations who require not just accuracy, but absolute control and compliance.